/images/gaga.jpg

呆呆的小窝~

Kernel

kallsyms 1 2 3 4 5 6 7 8 9 10 11 12 import idc import ida_funcs import ida_kernwin ksyms = open("/path/to/kallsyms.txt") for line in ksyms: addr = int(line[0:16],16) name = line[19:].replace('_','') name = line[19:].replace('\n','') idc.create_insn(addr) ida_funcs.add_func(addr) idc.set_name(addr,name) ida_kernwin.msg("%08X:%s"%(addr,name)) passwd 1 2 pwned:$1$aa$Sc4m1DBsyHWbRbwmIbGHq1:0:0:/root:/root:/bin/sh # 密码:lol cpio 1 2 3 4 5 6 7 8 gcc -o exp -static exp.c -masm=intel -s -lpthread mv ./exp ./initramfs

Misc

exp template 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 from pwn import * import sys context.log_level = "debug" if len(sys.argv) < 2: debug = True else: debug = False if debug: p = process("./") libc = ELF("/lib/x86_64-linux-gnu/libc.so.6") else: p =

Apk杂记

adb 1 2 adb devices # 查看设备 adb shell ida调试so 一般断在Jni_onload 1 2 adb forward tcp:23946 tcp:23946 adb shell 1 2 cd /data/local/tmp ./androidserver androidserver的位数应该和so对应,

Optee_template

ta 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 //------------------------------------------------ //--- 010 Editor v10.0.2 Binary Template // // File: // Authors: // Version: // Purpose: // Category: // File Mask: // ID Bytes: // History: //------------------------------------------------ #define TEE_FS_HTREE_IV_SIZE 16 #define TEE_FS_HTREE_TAG_SIZE 16 #define TEE_FS_HTREE_FEK_SIZE 16 typedef struct _tee_fs_htree_meta { UINT64 length; }tee_fs_htree_meta; typedef struct _tee_fs_htree_imeta { struct tee_fs_htree_meta meta; UINT32 max_node_id; UINT32 nop; }tee_fs_htree_imeta; typedef struct _tee_fs_htree_image { UCHAR iv[TEE_FS_HTREE_IV_SIZE]; UCHAR tag[TEE_FS_HTREE_TAG_SIZE]; UCHAR enc_fek[TEE_FS_HTREE_FEK_SIZE]; UCHAR imeta[sizeof(struct tee_fs_htree_imeta)]; UINT32 counter; }tee_fs_htree_image; #define TEE_FS_HTREE_HASH_SIZE 32 #define TEE_FS_HTREE_IV_SIZE 16 #define TEE_FS_HTREE_TAG_SIZE 16 typedef struct _tee_fs_htree_node_image { /* Note that calc_node_hash() depends on hash first in struct */ UCHAR hash[TEE_FS_HTREE_HASH_SIZE]; UCHAR iv[TEE_FS_HTREE_IV_SIZE]; UCHAR tag[TEE_FS_HTREE_TAG_SIZE]; USHORT flags; }tee_fs_htree_node_image; //-------------------------------------- LittleEndian(); tee_fs_htree_image ver0_head; tee_fs_htree_image ver1_head; FSeek(0x1000); tee_fs_htree_node_image ver0_root_node; tee_fs_htree_node_image ver1_root_node; FSeek(0x2000); encrypted ta 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 //------------------------------------------------ //--- 010 Editor v10.

Mixed_c_with_asm

前几天群里提到的问题,简单记录下查阅到的方法。 在C中调用汇编中定义的函数 以Linux x86为例,用汇编语言编写一个hello_world函数

Adb

USE ADB in WSL 1 2 3 # ADB export PATH="$PATH:/mnt/d/Tools/Android/SDK/platform-tools" alias adb="/mnt/d/Tools/Android/SDK/platform-tools/adb.exe" 由于将adb的路径alias后,默认在sh中是找不到的,若想在sh脚本中使用ADB,需在脚本前添加以下代码: 1 2 #!/bin/bash