adb 1 2 adb devices # 查看设备 adb shell ida调试so 一般断在Jni_onload 1 2 adb forward tcp:23946 tcp:23946 adb shell 1 2 cd /data/local/tmp ./androidserver androidserver的位数应该和so对应，

ta 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 //------------------------------------------------ //--- 010 Editor v10.0.2 Binary Template // // File: // Authors: // Version: // Purpose: // Category: // File Mask: // ID Bytes: // History: //------------------------------------------------ #define TEE_FS_HTREE_IV_SIZE 16 #define TEE_FS_HTREE_TAG_SIZE 16 #define TEE_FS_HTREE_FEK_SIZE 16 typedef struct _tee_fs_htree_meta { UINT64 length; }tee_fs_htree_meta; typedef struct _tee_fs_htree_imeta { struct tee_fs_htree_meta meta; UINT32 max_node_id; UINT32 nop; }tee_fs_htree_imeta; typedef struct _tee_fs_htree_image { UCHAR iv[TEE_FS_HTREE_IV_SIZE]; UCHAR tag[TEE_FS_HTREE_TAG_SIZE]; UCHAR enc_fek[TEE_FS_HTREE_FEK_SIZE]; UCHAR imeta[sizeof(struct tee_fs_htree_imeta)]; UINT32 counter; }tee_fs_htree_image; #define TEE_FS_HTREE_HASH_SIZE 32 #define TEE_FS_HTREE_IV_SIZE 16 #define TEE_FS_HTREE_TAG_SIZE 16 typedef struct _tee_fs_htree_node_image { /* Note that calc_node_hash() depends on hash first in struct */ UCHAR hash[TEE_FS_HTREE_HASH_SIZE]; UCHAR iv[TEE_FS_HTREE_IV_SIZE]; UCHAR tag[TEE_FS_HTREE_TAG_SIZE]; USHORT flags; }tee_fs_htree_node_image; //-------------------------------------- LittleEndian(); tee_fs_htree_image ver0_head; tee_fs_htree_image ver1_head; FSeek(0x1000); tee_fs_htree_node_image ver0_root_node; tee_fs_htree_node_image ver1_root_node; FSeek(0x2000); encrypted ta 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 //------------------------------------------------ //--- 010 Editor v10.

cpio 1 2 3 4 5 6 7 8 gcc -o exp -static exp.c -masm=intel -s -lpthread mv ./exp ./initramfs cd initramfs find . -print0 \ | cpio --null -ov --format=newc \ | gzip -9 > ../initramfs.cpio.gz cd .. mount 1 2 # ext4 sudo mount -o rw -osync -o auto -o exec rootfs.img rootfs 模板 1 2 3 4 5 6 7 8 9 10 11 12 13

前几天群里提到的问题，简单记录下查阅到的方法。 在C中调用汇编中定义的函数 以Linux x86为例，用汇编语言编写一个hello_world函数

USE ADB in WSL 1 2 3 # ADB export PATH="$PATH:/mnt/d/Tools/Android/SDK/platform-tools" alias adb="/mnt/d/Tools/Android/SDK/platform-tools/adb.exe" 由于将adb的路径alias后，默认在sh中是找不到的，若想在sh脚本中使用ADB，需在脚本前添加以下代码: 1 2 #!/bin/bash

exp 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 from pwn import * import sys context.log_level = "debug" if len(sys.argv) < 2: debug = True else: debug = False if debug: p = process("./") libc = ELF("/lib/x86_64-linux-gnu/libc.so.6") else: p = remote("",) libc = ELF("./libc-2.31.so") ru