-
-
[原创]kctf-2023 第九题 突破防线 98k战队wp
-
发表于: 2023-9-22 01:33 11475
-
后面两段主要是逆向和内核两位大手子写的
本题叠buf式的考点让几位师傅隔着各种远程投屏互相帮忙调了几个通宵,无数次都在祈求出题人收了神通,不过最后还是做出来了。没打过内核,当时并不觉得把静态c程序exp改成shellcode可以很有可行性,随口提了一句,结果几位大爹说还真可以,属于歪打正着了,最后和IChild大爷被几个socket调用调戏了一通宵到精神恍惚。不知道是否有能在禁止execve/at的情况下更为精妙的可行思路。
大体流程:
1.利用用户态漏洞进行 rop 和布置 shellcode-seg1
2. rop 利用 mprotect 调用成功运行小段 shellcode-seg1
3.在 shellcode-seg1 中用 socket 操作读入大段 shellcode-seg2 (这段直接来自于打内核的 exp binary),并完成场景还原和跳转
4.跳转运行 shellcode-seg2 完成内核漏洞的利用(精神污染),篡改 busybox 的 poweroff 逻辑
5.杀 vm 进程,在防止内核崩掉(需要一点处理)的情况下让 init 高权限顺序执行 poweroff ,利用 8080 端口反弹信息。
用户态程序 vm 是 go 语言写的,在 插件 的帮助下顺利恢复函数名,再手动恢复下自定义结构体的信息就能得到程序逻辑。
开了 sandbox , dump 出来发现是禁用了 execve 和 execveat 。开了个 http server ,有三个接口,每个接口的输入格式都是 main.Req
的 json 形式。提取出来逻辑如下:
ioctl 调用说明这里要跟内核交互了。逆内核模块 vmfs ,得到几项功能:
create 会对 Size 做检测,不能大于 0x10000
mov_to_trash 会将 list 中已有的项添加到 trash 中,并释放分配的数组内存,但是没有置为空
delete_from_trash 将 trash 中的一项彻底删除,并将 list 中对应项释放掉并且置为空
set_data 和 get_data 就是向分配的数组中写入数据和拿出数据
sort 会对 list 中的项目排序,不同 method 值采用不同的排序算法。其中当 method = 3 时采用选择排序,而选择排序不是稳定的排序算法,即不能保证排序之前值相同的项在排序后保持相同的顺序,再结合 mov_to_trash 就可以 double free 。不过这是内核的利用部分了,用户态程序是没有 ff01 的接口的,需要先找用户态程序的漏洞。
在内核模块初始化时会自动添加一条 list 中的记录:
Size 为 0x10000 ,而用户态程序可创建的最大大小为 0x8000 ,如果只是看用户态程序是没问题的,而添加的这一条记录就给用户态程序带来了漏洞,因为 run-file 会将数据从内核复制到用户态程序中,用户态程序并没有检查 Size 的大小,用来保存数据的栈内存只有 0x8000 字节(即 4096 个 uint64 ),如果从内核里复制出来的长度大于 0x8000 字节就可以覆盖栈上数据,先覆盖的是 vm 执行时的 memory 结构体,覆盖指针、长度就可以任意读写;再之后是上层函数的 lr 指针,再后面是当前函数的参数,因为函数返回之前要调用第一个参数的一个虚表函数,所以需要设置为一个程序里的值。再后面就是随便栈溢出构造 rop 了。 arm 的 rop 不太好做,不过幸好能找到这样一条 gadget ,大概是类似于x86的 setcontext 的用法:
再结合 go 程序里自带的 syscall 函数,加上前面的任意地址读写,加上程序没开 pie ,可以直接在 bss 段写入 shellcode 之后调用 mprotect 改 bss 段权限,再跳转到 shellcode 执行,在 shellcode 中调用 accept 得到与用户交互的 fd ,这样就可以读取更多的 shellcode 用于执行,这样就可以进入到内核利用了。
接下来就是这题比较恶心的点了。调试时首先循环 read 4 号 fd ,发现不阻塞且无法得到大于 0 的结果。最后关掉 4 ,然后用对 socket fd 3 调用 sys_accept ,调了半天还是 accept 不进来,最后发现原来是 accept 不阻塞。最后循环 accept 和 recvfrom ,才开始稳定读取 shellcode 并利用。
由于禁用掉了 execve 和 execveat ,于是只能把用来打内核的 exp 的 binary 给读出来,作为 shellcode 来执行。 mmap 出代码段,即 exp 中的 0x23300000 和 stack 段,全部内存 dump 进去还原现场,设置完 sp 和 pc ,最后从 start 开始执行
周二事情比较多,加上俺也确实不太会逆向,所以专业的事情让专业的逆向爷爷来做。所以当我真正上手这个题的时候逻辑好像跟我无关了。
在我的视角中,只知道有内核菜单堆的几个功能,其中 0xff01 的 free 之后还留着 Dangling Pointer。并且,这个 Dangling Pointer 还会在选择排序之后被换位... 然后就是... Double Free~
补充一点:选择排序是一种不稳定的排序算法。在这个题中,选择排序会导致相同 id 不同 idx 的两个 object 位置发生交换。当其中一个已经是 Dangling Pointer 的时候,进行选择排序,再尝试 free 另一个 object。因为发生了交换,所以第二次 free 的还是原来的那个 object。这就构成了 Double Free。
POC 如下:
于是接下来就进入到常规 Linux kernel exploitation 的环节。Double Free 在内核堆利用中算是比较好利用的一种,而且这个题还可以控制 double free object 的大小,所以思路应该有很多。比如用直接用 tty_struct 泄露+ROP。
不过俺之前被 aarch64 的 ROP 整怕了,而且也不知道新内核里面 gadget 够不够用,思来想去还是别赌了,还是打稳定一点的 cross-cache 吧...
思路呢就和去年 N1CTF 的 Praymoon 差不多。指路牌 -> N1CTF 2022 Praymoon Write Up | V1me's Blog (imv1.me)
这里简单概括一下:
一切都看起来很简单,俺也在 6 个小时的时间内调通了内核 exp。此时正是凌晨 4 点,用户态那边也基本弄完了,一切都在向好的方向发展...
所以,为什么俺们又从早上搞到了晚上 9 点呢?
前情提要,用户态 vm 开了 seccomp,ban 掉了 execve 和 execveat。如果只是一个用户态题目,rop 执行 orw 也就结束了,但是... 我们还有一个内核 exp 的二进制需要上传执行。没有 shell,怎么传?传不了一点。
和用户态爷爷(还是 IChild)商量了一下,可以在用户态执行 shellcode 之后,就可以给我 mmap 一段 rwx 内存,我就可以手动把二进制文件"加载"到内存中,然后执行。(WHO NEEDS EXECVE? UH?)
然后,问题就来了。SegmentFault... SegmentFault... SegmentFault....
单步跟了一下,发现问题出现在栈上。 libc_start_main 会从栈上拿 env。所以,我们这次把一个合法的栈也拷贝进内存了。
然后。。。继续 SegmentFault。。。 WTF???
而且这次死的地方十分玄学,死在内核 exp 刚刚进去的 mmap syscall 中,也就是程序进了 mmap syscall 中再也没出来。。。
于是果断地拉来了巨神,在巨神的指导下把 aarch64 的 strace 编译好放到了 rootfs 里面,运行...
“这个 SIGURG 是你预期的吗?”
“【黑人问号】哪来的 SIGURG?”
“但它就是被 SIGURG 杀了...”
于是在 shellcode 里面 handle 了一下 SIGURG(此处省略 4 个小时。。。)
...
终于在马拉松式的调试一天之后,成功改完了 busybox,复用 8080 端口 nc -e 拿到了反弹的 root shell!
void
__cdecl main_main()
{
__int64
v0;
// x28
_QWORD *http_server;
// x0
__int64
v2;
// x0
__int64
v3;
// x1
__int64
v4;
// x0
void
*server_handle;
// [xsp+38h] [xbp-40h]
__int64
v6[2];
// [xsp+40h] [xbp-38h] BYREF
_QWORD v7[4];
// [xsp+50h] [xbp-28h] BYREF
__int64
v8;
// [xsp+78h] [xbp+0h] BYREF
if
( (unsigned
__int64
)&v8 <= *(_QWORD *)(v0 + 16) )
runtime_morestack_noctxt();
main_initFs();
v6[0] = (
__int64
)&type_string;
v6[1] = (
__int64
)&off_2D7E60;
fmt_Fprintln(&off_2D8F98, qword_45C3E8, v6, 1LL, 1LL);
// "Server started ..."
server_handle = runtime_newobject(&type_http_ServeMux);
net_http___ServeMux__Handle(server_handle, aApiCreateFile, 16LL, &off_2D9438, off_293378);
// 0x1F9A90, main.createFile
net_http___ServeMux__Handle(server_handle, aApiWriteFile, 15LL, &off_2D9438, &off_293388);
// 0x1F9E70, main.writeFile
net_http___ServeMux__Handle(server_handle, aApiRunFile, 13LL, &off_2D9438, off_293380);
// 0x1FA260, main.runFile
http_server = runtime_newobject(&type_http_Server);
http_server[1] = 5LL;
*http_server = a8080;
http_server[2] = &off_2D8E18;
if
( dword_4927C0 )
runtime_gcWriteBarrier(http_server + 3, server_handle);
else
http_server[3] = server_handle;
v2 = net_http___Server__ListenAndServe(http_server);
if
( v2 )
{
v7[2] = 0LL;
v7[3] = 0LL;
v7[0] = &type_string;
v7[1] = &off_2D7E80;
v4 = *(_QWORD *)(v2 + 8);
v7[2] = v4;
v7[3] = v3;
fmt_Fprintln(&off_2D8F98, qword_45C3E8, v7, 2LL, 2LL);
// "Error starting the server:"
}
}
void
__fastcall main_initFs()
{
__int64
v0;
// x28
__int64
v1[2];
// [xsp+30h] [xbp-58h] BYREF
__int64
v2[9];
// [xsp+40h] [xbp-48h] BYREF
__int64
v3;
// [xsp+88h] [xbp+0h] BYREF
if
( (unsigned
__int64
)&v3 <= *(_QWORD *)(v0 + 16) )
runtime_morestack_noctxt();
v2[0] = 0x400000020LL;
v2[1] = 0xC00000B704000015LL;
v2[2] = 32LL;
v2[3] = 0x11900020015LL;
v2[4] = 0xDD00010015LL;
v2[5] = 0x7FFF000000000006LL;
v2[6] = 6LL;
v1[0] = 7LL;
v1[1] = (
__int64
)v2;
syscall_Syscall(SYS_prctl, PR_SET_NO_NEW_PRIVS, 1LL);
v2[7] = (
__int64
)v1;
syscall_Syscall(SYS_prctl, PR_SET_SECCOMP, 2LL, v1);
}
void
__fastcall main_createFile(ResponseWriter_table *Response_vtable,
void
*response,
void
*request)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
if
( (unsigned
__int64
)&v31 <= *(_QWORD *)(v3 + 16) )
runtime_morestack_noctxt();
v30 = Response_vtable->net_http_(_response)_Header(response);
*(_OWORD *)v4 = net_textproto_CanonicalMIMEHeaderKey(aContentType, 12LL);
v35 = v4[0];
value = runtime_newobject(&type_string_array_1_ptr);
*((_QWORD *)value + 1) = 16LL;
*(_QWORD *)value = aApplicationJso;
v6 = (
void
**)runtime_mapassign_faststr(&type_textproto_MIMEHeader, v30, v35, v4[1]);
v6[1] = (
void
*)1;
v6[2] = (
void
*)1;
if
( dword_4927C0 )
runtime_gcWriteBarrier(v6, value);
else
*v6 = value;
v29 = Response_vtable->net_http_(_response)_Header(response);
*(_OWORD *)v7 = net_textproto_CanonicalMIMEHeaderKey(aAccessControlA_3, 27LL);
v35 = v7[0];
v8 = runtime_newobject(&type_string_array_1_ptr);
v33 = v8;
v8[1] = 1LL;
*v8 =
"*"
;
v9 = (
void
**)runtime_mapassign_faststr(&type_textproto_MIMEHeader, v29, v35, v7[1]);
v9[1] = (
void
*)1;
v9[2] = (
void
*)1;
if
( dword_4927C0 )
runtime_gcWriteBarrier(v9, v33);
else
*v9 = v33;
v37 = (main::Req *)runtime_newobject(&type_main_Req);
v28 = *((_QWORD *)request + 9);
v32 = runtime_convI2I(&type_io_Reader, *((_QWORD *)request + 8));
v10 = runtime_newobject(&type_json_Decoder);
*v10 = v32;
if
( dword_4927C0 )
runtime_gcWriteBarrier(v10 + 1, v28);
else
v10[1] = v28;
v11 = encoding_json___Decoder__Decode(v10, &type_main_Req_ptr, v37);
if
( v11 )
{
v24 = (*(
__int64
(__fastcall **)(
__int64
))(v11 + 24))(v12);
net_http_Error(Response_vtable, response, v24, v25, 400LL);
}
else
if
( v37->Size > 0x8000 || (*(_OWORD *)v14 = os_OpenFile(aDevVmfs, 9LL, 0LL, 0x180LL), v13 = v14[0], v14[1]) )
{
net_http_Error(Response_vtable, response, aInternalServer, 21LL, 500LL);
}
else
{
v31 = (_QWORD *)v14[0];
Id = v37->Id;
Size = v37->Size;
v27[1] = 0LL;
v27[3] = 0LL;
v27[4] = 0LL;
v27[0] = Id;
v27[2] = Size;
v36 = v27;
if
( v14[0] )
{
if
( (*(_BYTE *)(*(_QWORD *)v14[0] + 80LL) & 1) != 0 )
{
internal_poll___FD__SetBlocking(*(_QWORD *)v14[0]);
v13 = (
__int64
)v31;
}
v17 = *(_QWORD *)(*(_QWORD *)v13 + 16LL);
}
else
{
v17 = -1LL;
}
syscall_Syscall(SYS_ioctl, v17, 0xFF00LL, v36);
if
( v31 )
{
v26 = v18;
os___file__close(*v31);
v18 = v26;
}
if
( v18
|| (v38 = aSuccess,
v39 = 7LL,
v19 = runtime_convTstring(aSuccess),
v20 = encoding_json_Marshal(&type_main_Message, v19),
v23) )
{
net_http_Error(Response_vtable, response, aInternalServer, 21LL, 500LL);
}
else
{
Response_vtable->net_http_(_response)_Write(response, v20, v21, v22);
}
}
}
void
__fastcall main_writeFile(ResponseWriter_table *Response_vtable,
void
*response,
void
*request)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
if
( (unsigned
__int64
)&v33 <= *(_QWORD *)(v3 + 16) )
runtime_morestack_noctxt();
v32 = Response_vtable->net_http_(_response)_Header(response);
*(_OWORD *)v4 = net_textproto_CanonicalMIMEHeaderKey(aContentType, 12LL);
v37 = v4[0];
v5 = runtime_newobject(&type_string_array_1_ptr);
value = (
__int64
)v5;
v5[1] = 16LL;
*v5 = aApplicationJso;
v6 = (
__int64
*)runtime_mapassign_faststr(&type_textproto_MIMEHeader, v32, v37, v4[1]);
v6[1] = 1LL;
v6[2] = 1LL;
if
( dword_4927C0 )
runtime_gcWriteBarrier(v6, value);
else
*v6 = value;
v31 = Response_vtable->net_http_(_response)_Header(response);
*(_OWORD *)v7 = net_textproto_CanonicalMIMEHeaderKey(aAccessControlA_3, 27LL);
v37 = v7[0];
v8 = runtime_newobject(&type_string_array_1_ptr);
v35 = (
__int64
)v8;
v8[1] = 1LL;
*v8 =
"*"
;
v9 = (
__int64
*)runtime_mapassign_faststr(&type_textproto_MIMEHeader, v31, v37, v7[1]);
v9[1] = 1LL;
v9[2] = 1LL;
if
( dword_4927C0 )
runtime_gcWriteBarrier(v9, v35);
else
*v9 = v35;
v39 = (main::Req *)runtime_newobject(&type_main_Req);
v30 = *((_QWORD *)request + 9);
v34 = runtime_convI2I(&type_io_Reader, *((_QWORD *)request + 8));
v10 = runtime_newobject(&type_json_Decoder);
*v10 = v34;
if
( dword_4927C0 )
runtime_gcWriteBarrier(v10 + 1, v30);
else
v10[1] = v30;
v11 = encoding_json___Decoder__Decode(v10, &type_main_Req_ptr, v39);
if
( v11 )
{
v26 = (*(
__int64
(__fastcall **)(
__int64
))(v11 + 24))(v12);
net_http_Error(Response_vtable, response, v26, v27, 400LL);
}
else
if
( v39->Size > 8 * v39->Data.len
|| (*(_OWORD *)v14 = os_OpenFile(aDevVmfs, 9LL, 0LL, 0600LL), v13 = v14[0], v14[1]) )
{
net_http_Error(Response_vtable, response, aInternalServer, 21LL, 500LL);
}
else
{
v33 = (_QWORD *)v14[0];
v15 = v39->Id;
v16 = v39->Data.data;
v17 = v39->Size;
v18 = v39->ChooseIndex;
v29[4] = 0LL;
v29[0] = v15;
v29[1] = (
__int64
)v16;
v29[2] = v17;
v29[3] = v18;
v38 = v29;
if
( v14[0] )
{
if
( (*(_BYTE *)(*(_QWORD *)v14[0] + 80LL) & 1) != 0 )
{
internal_poll___FD__SetBlocking(*(_QWORD *)v14[0]);
v13 = (
__int64
)v33;
}
v19 = *(_QWORD *)(*(_QWORD *)v13 + 16LL);
}
else
{
v19 = -1LL;
}
syscall_Syscall(SYS_ioctl, v19, 0xFF03LL, v38);
if
( v33 )
{
v28 = v20;
os___file__close(*v33);
v20 = v28;
}
if
( v20
|| (v40 = aSuccess,
v41 = 7LL,
v21 = runtime_convTstring(aSuccess),
v22 = encoding_json_Marshal(&type_main_Message, v21),
v25) )
{
net_http_Error(Response_vtable, response, aInternalServer, 21LL, 500LL);
}
else
{
Response_vtable->net_http_(_response)_Write(response, v22, v23, v24);
}
}
}
void
__fastcall main_runFile(ResponseWriter_table *Response_vtable,
void
*response,
void
*request)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
if
( (unsigned
__int64
)&v52 < 0x18170 || (unsigned
__int64
)&v34[15] <= *(_QWORD *)(v3 + 16) )
{
v53 = Response_vtable;
v54 = response;
v55 = request;
runtime_morestack_noctxt();
}
v55 = request;
v53 = Response_vtable;
v54 = response;
v41 = Response_vtable->net_http_(_response)_Header(response);
*(_OWORD *)v4 = net_textproto_CanonicalMIMEHeaderKey(aContentType, 12LL);
v36 = v4[1];
v46 = v4[0];
v5 = runtime_newobject(&type_string_array_1_ptr);
v45 = v5;
v5[1] = 16LL;
*v5 = aApplicationJso;
v6 = (_QWORD *)runtime_mapassign_faststr(&type_textproto_MIMEHeader, v41, v46, v36);
v6[1] = 1LL;
v6[2] = 1LL;
if
( dword_4927C0 )
runtime_gcWriteBarrier(v6, v45);
else
*v6 = v45;
v40 = v53->net_http_(_response)_Header(v54);
*(_OWORD *)v7 = net_textproto_CanonicalMIMEHeaderKey(aAccessControlA_3, 27LL);
v36 = v7[1];
v46 = v7[0];
v8 = runtime_newobject(&type_string_array_1_ptr);
v44 = v8;
v8[1] = 1LL;
*v8 =
"*"
;
v9 = (_QWORD *)runtime_mapassign_faststr(&type_textproto_MIMEHeader, v40, v46, v36);
v9[1] = 1LL;
v9[2] = 1LL;
if
( dword_4927C0 )
runtime_gcWriteBarrier(v9, v44);
else
*v9 = v44;
v48 = (main::Req *)runtime_newobject(&type_main_Req);
v39 = v55[9];
v43 = runtime_convI2I(&type_io_Reader, v55[8]);
v10 = runtime_newobject(&type_json_Decoder);
*v10 = v43;
if
( dword_4927C0 )
runtime_gcWriteBarrier(v10 + 1, v39);
else
v10[1] = v39;
v11 = encoding_json___Decoder__Decode(v10, &type_main_Req_ptr, v48);
if
( v11 )
{
v32 = (*(
__int64
(__fastcall **)(
__int64
))(v11 + 24))(v12);
net_http_Error(v53, v54, v32, v33, 400LL);
}
else
{
*(_OWORD *)v14 = os_OpenFile(aDevVmfs, 9LL, 0LL, 0600LL);
v13 = v14[0];
if
( v14[1] )
goto
LABEL_31;
v42 = (_QWORD *)v14[0];
v15 = regs_and_code;
do
{
*v15 = 0LL;
v15[1] = 0LL;
v15 += 2;
}
while
( (
__int64
)v15 <= (
__int64
)&v51.len );
v16 = memory;
do
{
*v16 = 0LL;
v16[1] = 0LL;
v16 += 2;
}
while
( (
__int64
)v16 <= (
__int64
)&memory[4094] );
v51.data = memory;
v51.len = 4096LL;
v51.cap = 4096LL;
v17 = v48->Id;
v18 = v48->Size;
v19 = v48->ChooseIndex;
v37[4] = 0LL;
v37[0] = v17;
v37[1] = ®s_and_code[17];
v37[2] = v18;
v37[3] = v19;
v47 = v37;
if
( v14[0] )
{
if
( (*(_BYTE *)(*(_QWORD *)v14[0] + 80LL) & 1) != 0 )
{
internal_poll___FD__SetBlocking(*(_QWORD *)v14[0]);
v13 = (
__int64
)v42;
}
v20 = *(_QWORD *)(*(_QWORD *)v13 + 16LL);
}
else
{
v20 = -1LL;
}
syscall_Syscall(SYS_ioctl, v20, 0xFF04LL, v47);
if
( v42 )
{
v35 = v21;
os___file__close(*v42);
v21 = v35;
}
if
( v21 )
{
LABEL_31:
net_http_Error(v53, v54, aInternalServer, 21LL, 500LL);
}
else
{
v22 = v34;
v23 = regs_and_code;
do
{
v24 = *v23;
v25 = v23[1];
v23 += 2;
*v22 = v24;
v22[1] = v25;
v22 += 2;
}
while
( (
__int64
)v23 <= (
__int64
)&v51.len );
v26 = main_runVM();
v49[0] = aSuccess;
v49[1] = 7LL;
v49[2] = v26;
v27 = runtime_convT(&type_main_VmMessage, v49);
v28 = encoding_json_Marshal(&type_main_VmMessage, v27);
if
( v31 )
net_http_Error(v53, v54, aInternalServer, 21LL, 500LL);
else
v53->net_http_(_response)_Write(v54, v28, v29, v30);
}
}
}
void
__cdecl main_main()
{
__int64
v0;
// x28
_QWORD *http_server;
// x0
__int64
v2;
// x0
__int64
v3;
// x1
__int64
v4;
// x0
void
*server_handle;
// [xsp+38h] [xbp-40h]
__int64
v6[2];
// [xsp+40h] [xbp-38h] BYREF
_QWORD v7[4];
// [xsp+50h] [xbp-28h] BYREF
__int64
v8;
// [xsp+78h] [xbp+0h] BYREF
if
( (unsigned
__int64
)&v8 <= *(_QWORD *)(v0 + 16) )
runtime_morestack_noctxt();
main_initFs();
v6[0] = (
__int64
)&type_string;
v6[1] = (
__int64
)&off_2D7E60;
fmt_Fprintln(&off_2D8F98, qword_45C3E8, v6, 1LL, 1LL);
// "Server started ..."
server_handle = runtime_newobject(&type_http_ServeMux);
net_http___ServeMux__Handle(server_handle, aApiCreateFile, 16LL, &off_2D9438, off_293378);
// 0x1F9A90, main.createFile
net_http___ServeMux__Handle(server_handle, aApiWriteFile, 15LL, &off_2D9438, &off_293388);
// 0x1F9E70, main.writeFile
net_http___ServeMux__Handle(server_handle, aApiRunFile, 13LL, &off_2D9438, off_293380);
// 0x1FA260, main.runFile
http_server = runtime_newobject(&type_http_Server);
http_server[1] = 5LL;
*http_server = a8080;
http_server[2] = &off_2D8E18;
if
( dword_4927C0 )
runtime_gcWriteBarrier(http_server + 3, server_handle);
else
http_server[3] = server_handle;
v2 = net_http___Server__ListenAndServe(http_server);
if
( v2 )
{
v7[2] = 0LL;
v7[3] = 0LL;
v7[0] = &type_string;
v7[1] = &off_2D7E80;
v4 = *(_QWORD *)(v2 + 8);
v7[2] = v4;
v7[3] = v3;
fmt_Fprintln(&off_2D8F98, qword_45C3E8, v7, 2LL, 2LL);
// "Error starting the server:"
}
}
void
__fastcall main_initFs()
{
__int64
v0;
// x28
__int64
v1[2];
// [xsp+30h] [xbp-58h] BYREF
__int64
v2[9];
// [xsp+40h] [xbp-48h] BYREF
__int64
v3;
// [xsp+88h] [xbp+0h] BYREF
if
( (unsigned
__int64
)&v3 <= *(_QWORD *)(v0 + 16) )
runtime_morestack_noctxt();
v2[0] = 0x400000020LL;
v2[1] = 0xC00000B704000015LL;
v2[2] = 32LL;
v2[3] = 0x11900020015LL;
v2[4] = 0xDD00010015LL;
v2[5] = 0x7FFF000000000006LL;
v2[6] = 6LL;
v1[0] = 7LL;
v1[1] = (
__int64
)v2;
syscall_Syscall(SYS_prctl, PR_SET_NO_NEW_PRIVS, 1LL);
v2[7] = (
__int64
)v1;
syscall_Syscall(SYS_prctl, PR_SET_SECCOMP, 2LL, v1);
}
void
__fastcall main_createFile(ResponseWriter_table *Response_vtable,
void
*response,
void
*request)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
if
( (unsigned
__int64
)&v31 <= *(_QWORD *)(v3 + 16) )
runtime_morestack_noctxt();
v30 = Response_vtable->net_http_(_response)_Header(response);
*(_OWORD *)v4 = net_textproto_CanonicalMIMEHeaderKey(aContentType, 12LL);
v35 = v4[0];
value = runtime_newobject(&type_string_array_1_ptr);
*((_QWORD *)value + 1) = 16LL;
*(_QWORD *)value = aApplicationJso;
v6 = (
void
**)runtime_mapassign_faststr(&type_textproto_MIMEHeader, v30, v35, v4[1]);
v6[1] = (
void
*)1;
v6[2] = (
void
*)1;
if
( dword_4927C0 )
runtime_gcWriteBarrier(v6, value);
else
*v6 = value;
v29 = Response_vtable->net_http_(_response)_Header(response);
*(_OWORD *)v7 = net_textproto_CanonicalMIMEHeaderKey(aAccessControlA_3, 27LL);
v35 = v7[0];
v8 = runtime_newobject(&type_string_array_1_ptr);
v33 = v8;
v8[1] = 1LL;
*v8 =
"*"
;
v9 = (
void
**)runtime_mapassign_faststr(&type_textproto_MIMEHeader, v29, v35, v7[1]);
v9[1] = (
void
*)1;
v9[2] = (
void
*)1;
if
( dword_4927C0 )
runtime_gcWriteBarrier(v9, v33);
else
*v9 = v33;
v37 = (main::Req *)runtime_newobject(&type_main_Req);
v28 = *((_QWORD *)request + 9);
v32 = runtime_convI2I(&type_io_Reader, *((_QWORD *)request + 8));
v10 = runtime_newobject(&type_json_Decoder);
*v10 = v32;
if
( dword_4927C0 )
runtime_gcWriteBarrier(v10 + 1, v28);
else
v10[1] = v28;
v11 = encoding_json___Decoder__Decode(v10, &type_main_Req_ptr, v37);
if
( v11 )
{
v24 = (*(
__int64
(__fastcall **)(
__int64
))(v11 + 24))(v12);
net_http_Error(Response_vtable, response, v24, v25, 400LL);
}
else
if
( v37->Size > 0x8000 || (*(_OWORD *)v14 = os_OpenFile(aDevVmfs, 9LL, 0LL, 0x180LL), v13 = v14[0], v14[1]) )
{
net_http_Error(Response_vtable, response, aInternalServer, 21LL, 500LL);
}
else
{
v31 = (_QWORD *)v14[0];
Id = v37->Id;
Size = v37->Size;
v27[1] = 0LL;
v27[3] = 0LL;
v27[4] = 0LL;
v27[0] = Id;
v27[2] = Size;
v36 = v27;
if
( v14[0] )
{
if
( (*(_BYTE *)(*(_QWORD *)v14[0] + 80LL) & 1) != 0 )
{
internal_poll___FD__SetBlocking(*(_QWORD *)v14[0]);
v13 = (
__int64
)v31;
}
v17 = *(_QWORD *)(*(_QWORD *)v13 + 16LL);
}
else
{
v17 = -1LL;
}
syscall_Syscall(SYS_ioctl, v17, 0xFF00LL, v36);
if
( v31 )
{
v26 = v18;
os___file__close(*v31);
v18 = v26;
}
if
( v18
|| (v38 = aSuccess,
v39 = 7LL,
v19 = runtime_convTstring(aSuccess),
v20 = encoding_json_Marshal(&type_main_Message, v19),
v23) )
{
net_http_Error(Response_vtable, response, aInternalServer, 21LL, 500LL);
}
else
{
Response_vtable->net_http_(_response)_Write(response, v20, v21, v22);
}
}
}
void
__fastcall main_writeFile(ResponseWriter_table *Response_vtable,
void
*response,
void
*request)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
if
( (unsigned
__int64
)&v33 <= *(_QWORD *)(v3 + 16) )
runtime_morestack_noctxt();
v32 = Response_vtable->net_http_(_response)_Header(response);
*(_OWORD *)v4 = net_textproto_CanonicalMIMEHeaderKey(aContentType, 12LL);
v37 = v4[0];
v5 = runtime_newobject(&type_string_array_1_ptr);
value = (
__int64
)v5;
v5[1] = 16LL;
*v5 = aApplicationJso;
v6 = (
__int64
*)runtime_mapassign_faststr(&type_textproto_MIMEHeader, v32, v37, v4[1]);
v6[1] = 1LL;
v6[2] = 1LL;
if
( dword_4927C0 )
runtime_gcWriteBarrier(v6, value);
else
*v6 = value;
v31 = Response_vtable->net_http_(_response)_Header(response);
*(_OWORD *)v7 = net_textproto_CanonicalMIMEHeaderKey(aAccessControlA_3, 27LL);
v37 = v7[0];
v8 = runtime_newobject(&type_string_array_1_ptr);
v35 = (
__int64
)v8;
v8[1] = 1LL;
*v8 =
"*"
;
v9 = (
__int64
*)runtime_mapassign_faststr(&type_textproto_MIMEHeader, v31, v37, v7[1]);
v9[1] = 1LL;
v9[2] = 1LL;
if
( dword_4927C0 )
runtime_gcWriteBarrier(v9, v35);
else
*v9 = v35;
v39 = (main::Req *)runtime_newobject(&type_main_Req);
v30 = *((_QWORD *)request + 9);
v34 = runtime_convI2I(&type_io_Reader, *((_QWORD *)request + 8));
v10 = runtime_newobject(&type_json_Decoder);
*v10 = v34;
if
( dword_4927C0 )
runtime_gcWriteBarrier(v10 + 1, v30);
else
v10[1] = v30;
v11 = encoding_json___Decoder__Decode(v10, &type_main_Req_ptr, v39);
if
( v11 )
{
v26 = (*(
__int64
(__fastcall **)(
__int64
))(v11 + 24))(v12);
net_http_Error(Response_vtable, response, v26, v27, 400LL);
}
else
if
( v39->Size > 8 * v39->Data.len
|| (*(_OWORD *)v14 = os_OpenFile(aDevVmfs, 9LL, 0LL, 0600LL), v13 = v14[0], v14[1]) )
{
net_http_Error(Response_vtable, response, aInternalServer, 21LL, 500LL);
}
else
{
v33 = (_QWORD *)v14[0];
v15 = v39->Id;
v16 = v39->Data.data;
v17 = v39->Size;
v18 = v39->ChooseIndex;
v29[4] = 0LL;
v29[0] = v15;
v29[1] = (
__int64
)v16;
v29[2] = v17;
v29[3] = v18;
v38 = v29;
if
( v14[0] )
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课