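/*
 * Locate the CRT's _fflush and the address of the __iob table inside the
 * running executable by scanning its on-disk image for the byte sequences
 * shown in the listings below (MSVC CRT build with an SEH prolog).
 *
 * @param f  On success receives f->fflush (RVA of _fflush as computed by
 *           raw_to_rva) and f->addr_iob (the 32-bit immediate of
 *           `mov eax, offset __iob` inside __lock_file). On failure both
 *           fields are left untouched.
 * @return   true on success (this function's original convention);
 *           -1 when psapi.dll, GetModuleFileNameExA or the module path are
 *           unavailable; otherwise errno as left by the failing helper.
 *           NOTE(review): errno can still be 0 when a pattern is merely
 *           absent, so a caller cannot rely on a non-zero value then.
 *
 * The psapi module, the PE handle and the file mapping are released on every
 * path, and every compare against the mapping is bounds-checked so a match
 * close to the end of the file cannot read past it.
 */
errno_t SearchFlush1(flush_t* f)
{
	errno_t rc = -1;
	char filename[MAX_PATH] = {0};
	HMODULE base = GetModuleHandle( NULL );
	HMODULE psapi = NULL;
	_GetModuleFileNameExA GetModuleFileNameEx_ = NULL;
	MAPPED_FILE view = {0};
	int pe = INVALID_PE;
	const char* data = NULL;
	const char* end = NULL;
	const char* start = NULL;
	const char* pos = NULL;
	size_t off = 0;
	int found = 0;
	_fflush_ fflush_rva = NULL;
	uint32_t iob = 0;

	/* Search for the _fflush function. */
	/*
					_fflush         proc near               ; CODE XREF: sub_403AD0+2A0p
	.text:004E6AD9                                                           ; output_result+A5p ...
	.text:004E6AD9
	.text:004E6AD9                   var_1C          = dword ptr -1Ch
	.text:004E6AD9                   ms_exc          = CPPEH_RECORD ptr -18h
	.text:004E6AD9                   File            = dword ptr  8
	.text:004E6AD9
	.text:004E6AD9 6A 0C                             push    0Ch
	.text:004E6ADB 68 58 7B 51 00                    push    offset unk_517B58
	.text:004E6AE0 E8 1F 64 00 00                    call    __SEH_prolog4
	.text:004E6AE5 33 F6                             xor     esi, esi
	.text:004E6AE7 39 75 08                          cmp     [ebp+File], esi
	.text:004E6AEA 75 09                             jnz     short loc_4E6AF5
	.text:004E6AEC 56                                push    esi
	.text:004E6AED E8 0D FF FF FF                    call    _flsall
	.text:004E6AF2 59                                pop     ecx
	.text:004E6AF3 EB 27                             jmp     short loc_4E6B1C
	.text:004E6AF5                   ; ---------------------------------------------------------------------------
	.text:004E6AF5
	.text:004E6AF5                   loc_4E6AF5:                             ; CODE XREF: _fflush+11j
	.text:004E6AF5 FF 75 08                          push    [ebp+File]
	.text:004E6AF8 E8 94 FD FF FF                    call    __lock_file
	.text:004E6AFD 59                                pop     ecx
	.text:004E6AFE 89 75 FC                          mov     [ebp+ms_exc.disabled], esi
	.text:004E6B01 FF 75 08                          push    [ebp+File]      ; File
	.text:004E6B04 E8 B4 FE FF FF                    call    __fflush_nolock
	.text:004E6B09 59                                pop     ecx
	.text:004E6B0A 89 45 E4                          mov     [ebp+var_1C], eax
	.text:004E6B0D C7 45 FC FE FF FF+                mov     [ebp+ms_exc.disabled], 0FFFFFFFEh
	.text:004E6B14 E8 09 00 00 00                    call    $LN8_1
	.text:004E6B19
	.text:004E6B19                   $LN9_1:
	.text:004E6B19 8B 45 E4                          mov     eax, [ebp+var_1C]
	.text:004E6B1C
	.text:004E6B1C                   loc_4E6B1C:                             ; CODE XREF: _fflush+1Aj
	.text:004E6B1C E8 28 64 00 00                    call    __SEH_epilog4
	.text:004E6B21 C3                                retn
	.text:004E6B21                   _fflush         endp

	*/
	/* Bytes at _fflush+0xC (`xor esi, esi` up to the `call _flsall` opcode). */
	const uint8_t target_fflush_1[] = { 0x33, 0xF6, 0x39, 0x75, 0x08, 0x75, 0x09, 0x56, 0xE8 };
	/* Bytes expected at +0xD (`pop ecx; jmp; push [ebp+File]; call`) and at
	 * +0x18 (`pop ecx; mov [ebp+ms_exc.disabled], esi; push [ebp+File]; call`)
	 * relative to that match. */
	const uint8_t target_fflush_2[] = { 0x59, 0xEB, 0x27, 0xFF, 0x75, 0x08, 0xE8 };
	const uint8_t target_fflush_3[] = { 0x59, 0x89, 0x75, 0xFC, 0xFF, 0x75, 0x08, 0xE8 };
	/* Farthest byte any of the compares above touches, relative to the match. */
	const size_t fflush_span = 0x18 + sizeof( target_fflush_3 );

	/* Search the __lock_file function to obtain the address of the iob data,
	 * from which stdout can be derived. */
	/*
	.text:004E6891 56                                push    esi
	.text:004E6892 8B 74 24 08                       mov     esi, [esp+4+arg_0]
	.text:004E6896 B8 D0 EF 51 00                    mov     eax, offset __iob
	.text:004E689B 3B F0                             cmp     esi, eax
	.text:004E689D 72 22                             jb      short loc_4E68C1
	.text:004E689F 81 FE 30 F2 51 00                 cmp     esi, offset unk_51F230
	.text:004E68A5 77 1A                             ja      short loc_4E68C1
	.text:004E68A7 8B CE                             mov     ecx, esi
	.text:004E68A9 2B C8                             sub     ecx, eax
	.text:004E68AB C1 F9 05                          sar     ecx, 5
	.text:004E68AE 83 C1 10                          add     ecx, 10h
	.text:004E68B1 51                                push    ecx
	.text:004E68B2 E8 1B 5B 00 00                    call    __lock
	.text:004E68B7 81 4E 0C 00 80 00+                or      dword ptr [esi+0Ch], 8000h
	.text:004E68BE 59                                pop     ecx
	.text:004E68BF 5E                                pop     esi
	.text:004E68C0 C3                                retn
	*/
	/* Bytes at __lock_file+0x14 (`ja` through the `call __lock` opcode); the
	 * __iob immediate sits 0xE bytes before them. */
	const uint8_t target_iob[] = { 0x77, 0x1A, 0x8B, 0xCE, 0x2B, 0xC8, 0xC1, 0xF9, 0x05, 0x83, 0xC1, 0x10, 0x51, 0xE8 };

	psapi = LoadLibrary("psapi.dll");
	if (psapi == NULL)
		return -1;
	GetModuleFileNameEx_ =
		(_GetModuleFileNameExA)GetProcAddress(psapi, "GetModuleFileNameExA");
	/* GetProcAddress can fail; calling a NULL function pointer is UB. */
	if (GetModuleFileNameEx_ == NULL)
		goto out_lib;
	/* A zero return means the path was not resolved; never try to map "". */
	if (GetModuleFileNameEx_(GetCurrentProcess(), base, filename, sizeof(filename)) == 0)
		goto out_lib;

	if( !map_file(filename, &view) ) {
		rc = errno;
		goto out_lib;
	}
	pe = pe_open((const char*)view.data, view.size);
	if (pe == INVALID_PE) {
		rc = errno;
		goto out_unmap;
	}

	data = (const char*)view.data;
	end  = data + view.size;

	/* Walk every occurrence of target_fflush_1 until the follow-up bytes
	 * also match; a candidate that fails the follow-up is skipped. */
	while( off < view.size ) {
		const char* hit = (const char*)memstr( data + off, view.size - off,
			(const char*)target_fflush_1, sizeof( target_fflush_1 ) );
		if( hit == NULL )
			break;
		if( (size_t)(end - hit) >= fflush_span
		 && 0 == memcmp( hit + 0xD, target_fflush_2, sizeof( target_fflush_2 ))
		 && 0 == memcmp( hit + 0x18, target_fflush_3, sizeof( target_fflush_3 ))) {
			start = hit;
			found = 1;
			break;
		}
		off = (size_t)(hit - data) + sizeof( target_fflush_1 );
	}
	/* The match sits at _fflush+0xC, so the entry point must also be inside
	 * the mapping; without a full match `start` is meaningless. */
	if( !found || (size_t)(start - data) < 0xC ) {
		rc = errno;
		goto out_close;
	}

	/* Convert the file offset of _fflush's entry into an RVA. */
	fflush_rva = (_fflush_)(raw_to_rva(pe, (uint32_t)(start - 0xC - data)));
	if( (ULONG)fflush_rva == INVALID_RVA ) {
		rc = errno;
		goto out_close;
	}

	pos = (const char*)memstr( data, view.size,
		(const char*)target_iob, sizeof( target_iob ) );
	/* memstr may miss, and the immediate lies 0xE bytes before the match. */
	if( pos == NULL || (size_t)(pos - data) < 0xE ) {
		rc = errno;
		goto out_close;
	}
	/* memcpy rather than a pointer cast: the operand is unaligned and
	 * type-punning through `unsigned long*` is UB. */
	memcpy( &iob, pos - 0xE, sizeof( iob ) );

	f->fflush = fflush_rva;
	f->addr_iob = iob;
	rc = true;

out_close:
	pe_close(pe);
out_unmap:
	unmap_file( &view );
out_lib:
	FreeLibrary(psapi);
	return rc;
}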
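/*
 * Locate the CRT's _fflush and the address of the __iob table inside the
 * running executable by scanning its on-disk image for the byte sequences
 * shown in the listings below (MSVC CRT build without an SEH prolog).
 *
 * @param f  On success receives f->fflush (RVA of _fflush as computed by
 *           raw_to_rva) and f->addr_iob (the 32-bit immediate of
 *           `mov ecx, __iob` inside __lock_file). On failure both fields
 *           are reset to NULL / 0.
 * @return   true on success (this function's original convention);
 *           -1 when psapi.dll, GetModuleFileNameExA or the module path are
 *           unavailable; otherwise errno as left by the failing helper.
 *           NOTE(review): errno can still be 0 when a pattern is merely
 *           absent, so a caller cannot rely on a non-zero value then.
 *
 * The psapi module, the PE handle and the file mapping are released on every
 * path, and every compare against the mapping is bounds-checked so a match
 * close to the end of the file cannot read past it.
 */
errno_t SearchFlush2(flush_t* f)
{
	errno_t rc = -1;
	char filename[MAX_PATH] = {0};
	HMODULE base = GetModuleHandle( NULL );
	HMODULE psapi = NULL;
	_GetModuleFileNameExA GetModuleFileNameEx_ = NULL;
	MAPPED_FILE view = {0};
	int pe = INVALID_PE;
	const char* data = NULL;
	const char* end = NULL;
	const char* start = NULL;
	const char* pos = NULL;
	size_t off = 0;
	int found = 0;
	_fflush_ fflush_rva = NULL;
	uint32_t iob = 0;

	/*	
			_fflush         proc near
	.text:0040772E
	.text:0040772E                   File            = dword ptr  4
	.text:0040772E
	.text:0040772E 56                                push    esi
	.text:0040772F 8B 74 24 08                       mov     esi, [esp+4+File]
	.text:00407733 85 F6                             test    esi, esi
	.text:00407735 75 09                             jnz     short loc_407740
	.text:00407737 56                                push    esi
	.text:00407738 E8 B3 00 00 00                    call    _flsall
	.text:0040773D 59                                pop     ecx
	.text:0040773E 5E                                pop     esi
	.text:0040773F C3                                retn
	.text:00407740                   ; ---------------------------------------------------------------------------
	.text:00407740
	.text:00407740                   loc_407740:                             ; CODE XREF: _fflush+7j
	.text:00407740 57                                push    edi
	.text:00407741 56                                push    esi
	.text:00407742 E8 44 EA FF FF                    call    __lock_file
	.text:00407747 56                                push    esi
	.text:00407748 E8 10 00 00 00                    call    __fflush_lk
	.text:0040774D 56                                push    esi
	.text:0040774E 8B F8                             mov     edi, eax
	.text:00407750 E8 88 EA FF FF                    call    __unlock_file
	.text:00407755 83 C4 0C                          add     esp, 0Ch
	.text:00407758 8B C7                             mov     eax, edi
	.text:0040775A 5F                                pop     edi
	.text:0040775B 5E                                pop     esi
	.text:0040775C C3                                retn
	.text:0040775C                   _fflush         endp
	*/
	/* Bytes of _fflush from its entry (`push esi`) up to the `call _flsall` opcode. */
	const unsigned char target_fflush_1[] = { 0x56, 0x8B, 0x74, 0x24, 0x08, 0x85, 0xF6, 0x75, 0x09, 0x56, 0xE8 };
	/* Bytes expected at +0xF (`pop ecx; pop esi; retn; push edi; push esi; call`)
	 * and at +0x1F (`push esi; mov edi, eax; call`) relative to that match. */
	const unsigned char target_fflush_2[] = { 0x59, 0x5E, 0xC3, 0x57, 0x56, 0xE8 };
	const unsigned char target_fflush_3[] = { 0x56, 0x8B, 0xF8, 0xE8 };
	/* Farthest byte any of the compares above touches, relative to the match. */
	const size_t fflush_span = 0x1F + sizeof( target_fflush_3 );

	/*
			__lock_file     proc near               ; CODE XREF: _fclose+16p
	.text:0040618B                                                           ; sub_404D03+8p ...
	.text:0040618B
	.text:0040618B                   arg_0           = dword ptr  4
	.text:0040618B
	.text:0040618B 8B 44 24 04                       mov     eax, [esp+arg_0]
	.text:0040618F B9 80 49 41 00                    mov     ecx, __iob
	.text:00406194 3B C1                             cmp     eax, ecx
	.text:00406196 72 17                             jb      short loc_4061AF
	.text:00406198 3D E0 4B 41 00                    cmp     eax, offset unk_414BE0
	.text:0040619D 77 10                             ja      short loc_4061AF
	.text:0040619F 2B C1                             sub     eax, ecx
	.text:004061A1 C1 F8 05                          sar     eax, 5
	.text:004061A4 83 C0 1C                          add     eax, 1Ch
	.text:004061A7 50                                push    eax
	.text:004061A8 E8 B9 F4 FF FF                    call    __lock
	.text:004061AD 59                                pop     ecx
	.text:004061AE C3                                retn
	.text:004061AF                   ; ---------------------------------------------------------------------------
	.text:004061AF
	.text:004061AF                   loc_4061AF:                             ; CODE XREF: __lock_file+Bj
	.text:004061AF                                                           ; __lock_file+12j
	.text:004061AF 83 C0 20                          add     eax, 20h
	.text:004061B2 50                                push    eax             ; lpCriticalSection
	.text:004061B3 FF 15 78 10 41 00                 call    ds:EnterCriticalSection
	.text:004061B9 C3                                retn
	.text:004061B9                   __lock_file     endp
	*/
	/* Bytes at __lock_file+0x12 (`ja` through the `call __lock` opcode); the
	 * __iob immediate sits 0xD bytes before them. */
	const unsigned char target_iob[] = { 0x77, 0x10, 0x2B, 0xC1, 0xC1, 0xF8, 0x05, 0x83, 0xC0, 0x1C, 0x50, 0xE8 };

	/* Reset the outputs so no failure path leaves stale values behind. */
	f->addr_iob = 0;
	f->fflush = NULL;

	psapi = LoadLibrary("psapi.dll");
	if (psapi == NULL)
		return -1;
	GetModuleFileNameEx_ =
		(_GetModuleFileNameExA)GetProcAddress(psapi, "GetModuleFileNameExA");
	/* GetProcAddress can fail; calling a NULL function pointer is UB. */
	if (GetModuleFileNameEx_ == NULL)
		goto out_lib;
	/* A zero return means the path was not resolved; never try to map "". */
	if (GetModuleFileNameEx_( GetCurrentProcess(), base, filename, sizeof( filename ) ) == 0)
		goto out_lib;

	if( !map_file( filename, &view) ) {
		rc = errno;
		goto out_lib;
	}
	pe = pe_open((const char*)view.data, view.size);
	if (pe == INVALID_PE) {
		rc = errno;
		goto out_unmap;
	}

	data = (const char*)view.data;
	end  = data + view.size;

	/* Walk every occurrence of target_fflush_1 until the follow-up bytes
	 * also match; a candidate that fails the follow-up is skipped. */
	while( off < view.size ) {
		const char* hit = (const char*)memstr( data + off, view.size - off,
			(const char*)target_fflush_1, sizeof( target_fflush_1 ) );
		if( hit == NULL )
			break;
		if( (size_t)(end - hit) >= fflush_span
		 && 0 == memcmp( hit + 0xF, target_fflush_2, sizeof( target_fflush_2 ))
		 && 0 == memcmp( hit + 0x1F, target_fflush_3, sizeof( target_fflush_3 ))) {
			start = hit;
			found = 1;
			break;
		}
		off = (size_t)(hit - data) + sizeof( target_fflush_1 );
	}
	/* Without a full match `start` is meaningless. */
	if( !found ) {
		rc = errno;
		goto out_close;
	}

	/* Convert the file offset of the match (_fflush's entry) into an RVA. */
	fflush_rva = (_fflush_)(raw_to_rva(pe, (uint32_t)(start - data)));
	if( (ULONG)fflush_rva == INVALID_RVA ) {
		rc = errno;
		goto out_close;
	}

	pos = (const char*)memstr( data, view.size,
		(const char*)target_iob, sizeof( target_iob ) );
	/* memstr may miss, and the immediate lies 0xD bytes before the match. */
	if( pos == NULL || (size_t)(pos - data) < 0xD ) {
		rc = errno;
		goto out_close;
	}
	/* memcpy rather than a pointer cast: the operand is unaligned and
	 * type-punning through `unsigned long*` is UB. */
	memcpy( &iob, pos - 0xD, sizeof( iob ) );

	f->fflush = fflush_rva;
	f->addr_iob = iob;
	rc = true;

out_close:
	pe_close(pe);
out_unmap:
	unmap_file( &view );
out_lib:
	FreeLibrary(psapi);
	return rc;
}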
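/** Save the specified mode to file.

    Must be called with `lock` held. The items already on disk are merged
    with new_items in timestamp order (items in deleted_items are dropped),
    the most recent HISTORY_SAVE_MAX of them are written to the ".tmp" file
    returned by history_filename(), and that file is then renamed over the
    history file. If the temporary file cannot be created, written, closed
    or renamed, the unsaved-item state is left untouched so a later save can
    retry, and a low-priority debug message is logged.

    NOTE(review): wfopen(tmp_name, "w") creates the file with the process
    umask; if history may contain sensitive input, confirm that the
    resulting mode is acceptable. */
void history_t::save_internal()
{
    /* This must be called while locked */
    ASSERT_IS_LOCKED(lock);

    /* Nothing to do if there's no new items */
    if (new_items.empty() && deleted_items.empty())
        return;

    /* Compact our new items so we don't have duplicates */
    this->compact_new_items();

    bool ok = true;

    wcstring tmp_name = history_filename(name, L".tmp");
    if (! tmp_name.empty())
    {
        /* Make an LRU cache to save only the last N elements */
        history_lru_cache_t lru(HISTORY_SAVE_MAX);

        /* Insert old items in, from old to new. Merge them with our new items, inserting items with earlier timestamps first. */
        std::vector<history_item_t>::const_iterator new_item_iter = new_items.begin();

        /* Map in existing items (which may have changed out from underneath us, so don't trust our old mmap'd data) */
        const char *local_mmap_start = NULL;
        size_t local_mmap_size = 0;
        if (map_file(name, &local_mmap_start, &local_mmap_size))
        {
            const history_file_type_t local_mmap_type = infer_file_type(local_mmap_start, local_mmap_size);
            size_t cursor = 0;
            for (;;)
            {
                size_t offset = offset_of_next_item(local_mmap_start, local_mmap_size, local_mmap_type, &cursor, 0);
                /* If we get back -1, we're done */
                if (offset == (size_t)(-1))
                    break;

                /* Try decoding an old item */
                const history_item_t old_item = history_t::decode_item(local_mmap_start + offset, local_mmap_size - offset, local_mmap_type);
                if (old_item.empty() || is_deleted(old_item))
                    continue;

                /* The old item may actually be more recent than our new item, if it came from another session. Insert all new items at the given index with an earlier timestamp. */
                for (; new_item_iter != new_items.end(); ++new_item_iter)
                {
                    if (new_item_iter->timestamp() < old_item.timestamp())
                    {
                        /* This "new item" is in fact older. */
                        lru.add_item(*new_item_iter);
                    }
                    else
                    {
                        /* The new item is not older. */
                        break;
                    }
                }

                /* Now add this old item */
                lru.add_item(old_item);
            }
            munmap((void *)local_mmap_start, local_mmap_size);
        }

        /* Insert any remaining new items */
        for (; new_item_iter != new_items.end(); ++new_item_iter)
            lru.add_item(*new_item_iter);

        signal_block();

        FILE *out = wfopen(tmp_name, "w");
        if (out)
        {
            /* Write them out */
            for (history_lru_cache_t::iterator iter = lru.begin(); iter != lru.end(); ++iter)
            {
                const history_lru_node_t *node = *iter;
                if (! node->write_yaml_to_file(out))
                {
                    ok = false;
                    break;
                }
            }

            /* fclose() flushes buffered data; a failure means the temporary
               file is incomplete and must not replace the real one. */
            if (fclose(out) != 0)
                ok = false;

            if (! ok)
            {
                /*
                  This message does not have high enough priority to
                  be shown by default.
                */
                debug(2, L"Error when writing history file");
            }
            else
            {
                wcstring new_name = history_filename(name, wcstring());
                /* Until the rename succeeds nothing has been saved. */
                if (wrename(tmp_name, new_name) != 0)
                {
                    debug(2, L"Error when renaming history file");
                    ok = false;
                }
            }
        }
        else
        {
            /* No temporary file could be created, so nothing was saved. */
            ok = false;
        }

        signal_unblock();

        /* Make sure we clear all nodes, since this doesn't happen automatically */
        lru.evict_all_nodes();

        /* Only forget the unsaved items once they are actually on disk;
           otherwise the next save gets another chance. */
        if (ok)
            unsaved_item_count = 0;
    }

    if (ok)
    {
        /* Our history has been written to the file, so clear our state so we can re-reference the file. */
        this->clear_file_state();
    }
}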
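/**
	@brief dynamic linker ops

	Dispatches the SYSREQ_PROCESS_* requests issued by the user-mode
	dynamic linker. Every pointer taken from @p req is passed through
	ke_validate_user_buffer() before it is used; the validated length of a
	name includes its terminating NUL so the whole string is known to be
	accessible.

	@param req  request block: req->function_type selects the operation,
	            req->name / req->context / req->context_length carry the
	            arguments.
	@return SYSREQ_PROCESS_OPEN_EXE:     handle of the opened image, or
	                                      KE_INVALID_HANDLE on error;
	        SYSREQ_PROCESS_MAP_EXE_FILE: start address of the mapping, or 0;
	        SYSREQ_PROCESS_ENJECT_EXE:   true on success, false on error;
	        anything else:               0.

	NOTE(review): strlen(module_name) is evaluated before the name buffer
	has been validated, so an invalid user pointer is read in kernel mode
	before the check can reject it. A bounded copy that validates as it
	reads would be the proper fix; no such helper is visible in this file.
 */
static ke_handle process_ld(struct sysreq_process_ld * req)
{
	ke_handle handle;
	xstring module_name;

	switch (req->function_type)
	{
		case SYSREQ_PROCESS_OPEN_EXE:
		{
			struct ko_exe *image;

			module_name = req->name;

			if (ke_validate_user_buffer(req->context, req->context_length, true) == false)
				goto ld_0_err;
			/* +1 so the terminator already read by strlen() is covered too */
			if (ke_validate_user_buffer(module_name, strlen(module_name) + 1, false) == false)
				goto ld_0_err;
			if (ke_validate_user_buffer(&req->map_base, sizeof(req->map_base), true) == false)
				goto ld_0_err;
			if ((image = kp_exe_open_by_name(KP_CURRENT(), module_name, &req->map_base)) == NULL)
				goto ld_0_err;
			if (kp_exe_copy_private(image, req->context, req->context_length) == false)
				goto ld_0_err1;

			/* Create handle for this image */
			handle = ke_handle_create(image);
			if (handle == KE_INVALID_HANDLE)
				goto ld_0_err1;

			return handle;

		ld_0_err1:
			//TODO: close the object -- `image` is leaked on this path
		ld_0_err:
			return KE_INVALID_HANDLE;
		}

		/* Return the map base */
		case SYSREQ_PROCESS_MAP_EXE_FILE:
		{
			struct ko_section *file_section;

			module_name = req->name;

			/* +1 so the terminator already read by strlen() is covered too */
			if (ke_validate_user_buffer(module_name, strlen(module_name) + 1, false) == false)
				goto map_0_err;
			/* NOTE(review): map_file() writes the mapped size through
			   &req->context_length; unlike &req->map_base in the OPEN case
			   that field is not validated for write access here -- confirm
			   req itself lives in kernel memory, or validate it. */
			file_section = map_file(KP_CURRENT(), module_name, KM_PROT_READ, &req->context_length);
			if (file_section == NULL)
				goto map_0_err;

			return (ke_handle)file_section->node.start;

		map_0_err:
			return 0;
		}

		/* Unmap the locally mapped file (not implemented yet) */
		case SYSREQ_PROCESS_UNMAP_EXE_FILE:
		{
			void *base = req->name;
			(void)base;	/* unused until the operation is implemented */
			TRACE_UNIMPLEMENTED("");
		}
		break;

		/* Add a new exe object, return bool */
		case SYSREQ_PROCESS_ENJECT_EXE:
		{
			void *ctx;
			int ctx_size;
			unsigned long size;
			struct ko_section *file_section;

			ctx_size		= req->context_length;
			ctx				= req->context;
			module_name		= req->name;

			/* ctx_size is a signed int taken from the request; reject a
			   negative value before it reaches the validator or the
			   upper-bound compare below. */
			if (ctx_size < 0)
				goto ld_3_err;
			if (ke_validate_user_buffer(ctx, ctx_size, false) == false)
				goto ld_3_err;
			/* +1 so the terminator already read by strlen() is covered too */
			if (ke_validate_user_buffer(module_name, strlen(module_name) + 1, false) == false)
				goto ld_3_err;
			if (ctx_size > kp_exe_get_context_size())
				goto ld_3_err;
			if ((file_section = map_file(kp_get_file_process(), module_name, KM_PROT_READ, &size)) == NULL)
				goto ld_3_err;
			/* NOTE(review): file_section is not released if this fails --
			   confirm kp_exe_create_from_file() does not take ownership on
			   error, otherwise the mapping leaks. */
			if (kp_exe_create_from_file(module_name, file_section, ctx, NULL) == NULL)
				goto ld_3_err;

			return true;

		ld_3_err:
			return false;
		}
		default:
			break;
	}

	return 0;
}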
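/*
 * Fill a 0x10000-entry case-conversion table when the on-disk one is
 * missing. Every code point maps to itself first, then the 256 single-byte
 * characters are overridden with the <ctype.h> mapping (ASCII-compatible
 * because the caller has switched the locale to "C" when HAVE_SETLOCALE
 * is defined).
 *
 * @param table     0x10000-entry table to fill; must not be NULL.
 * @param to_upper  non-zero builds the upper-case table, zero the
 *                  lower-case one.
 */
static void build_lame_case_table(smb_ucs2_t *table, int to_upper)
{
	int i;

	for (i = 0; i < 0x10000; i++) {
		smb_ucs2_t v;
		SSVAL(&v, 0, i);
		table[v] = i;
	}
	for (i = 0; i < 256; i++) {
		smb_ucs2_t v;
		SSVAL(&v, 0, UCS2_CHAR(i));
		if (to_upper) {
			table[v] = UCS2_CHAR(islower(i) ? toupper(i) : i);
		} else {
			table[v] = UCS2_CHAR(isupper(i) ? tolower(i) : i);
		}
	}
}

/*
 * Load the upcase/lowcase UCS-2 tables. Each table is 0x20000 bytes
 * (0x10000 two-byte entries) and is preferably mapped from
 * lib_path("upcase.dat") / lib_path("lowcase.dat"); when a file is missing
 * a built-in fallback covering only the single-byte range is generated so
 * Samba can still limp along. Runs once; later calls are no-ops.
 *
 * Side effects: sets the file-scope upcase_table / lowcase_table and the
 * matching *_use_unmap flags (true when the table came from map_file(),
 * presumably so the cleanup path unmaps instead of freeing -- verify
 * against the release code). The locale is temporarily switched to "C"
 * while the fallback tables are built and restored afterwards.
 */
void load_case_tables(void)
{
	static int initialised;
	char *old_locale = NULL, *saved_locale = NULL;

	if (initialised) {
		return;
	}
	initialised = 1;

	upcase_table = (smb_ucs2_t *)map_file(lib_path("upcase.dat"),
					      0x20000);
	upcase_table_use_unmap = ( upcase_table != NULL );

	lowcase_table = (smb_ucs2_t *)map_file(lib_path("lowcase.dat"),
					       0x20000);
	lowcase_table_use_unmap = ( lowcase_table != NULL );

#ifdef HAVE_SETLOCALE
	/* Get the name of the current locale.  */
	old_locale = setlocale(LC_ALL, NULL);

	if (old_locale) {
		/* Save it as it is in static storage. */
		saved_locale = SMB_STRDUP(old_locale);
	}

	/* We set back the locale to C to get ASCII-compatible toupper/lower functions. */
	setlocale(LC_ALL, "C");
#endif

	/* we would like Samba to limp along even if these tables are
	   not available */
	if (!upcase_table) {
		DEBUG(1,("creating lame upcase table\n"));
		upcase_table = (smb_ucs2_t *)SMB_MALLOC(0x20000);
		/* An unchecked NULL here would be written through by the fill. */
		if (upcase_table) {
			build_lame_case_table(upcase_table, 1);
		} else {
			DEBUG(0,("load_case_tables: out of memory for upcase table\n"));
		}
	}

	if (!lowcase_table) {
		DEBUG(1,("creating lame lowcase table\n"));
		lowcase_table = (smb_ucs2_t *)SMB_MALLOC(0x20000);
		if (lowcase_table) {
			build_lame_case_table(lowcase_table, 0);
		} else {
			DEBUG(0,("load_case_tables: out of memory for lowcase table\n"));
		}
	}

#ifdef HAVE_SETLOCALE
	/* Restore the old locale. */
	if (saved_locale) {
		setlocale (LC_ALL, saved_locale);
		SAFE_FREE(saved_locale);
	}
#endif
}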
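/*
 * Test driver: fills the parameter sets for the terrain and cave noise
 * layers and runs map_file(). Every array is fully initialised -- unlisted
 * slots (index 5 in every set) are zero rather than indeterminate -- and
 * main() returns int as the C standard requires.
 *
 * The meaning of the individual slots is not visible here; the designated
 * initialisers keep the original index -> value mapping explicit.
 */
int main(void)
{
	double lowlands[11] = {
		[0] = 2, [1] = 1, [2] = 3, [3] = 2, [4] = 0.25,
		[6] = 0, [7] = 1, [8] = 0.125, [9] = -0.45, [10] = 0
	};
	double highlands[11] = {
		[0] = 0, [1] = 1, [2] = 3, [3] = 4, [4] = 2,
		[6] = -1, [7] = 1, [8] = 0.25, [9] = 0, [10] = 0
	};
	double mountain[11] = {
		[0] = 2, [1] = 1, [2] = 3, [3] = 8, [4] = 1,
		[6] = -1, [7] = 1, [8] = 0.45, [9] = 0.15, [10] = 0.25
	};
	double terrain[14] = {
		[0] = 0, [1] = 1, [2] = 3, [3] = 3, [4] = 0.125,
		[6] = 0, [7] = 1, [8] = 0, [9] = 0.55, [10] = 0.2,
		[11] = 0.25, [12] = 0.15, [13] = 0.5
	};
	double caveshape[8] = {
		[0] = 1, [1] = 1, [2] = 3, [3] = 1, [4] = 4,
		[6] = 0.45, [7] = 1
	};
	double cavepreturb[12] = {
		[0] = 0, [1] = 1, [2] = 3, [3] = 6, [4] = 3,
		[6] = 0.5, [7] = 0, [8] = 1, [9] = 0, [10] = 0.48, [11] = 0
	};

	map_file();

	/* Alternative entry points kept for reference; they are the only
	 * consumers of the parameter arrays above. */
	//map_file2(lowlands, highlands, mountain, terrain, caveshape, cavepreturb, 800, 200, 0);

	//map_test(700, 300);
	//map_test2();

	return 0;
}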