I try to profile my program myprog using perf, and here's what I get:
#
# Overhead Symbol Shared Object
# ........ ................................................................... .....................................
#
7.71% 0x743a l [.] list_iter_next myprog
I use objdump -D to see which instruction the IP refers to.
The thing is, the 0x743a IP shown here is in a .debug section of myprog.
$ grep -ne ' 743a' dump
418233: 743a: 65 gs
429445: 743a: 40 00 00 add %al,(%rax)
The hex value provided by perf could match several places in the dump, as shown by:
$ grep -ne 743a dump
7973: 40743a: 48 8b 00 mov (%rax),%rax
72861: 44743a: 66 0f f8 c8 psubb %xmm0,%xmm1
87650: 45743a: 41 d3 e9 shr %cl,%r9d
The correct IP is 0x40743a, as shown here:
$ grep -n4 40743a dump
7969-0000000000407430 <list_iter_next>:
7970- 407430: 48 8b 07 mov (%rdi),%rax
7971- 407433: 48 8b 40 08 mov 0x8(%rax),%rax
7972- 407437: 48 89 07 mov %rax,(%rdi)
7973: 40743a: 48 8b 00 mov (%rax),%rax
7974- 40743d: c3 retq
7975- 40743e: 66 90 xchg %ax,%ax
7976-
Does anybody know what's going on?
Have you compiled your program with debug options (-g with gcc)? It seems that debug information is missing, as explained in the perf tutorial at: https://perf.wiki.kernel.org/index.php/Tutorial
When the symbol is printed as a hexadecimal address, this is because the ELF image does not have a symbol table. This happens when binaries are stripped.
About the symbol value you get, I don't know where it comes from and if we can interpret it like you did.
I want to convert BPF assembly into an executable.
For example, I got
entrypoint:
div32 r1, 1768515945
exit
Can I get its executable? It should be loaded and executed by the bpf vm.
Thanks.
Each instruction is 64 bits. This should assemble to:
00: 69 69 69 69 00 00 01 34
08: 00 00 00 00 00 00 00 90
The first instruction is from BPF_DIV | BPF_K | BPF_ALU | (1 << 8) | (1768515945 << 32). The second is just BPF_EXIT. For more information, see the kernel documentation. Note that exit expects r0 to contain a return code, but you haven't explicitly set any. It should default to 0.
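As an added example, not part of the answer above: a small assembler in Python that packs each instruction according to the layout in the kernel's eBPF instruction-set documentation (8-bit opcode, 4-bit destination and source register fields, 16-bit offset, 32-bit immediate, all little-endian) and covers the ALU and exit subset the question uses; the function names are mine.

```python
import struct

# Opcode fields as named in the kernel's eBPF instruction-set documentation.
BPF_ALU, BPF_ALU64, BPF_JMP = 0x04, 0x07, 0x05
BPF_K, BPF_X = 0x00, 0x08              # immediate vs. register source operand
BPF_EXIT = 0x90
ALU_OPS = {"add": 0x00, "sub": 0x10, "mul": 0x20, "div": 0x30, "or": 0x40,
           "and": 0x50, "lsh": 0x60, "rsh": 0x70, "mov": 0xb0}

def encode(opcode: int, dst: int = 0, src: int = 0, off: int = 0, imm: int = 0) -> bytes:
    """Pack one 64-bit instruction: u8 opcode, u4 dst | u4 src << 4, s16 off, s32 imm."""
    return struct.pack("<BBhi", opcode, (src << 4) | dst, off, imm)

def assemble(source: str) -> bytes:
    """Assemble labels, ALU ops (32-bit with a '32' suffix, else 64-bit) and exit."""
    out = bytearray()
    for line in source.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.endswith(":"):
            continue                                   # blank line or label
        mnem, *ops = line.replace(",", " ").split()
        if mnem == "exit":
            out += encode(BPF_JMP | BPF_EXIT)
            continue
        op, width = (mnem[:-2], BPF_ALU) if mnem.endswith("32") else (mnem, BPF_ALU64)
        if op not in ALU_OPS or len(ops) != 2:
            raise ValueError(f"unsupported instruction: {line}")
        dst = int(ops[0][1:])                          # 'r1' -> 1
        if ops[1].startswith("r"):
            out += encode(width | ALU_OPS[op] | BPF_X, dst=dst, src=int(ops[1][1:]))
        else:
            out += encode(width | ALU_OPS[op] | BPF_K, dst=dst, imm=int(ops[1], 0))
    return bytes(out)

def hexdump(prog: bytes) -> str:
    """Render the instruction stream eight bytes per line, offset first."""
    return "\n".join(f"{i:02x}: " + " ".join(f"{b:02x}" for b in prog[i:i + 8])
                     for i in range(0, len(prog), 8))

if __name__ == "__main__":
    print(hexdump(assemble("entrypoint:\n    div32 r1, 1768515945\n    exit\n")))
```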
I have a simple uint8_t* IP packet buffer like
45 0 0 34 0 0 40 0 40 6 6B 53 C0 A8 FF 6 AC D9 1C EE 0 4D 0 50 0 0 0 0 0 0 0 0 80 2 FD E8 A5 20 0 0 2 4 5 B4 3 3 0 4 2 0 0 0
I want to use Wireshark to view it. I saw that I can import a hex dump into Wireshark, but how can I save this buffer as a hex dump for Wireshark to open?
Is it possible to concatenate lots of IP packets together?
If you can modify the data to match the format expected by text2pcap, you can use that tool to convert the data into a pcap (or pcapng) file. For example:
Here's the data you provided in a format acceptable to text2pcap:
0000 45 00 00 34 00 00 40 00 40 06 6B 53 C0 A8 FF 06
0010 AC D9 1C EE 00 4D 00 50 00 00 00 00 00 00 00 00
0020 80 02 FD E8 A5 20 00 00 02 04 05 B4 03 03 00 04
0030 02 00 00 00
0034
Since this appears to start with an IPv4 header, you can generate a pcap file with a link layer header type set to LINKTYPE_RAW, the value of which is obtained from https://www.tcpdump.org/linktypes.html, as referenced in the text2pcap man page. Alternatively, you can choose to add a dummy Ethernet header to the data, in which case you can omit the link layer header type option as LINKTYPE_ETHERNET is the default value; however, you do need to add the option to add the dummy Ethernet header. Here I demonstrate both methods:
Method 1: Raw IP
text2pcap -l 101 file.hex file.pcap
Method 2: Add dummy Ethernet header
text2pcap -e 0x0800 file.hex file.pcap
The text2pcap tool is capable of processing any arbitrary number of packets from a file, but note the required format from the man page, i.e. "Note the last byte must either be followed by the expected next offset value as in the example above or a space or a line-end character(s)."
By the way, Wireshark itself is also capable of converting the hex data into a pcap file as well using the File -> Import from Hex Dump... feature, although Wireshark will always import the hex data as a pcapng file. You can choose to save the file as pcap though, but there'll always be that intermediate pcapng file generated. Wireshark should just provide a checkbox to allow the user to select which format to use, just like text2pcap does. I have filed Wireshark Bug 16724 to address this.
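An added example, not from the answer above: Python that turns the question's loosely formatted buffer into the offset-prefixed form text2pcap expects, checks that the IPv4 total-length field agrees with the buffer before choosing LINKTYPE_RAW, and writes several packets into one file (each packet restarts at offset 0000 and ends with a bare offset line). The function names are mine.

```python
import struct

def parse_loose_hex(text: str) -> bytes:
    """Turn a whitespace-separated dump with one- or two-digit hex values into bytes."""
    return bytes(int(tok, 16) for tok in text.split())

def ipv4_total_length_ok(pkt: bytes) -> bool:
    """Sanity check before using LINKTYPE_RAW (-l 101): version nibble must be 4 and
    the IPv4 total length field (bytes 2-3) must equal the buffer length."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False
    return struct.unpack_from("!H", pkt, 2)[0] == len(pkt)

def to_text2pcap(packets, width: int = 16) -> str:
    """Render packets as offset-prefixed hex lines; every packet restarts at 0000 and
    is closed by the next expected offset, which is what the man page requires."""
    lines = []
    for pkt in packets:
        for off in range(0, len(pkt), width):
            chunk = " ".join(f"{b:02X}" for b in pkt[off:off + width])
            lines.append(f"{off:04X} {chunk}")
        lines.append(f"{len(pkt):04X}")
    return "\n".join(lines) + "\n"

# The buffer quoted in the question, copied verbatim.
SAMPLE = ("45 0 0 34 0 0 40 0 40 6 6B 53 C0 A8 FF 6 AC D9 1C EE 0 4D 0 50 0 0 0 0 0 0 0 0 "
          "80 2 FD E8 A5 20 0 0 2 4 5 B4 3 3 0 4 2 0 0 0")

if __name__ == "__main__":
    pkt = parse_loose_hex(SAMPLE)
    assert ipv4_total_length_ok(pkt), "not a complete IPv4 packet; do not use -l 101"
    with open("file.hex", "w") as fh:            # then: text2pcap -l 101 file.hex file.pcap
        fh.write(to_text2pcap([pkt, pkt]))       # two copies to show multi-packet output
```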
Suppose I have an ELF binary prog and suppose objdump -d prog produces output along the following lines [snippet]:
0000000000400601 <.cstart_c941>:
400601: eb 01 jmp 400604 <.end_c941>
0000000000400603 <.cslot_c941>:
400603: 84 .byte 0x84
0000000000400604 <.end_c941>:
400604: 48 81 ec 80 00 00 00 sub $0x80,%rsp
40060b: 50 push %rax
40060c: 53 push %rbx
40060d: 56 push %rsi
40060e: 48 31 c0 xor %rax,%rax
400611: 48 c7 c6 41 06 40 00 mov $0x400641,%rsi
What I need is the file offset corresponding to .cslot_c941, since I need to modify the byte at this position.
How would I accomplish this task?
You can get OBJDUMP to dump the file offsets by using the -F option. From the OBJDUMP documentation:
objdump
..snip..
[-F|--file-offsets]
..snip..
Try using objdump -DF prog. You should see each label listed with the file offset with information like:
0000000000400601 <.cstart_c941>: (File Offset: 0xXXXXXXXX)
0xXXXXXXXX should be the file offset of that label.
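Added example, not from either answer: a minimal ELF64 section-table reader in Python that serves both questions above, whether a binary still has a .symtab (the stripped case in which perf prints a raw address instead of a symbol, from the first answer) and which file offset a virtual address such as 0x400603 maps to (what objdump -F reports). build_demo_elf() is a constructed image that mimics the question's layout so the block runs offline; all function names are mine.

```python
import struct

SHDR_FMT = "<IIQQQQIIQQ"   # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, align, entsize
SHT_NOBITS = 8             # .bss-style sections occupy no file bytes

def read_sections(elf: bytes):
    """Return [(name, type, addr, offset, size)] from the ELF64 section header table."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2:
        raise ValueError("not an ELF64 image")
    e_shoff, = struct.unpack_from("<Q", elf, 0x28)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", elf, 0x3A)
    raw = [struct.unpack_from(SHDR_FMT, elf, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    strtab = elf[raw[e_shstrndx][4]:raw[e_shstrndx][4] + raw[e_shstrndx][5]]
    sections = []
    for sh in raw:
        name = strtab[sh[0]:strtab.index(b"\0", sh[0])].decode()
        sections.append((name, sh[1], sh[3], sh[4], sh[5]))
    return sections

def is_stripped(elf: bytes) -> bool:
    """True when no .symtab is present, so tools must fall back to raw addresses."""
    return all(name != ".symtab" for name, *_ in read_sections(elf))

def vaddr_to_file_offset(elf: bytes, vaddr: int) -> int:
    """Map a virtual address (e.g. 0x400603 for .cslot_c941) to its byte's file offset."""
    for _name, shtype, addr, off, size in read_sections(elf):
        if shtype != SHT_NOBITS and addr and addr <= vaddr < addr + size:
            return off + (vaddr - addr)
    raise ValueError(f"{vaddr:#x} is not backed by any file-mapped section")

def build_demo_elf() -> bytes:
    """Constructed ELF64 image (header + 3 section headers, no .symtab): .text holds the
    question's first three instructions at 0x400601, placed at file offset 0x601."""
    text = bytes.fromhex("eb01" "84" "4881ec80000000")     # jmp / .byte 0x84 / sub
    shstrtab = b"\0.text\0.shstrtab\0"
    text_off, shstr_off = 0x601, 0x601 + len(text)
    shoff = (shstr_off + len(shstrtab) + 7) & ~7
    img = bytearray(shoff + 3 * 64)
    img[:16] = b"\x7fELF\x02\x01\x01" + b"\0" * 9            # ELFCLASS64, little-endian
    img[16:64] = struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x400601,
                             0, shoff, 0, 64, 0, 0, 64, 3, 2)  # e_shnum=3, e_shstrndx=2
    img[text_off:text_off + len(text)] = text
    img[shstr_off:shstr_off + len(shstrtab)] = shstrtab
    img[shoff + 64:shoff + 128] = struct.pack(SHDR_FMT, 1, 1, 6, 0x400601, text_off,
                                              len(text), 0, 0, 1, 0)   # .text, PROGBITS
    img[shoff + 128:shoff + 192] = struct.pack(SHDR_FMT, 7, 3, 0, 0, shstr_off,
                                               len(shstrtab), 0, 0, 1, 0)  # .shstrtab
    return bytes(img)
```

On a real binary, read the file into bytes and call vaddr_to_file_offset() with the address objdump printed; the result matches the "File Offset" annotation from objdump -F.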
I want to inflate HTML webpages. I am using zlib functions
inflateInit2(&zstream,15+32);
and then
inflate(&zstream,Z_SYNC_FLUSH);
It works for lots of webpages correctly but for "www.tabnak.ir" it does not work correctly.
"invalid distance too far back" is the error I got for this website.
This webpage is also gzip and utf8.
How should I deal with that?
This is for Bing.com, which works fine:
1f 8b 08 00 ef 8c 77 56 00 ff ec 5a eb 73 9c 46
12 ff 9e aa fc 0f 04 d5 9d ad 78 1f c0 3e b4 0b
96 52 b2 24 2b ba 73 1c 9d 2d 27 b9 8a af b6 06
This is for tabnak.ir, which results in the "invalid distance too far back" error:
1f 8b 08 00 00 00 00 00 00 03 ed fd db 73 5b d7
99 2f 8a 3e ab ab d6 ff 30 ac ae ac d8 3b 82 80
39 71 a7 6d 55 39 89 7b 75 f7 4a d2 7d 92 74 af
The zlib/gzip format performs compression saying things like "The next 22 bytes are the same as the 22 bytes we saw 1013 bytes ago."
In this case the record describing the repetition is from before the size of the 'window'.
Given you have specified a maximum size of window, the likelihood is that the data format has changed a bit, or the data you received is not the same as was sent.
Some things to check:
You are using the latest zlib library.
Standard utilities (e.g. gunzip, winzip) can decompress the data.
The data you are getting is not being mangled by a text filter ('rb' vs 'rt')
If that hasn't helped, try walking through the data and understanding what the failure in gzip is.
It would seem that the file you are trying to "inflate" (decompress using zlib) is not a valid zip file. Since bing.com is most likely not a zlib file, it might be pure coincidence that you found something quite early that prevented decompression.
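Added example, not from the question or either answer: Python equivalents of the inflateInit2(&z, 15 + 32) call used in the question, plus the checks the first answer lists. gzip_header_info() decodes the fixed header of the two dumps quoted above, inflate_auto() distinguishes corrupt from truncated input, and text_mode_mangle() reproduces the 'rt' vs 'rb' mistake. make_gzip() is a constructed sample generator; all function names are mine.

```python
import gzip
import struct
import zlib

def gzip_header_info(buf: bytes) -> dict:
    """Decode the fixed 10-byte gzip member header (RFC 1952): magic 1f 8b, method 8
    (deflate), flags, mtime, xfl, OS. A failure here means the data is not gzip at all."""
    if buf[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip member: bad magic")
    cm, flg, mtime, xfl, os_id = struct.unpack_from("<BBIBB", buf, 2)
    if cm != 8:
        raise ValueError(f"unsupported compression method {cm}")
    return {"flags": flg, "mtime": mtime, "xfl": xfl, "os": os_id,
            "has_extra": bool(flg & 0x04), "has_name": bool(flg & 0x08)}

def inflate_auto(buf: bytes) -> bytes:
    """Same as inflateInit2(&z, 15 + 32): auto-detect gzip or zlib wrapping, 32 KiB window.
    zlib.error signals corrupt data; ValueError signals a stream cut off before its end."""
    d = zlib.decompressobj(wbits=15 + 32)
    out = d.decompress(buf)
    if not d.eof:
        raise ValueError("stream ended before the end-of-stream marker: truncated input")
    return out

def inflate_status(buf: bytes) -> str:
    """Classify a buffer as 'ok', 'corrupt' or 'truncated' for quick triage."""
    try:
        inflate_auto(buf)
        return "ok"
    except zlib.error:
        return "corrupt"
    except ValueError:
        return "truncated"

def text_mode_mangle(buf: bytes) -> bytes:
    """Simulate a text-mode ('rt') read that rewrites LF to CRLF, corrupting any
    compressed stream that happens to contain byte 0x0a."""
    return buf.replace(b"\n", b"\r\n")

def make_gzip(data: bytes) -> bytes:
    """Constructed sample: mtime=10 puts an 0x0a byte into the header, so the
    text-mode mangling above is guaranteed to shift everything that follows."""
    return gzip.compress(data, mtime=10)

# First 10 header bytes of the two dumps quoted in the question.
BING_HDR = bytes.fromhex("1f8b0800ef8c775600ff")
TABNAK_HDR = bytes.fromhex("1f8b08000000000000" "03")
```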
I am trying to use Visual Leak Detector in Visual Studio 2008, here is an example of the output I get:
Detected memory leaks!
Dumping objects ->
{204} normal block at 0x036C1568, 1920 bytes long.
Data: < > 80 08 AB 03 00 01 AB 03 80 F9 AA 03 00 F2 AA 03
{203} normal block at 0x0372CC68, 40 bytes long.
Data: <( > 28 00 00 00 80 02 00 00 E0 01 00 00 01 00 18 00
{202} normal block at 0x0372CC00, 44 bytes long.
Data: << E > 3C 16 45 00 80 02 00 00 E0 01 00 00 01 00 00 00
The user's guide says to click on any line to jump to the corresponding file/line of code; I tried clicking on every line but nothing happens! What am I missing?
Did you compile your code with optimization off and debug information on? Without this, it's unlikely to be able to link the addresses to your actual source code.
It could also be that the leak is occurring in code for which it can't find the source (for example an included library).
You should use Deleaker. It must help you.