
linux 对python的函数进行hook,大部分无法调用ori #188

Open PyLuaDebugger opened 2 years ago

PyLuaDebugger commented 2 years ago

(gdb) x /15i _PyObject_GC_Malloc [这个函数无法在fake_PyObject_GC_Malloc 转跳调用ori_PyObject_GC_Malloc,转跳到一个错误的地址,闪退]
0x564be0e23ac0 <_PyObject_GC_Malloc>: jmpq -0x7ffffac6(%rip) # 0x564b60e24000
0x564be0e23ac6 <_PyObject_GC_Malloc+6>: (bad)
0x564be0e23ac7 <_PyObject_GC_Malloc+7>: (bad)
0x564be0e23ac8 <_PyObject_GC_Malloc+8>: (bad)
0x564be0e23ac9 <_PyObject_GC_Malloc+9>: jg 0x564be0e23b13 <_PyObject_GC_Malloc+83>
0x564be0e23acb <_PyObject_GC_Malloc+11>: cmp %eax,%edi
0x564be0e23acd <_PyObject_GC_Malloc+13>: ja 0x564be0e23b36 <_PyObject_GC_Malloc+118>
0x564be0e23acf <_PyObject_GC_Malloc+15>: push %rbp
0x564be0e23ad0 <_PyObject_GC_Malloc+16>: add $0x20,%rdi
0x564be0e23ad4 <_PyObject_GC_Malloc+20>: push %rbx
0x564be0e23ad5 <_PyObject_GC_Malloc+21>: sub $0x8,%rsp
0x564be0e23ad9 <_PyObject_GC_Malloc+25>: callq 0x564be0d90ef0
0x564be0e23ade <_PyObject_GC_Malloc+30>: mov %rax,%rbx
0x564be0e23ae1 <_PyObject_GC_Malloc+33>: test %rax,%rax
0x564be0e23ae4 <_PyObject_GC_Malloc+36>: je 0x564be0e23b30 <_PyObject_GC_Malloc+112>

(gdb) x /15i PyEval_RestoreThread [这个函数可以正常在fake_PyEval_RestoreThread转跳调用ori_PyEval_RestoreThread]
0x564be0dde630 <PyEval_RestoreThread>: jmpq -0x7ffba62e(%rip) # 0x564b60e24008
0x564be0dde636 <PyEval_RestoreThread+6>: mov %rdi,%rbx
0x564be0dde639 <PyEval_RestoreThread+9>: sub $0x8,%rsp
0x564be0dde63d <PyEval_RestoreThread+13>: test %rdi,%rdi
0x564be0dde640 <PyEval_RestoreThread+16>: je 0x564be0dde680 <PyEval_RestoreThread+80>
0x564be0dde642 <PyEval_RestoreThread+18>: mov 0x13b7e7(%rip),%rbp # 0x564be0f19e30
0x564be0dde649 <PyEval_RestoreThread+25>: test %rbp,%rbp
0x564be0dde64c <PyEval_RestoreThread+28>: je 0x564be0dde66a <PyEval_RestoreThread+58>
0x564be0dde64e <PyEval_RestoreThread+30>: callq 0x564be0d500c0 __errno_location@plt
0x564be0dde653 <PyEval_RestoreThread+35>: mov $0x1,%esi
0x564be0dde658 <PyEval_RestoreThread+40>: mov %rbp,%rdi
0x564be0dde65b <PyEval_RestoreThread+43>: mov (%rax),%r13d
0x564be0dde65e <PyEval_RestoreThread+46>: mov %rax,%r12
0x564be0dde661 <PyEval_RestoreThread+49>: callq 0x564be0e207f0
0x564be0dde666 <PyEval_RestoreThread+54>: mov %r13d,(%r12)

下面是没有hook的:

(gdb) x /15i _PyObject_GC_Malloc
0x564b73f55ac0 <_PyObject_GC_Malloc>: movabs $0x7fffffffffffffdf,%rax
0x564b73f55aca <_PyObject_GC_Malloc+10>: cmp %rax,%rdi
0x564b73f55acd <_PyObject_GC_Malloc+13>: ja 0x564b73f55b36 <_PyObject_GC_Malloc+118>
0x564b73f55acf <_PyObject_GC_Malloc+15>: push %rbp
0x564b73f55ad0 <_PyObject_GC_Malloc+16>: add $0x20,%rdi
0x564b73f55ad4 <_PyObject_GC_Malloc+20>: push %rbx
0x564b73f55ad5 <_PyObject_GC_Malloc+21>: sub $0x8,%rsp
0x564b73f55ad9 <_PyObject_GC_Malloc+25>: callq 0x564b73ec2ef0
0x564b73f55ade <_PyObject_GC_Malloc+30>: mov %rax,%rbx
0x564b73f55ae1 <_PyObject_GC_Malloc+33>: test %rax,%rax
0x564b73f55ae4 <_PyObject_GC_Malloc+36>: je 0x564b73f55b30 <_PyObject_GC_Malloc+112>
0x564b73f55ae6 <_PyObject_GC_Malloc+38>: movq $0xfffffffffffffffe,0x10(%rax)
0x564b73f55aee <_PyObject_GC_Malloc+46>: mov 0xc12d0(%rip),%eax # 0x564b74016dc4 <generations+36>
0x564b73f55af4 <_PyObject_GC_Malloc+52>: mov 0xc12c6(%rip),%edx # 0x564b74016dc0 <generations+32>
0x564b73f55afa <_PyObject_GC_Malloc+58>: add $0x1,%eax

(gdb) x /150i PyEval_RestoreThread
0x564b73f10630 <PyEval_RestoreThread>: push %r13
0x564b73f10632 <PyEval_RestoreThread+2>: push %r12
0x564b73f10634 <PyEval_RestoreThread+4>: push %rbp
0x564b73f10635 <PyEval_RestoreThread+5>: push %rbx
0x564b73f10636 <PyEval_RestoreThread+6>: mov %rdi,%rbx
0x564b73f10639 <PyEval_RestoreThread+9>: sub $0x8,%rsp
0x564b73f1063d <PyEval_RestoreThread+13>: test %rdi,%rdi
0x564b73f10640 <PyEval_RestoreThread+16>: je 0x564b73f10680 <PyEval_RestoreThread+80>
0x564b73f10642 <PyEval_RestoreThread+18>: mov 0x13b7e7(%rip),%rbp # 0x564b7404be30
0x564b73f10649 <PyEval_RestoreThread+25>: test %rbp,%rbp
0x564b73f1064c <PyEval_RestoreThread+28>: je 0x564b73f1066a <PyEval_RestoreThread+58>
0x564b73f1064e <PyEval_RestoreThread+30>: callq 0x564b73e820c0 __errno_location@plt
0x564b73f10653 <PyEval_RestoreThread+35>: mov $0x1,%esi
0x564b73f10658 <PyEval_RestoreThread+40>: mov %rbp,%rdi
0x564b73f1065b <PyEval_RestoreThread+43>: mov (%rax),%r13d