Posts by leonwxqian

A case on Linux where a strangely corrupted library caused a whole pile of programs to fail to start

I installed Postgres on the dev board, but starting it was nothing but trouble:

Options marked [*] produce a lot of output - pipe it through `less' or `more' !
pi@BLASTN2 ~ :( $ sudo dpkg --configure postgresql-9.1 postgre-contrib-9.1
Setting up postgresql-9.1 (9.1.14-0+deb7u1) ...
[....] Starting PostgreSQL 9.1 database server: main[....] The PostgreSQL server failed to start. Please check the log output: 2014-11-13 18:16:55 CST LOG: could not bind IPv6 socket: Cannot assign requested address 2014-11-13 18:16:55 CST HINT: Is another postmaster already running on port 5432? If not, wait a few seconds and retry. 2014-11-13 18:16:55 CST WARNING: could not create listen socket for "localhost" 2014-11-13 18:16:55 CST FATAL: cou[FAILt create any TCP/IP sockets ... failed!
 failed!
invoke-rc.d: initscript postgresql, action "start" failed.
dpkg: error processing postgresql-9.1 (--configure):
 subprocess installed post-installation script returned error exit status 1
dpkg: error processing postgre-contrib-9.1 (--configure):
 no package named `postgre-contrib-9.1' is installed, cannot configure
Errors were encountered while processing:
 postgresql-9.1
 postgre-contrib-9.1
pi@BLASTN2 ~ :( $ ps aux|grep postgre
pi       23286  0.0  0.0   3648   716 pts/0    S+   18:19   0:00 grep --colour=auto postgre

It hints that port 5432 may be in use, but looking carefully, the port isn't in use at all:

pi@BLASTN2 ~ :( $ sudo netstat -apn|
......
unix  3      [ ]         STREAM     CONNECTED     3639     2266/dbus-daemon    /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     3638     2400/gdm3           
unix  3      [ ]         STREAM     CONNECTED     3626     2266/dbus-daemon    /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     3625     2349/NetworkManager 
unix  3      [ ]         STREAM     CONNECTED     3614     2266/dbus-daemon    /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     3613     2354/bluetoothd     
unix  3      [ ]         STREAM     CONNECTED     3610     2266/dbus-daemon    /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     2914     2349/NetworkManager 
unix  3      [ ]         STREAM     CONNECTED     3556     2266/dbus-daemon    /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     3555     2303/avahi-daemon:  
unix  3      [ ]         STREAM     CONNECTED     3549     2304/avahi-daemon:  
unix  3      [ ]         STREAM     CONNECTED     3548     2303/avahi-daemon:  
unix  3      [ ]         STREAM     CONNECTED     2872     2266/dbus-daemon    
unix  3      [ ]         STREAM     CONNECTED     2871     2266/dbus-daemon    
unix  3      [ ]         DGRAM                    484      199/udevd           
unix  3      [ ]         DGRAM                    483      199/udevd           
pi@BLASTN2 ~ $ sudo netstat -apn>>~/temp.log

Looked at the log, then tried pinging 127.0.0.1. What the fuck:

pi@BLASTN2 ~ $ ping localhost
PING localhost (127.0.0.1) 56(84) bytes of data.

^C
--- localhost ping statistics ---
9 packets transmitted, 0 received, 100% packet loss, time 8005ms

pi@BLASTN2 ~ :( $ ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
^C
--- 127.0.0.1 ping statistics ---
61 packets transmitted, 0 received, 100% packet loss, time 60001ms

pi@BLASTN2 ~ :( $ sudo ifconfig -a
eth0      Link encap:Ethernet  HWaddr 02:41:0a:81:93:a9  
          inet addr:192.168.0.109  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::41:aff:fe81:93a9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:247688 errors:0 dropped:0 overruns:0 frame:0
          TX packets:387753 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:80379923 (76.6 MiB)  TX bytes:406363850 (387.5 MiB)
          Interrupt:117 Base address:0xc000 

lo        Link encap:Local Loopback  
          LOOPBACK  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

tunl0     Link encap:IPIP Tunnel  HWaddr   
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Solution (see screenshot f1.png; note that in the ifconfig output above, lo shows only LOOPBACK, with no UP flag and no inet addr, so the loopback interface was down):

After saving,

$ sudo ifconfig eth0 down
$ sudo ifconfig eth0 up

or just go straight for

$ sudo reboot

Ping again and it goes through:

pi@BLASTN2 ~ :( $ file /usr/lib/arm-linux-gnueabihf/libxml2.so.2
/usr/lib/arm-linux-gnueabihf/libxml2.so.2: symbolic link to `libxml2.so.2.8.0'
pi@BLASTN2 ~ $ file /usr/lib/arm-linux-gnueabihf/libxml2.so.2.8.0
/usr/lib/arm-linux-gnueabihf/libxml2.so.2.8.0: ELF 32-bit LSB shared object, ARM, version 1 (SYSV), dynamically linked, BuildID[sha1]=0x44c6070a41ab03bd54581e371d529871ebf91e77, stripped
pi@BLASTN2 ~ $ 
pi@BLASTN2 ~ :( $ ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_req=1 ttl=64 time=0.155 ms
64 bytes from 127.0.0.1: icmp_req=2 ttl=64 time=0.101 ms
64 bytes from 127.0.0.1: icmp_req=3 ttl=64 time=0.113 ms
^C
--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.101/0.123/0.155/0.023 ms

But bizarrely, obconf failed and every window lost its title bar... the message said:

error while loading shared libraries: /lib/libxml2.so.2: invalid ELF header

and

(obconf:3513): GdkPixbuf-CRITICAL **: gdk_pixbuf_copy_area: assertion `src_pixbuf != NULL' failed
/lib/arm-linux-gnueabihf/libgcrypt.so.11: invalid ELF header
Failed to load module: /usr/lib/arm-linux-gnueabihf/gio/modules/libgiognutls.so
pi@BLASTN2 ~ $ sudo apt-get install libgcrypt-dev --reinstall
[sudo] password for pi: 
^Cpi@BLASTN2 ~ :( $ sudo apt-get install libgcrypt-dev --reinstall
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Note, selecting 'libgcrypt11-dev' instead of 'libgcrypt-dev'
The following packages were automatically installed and are no longer required:
  libmozjs24d xulrunner-24.0
Use 'apt-get autoremove' to remove them.
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
Need to get 0 B/383 kB of archives.
After this operation, 0 B of additional disk space will be used.
(Reading database ... 186234 files and directories currently installed.)
Preparing to replace libgcrypt11-dev 1.5.0-5+deb7u2 (using .../libgcrypt11-dev_1.5.0-5+deb7u2_armhf.deb) ...
Unpacking replacement libgcrypt11-dev ...
Processing triggers for man-db ...
Setting up libgcrypt11-dev (1.5.0-5+deb7u2) ...

Dafuq? What is this? Running file on it says ISO-8859 text. Damn, where's the library I was promised? Might as well just reinstall it:

$ sudo apt-get -f install obconf
$ sudo apt-get install obconf --reinstall
$ sudo reboot

OK, done. My guess is this was caused by the wrong Opera repository I used earlier; this sort of thing is usually 32-bit, 64-bit and ARM libraries getting mixed up. I'll clean up the sources later.

Then, although that was fixed, libgcrypt.so.11 still had the same problem: the browser wouldn't start, reinstalling libgcrypt11-dev did nothing, and copying the one from the debug package was even worse, it segfaulted outright.

pi@BLASTN2 ~ :( $ netsurf-gtk
netsurf-gtk: error while loading shared libraries: /lib/arm-linux-gnueabihf/libgcrypt.so.11: invalid ELF header
pi@BLASTN2 ~ :( $ file /lib/arm-linux-gnueabihf/libgcrypt.so.11
/lib/arm-linux-gnueabihf/libgcrypt.so.11: symbolic link to `libgcrypt.so.11.7.0'
pi@BLASTN2 ~ $ file /lib/arm-linux-gnueabihf/libgcrypt.so.11.7.0
/lib/arm-linux-gnueabihf/libgcrypt.so.11.7.0: ISO-8859 text, with very long lines, with no line terminators
pi@BLASTN2 ~ $ 

Nothing for it but to bring out the big gun (screenshot f2.png).

Attaching the .so file, uploaded through the blog's built-in upload (hence the .png name); download it if you trust it, and rename it back yourself:
http://www.nul.pw/usr/uploads/2014/12/595411591.png

Note that if you're missing this file, not even wget or curl will start. On a remote machine, good luck; if you happen to have samba, sftp, ftp or the like running you still stand a chance = =; on a physical machine, fall back to a USB stick. (screenshot f3.png)

So happy to have it fixed. Postgres? Screw it, not installing it - - (screenshot f4.png)

360 Zip: looks like yet another piece of shoddy software

In under two minutes I'd crashed it four or five times. With a call stack like this, everyone knows what's going on:

0:000> kvn
 # ChildEBP RetAddr  Args to Child              
00 00128688 7c92de5c 7c801e3a ffffffff c0000409 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
01 0012868c 7c801e3a ffffffff c0000409 001289d4 ntdll!ZwTerminateProcess+0xc (FPO: [2,0,0])
02 0012869c 004c9453 ffffffff c0000409 310a3291 kernel32!TerminateProcess+0x20 (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
03 001289d4 004712e9 0000011e 0324028a 00000109 360zip+0xc9453

WPS pushes out an update like this, and how many accidents follow

WPS crashes as soon as it opens; let's see why. To stop its crash-reporting program from catching the exception first, attach a debugger:

(1e60.1a6c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for D:\Program Files (x86)\Kingsoft\WPS Office\9.1.0.4867\office6\officespace.DLL - 
eax=00000000 ebx=00000011 ecx=0036ee80 edx=003428c3 esi=776a8ad0 edi=00000000
eip=7748f3c4 esp=09b3fd00 ebp=09b3fd0c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
officespace!KActiveLoginInfoCache::vipUrl+0x9e8:
7748f3c4 8b480c          mov     ecx,dword ptr [eax+0Ch] ds:002b:0000000c=????????

Look at the stack:

0:017> kvn
 # ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 09b3fd0c 7749235b acc53f64 00000000 09b3fd8c officespace!KActiveLoginInfoCache::vipUrl+0x9e8
01 09b3fd40 77491f93 09b3fd5c acc53f74 06b50300 officespace!KActiveLoginInfoCache::vipUrl+0x397f
02 09b3fd74 774996cf acc53f9c 06b50220 06b50300 officespace!KActiveLoginInfoCache::vipUrl+0x35b7
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for D:\Program Files (x86)\Kingsoft\WPS Office\9.1.0.4867\office6\QtCore4.dll - 
03 09b3fdb8 668fb948 00000000 00000000 09b3fe00 officespace!KActiveLoginInfoCache::vipUrl+0xacf3
04 09b3fdc8 57b7c556 06b50300 acb26a30 00000000 QtCore4!QThread::setPriority+0x25d
05 09b3fe00 57b7c600 00000000 09b3fe18 76a0338a MSVCR100!_endthreadex+0x3f (FPO: [Non-Fpo])
06 09b3fe0c 76a0338a 06cc4178 09b3fe58 771c9f72 MSVCR100!_endthreadex+0xce (FPO: [Non-Fpo])
07 09b3fe18 771c9f72 06cc4178 2660fcd4 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
08 09b3fe58 771c9f45 57b7c59c 06cc4178 00000000 ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
09 09b3fe70 00000000 57b7c59c 06cc4178 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

Let's see where the faulting value comes from:

7748f3a7 55              push    ebp
7748f3a8 8bec            mov     ebp,esp
7748f3aa 51              push    ecx
7748f3ab 53              push    ebx
7748f3ac 57              push    edi
7748f3ad 8d45fc          lea     eax,[ebp-4]
7748f3b0 50              push    eax
7748f3b1 ff1518e45b77    call    dword ptr [officespace!KQingClient::trUtf8+0x7a638 (775be418)]
7748f3b7 8d4dfc          lea     ecx,[ebp-4]
7748f3ba ff151ce45b77    call    dword ptr [officespace!KQingClient::trUtf8+0x7a63c (775be41c)]
7748f3c0 8bd8            mov     ebx,eax
7748f3c2 8b06            mov     eax,dword ptr [esi]
0:017> ?(.-7748f3a7)
Evaluate expression: 29 = 0000001d
0:017> r
eax=00000000 ebx=00000011 ecx=0036ee80 edx=003428c3 esi=776a8ad0 edi=00000000
eip=7748f3c4 esp=09b3fd00 ebp=09b3fd0c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
officespace!KActiveLoginInfoCache::vipUrl+0x9e8:
7748f3c4 8b480c          mov     ecx,dword ptr [eax+0Ch] ds:002b:0000000c=????????
0:017> ?(0x9e8-0x1d)
Evaluate expression: 2507 = 000009cb
0:017> x officespace!KActiveLoginInfoCache::vipUrl+000009cb
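As an added example (not the author's code and not a WinDbg feature), the following Python script carries out the first-pass triage done by hand in the 360 Zip post above and in this one: it pulls the exception code, the faulting eip, the export symbol WinDbg printed and the memory operand out of a pasted session, recognises a fail-fast that ends in TerminateProcess with STATUS_STACK_BUFFER_OVERRUN (c0000409) from the kvn arguments, flags an access violation below 64 KiB as a null-pointer dereference at a field offset, and redoes the offset arithmetic just shown (0x9e8 - 0x1d = 0x9cb) to turn the symbol at eip into the symbol of the function prologue. The sample lines are copied from the two dumps above; the regexes, the 64 KiB null-page threshold and the function names are this example's own assumptions about WinDbg's output layout.

```python
import re

# NT status codes (fixed values from ntstatus.h).
STATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}
NULL_PAGE_LIMIT = 0x10000  # heuristic (assumption): a fault below 64 KiB is NULL plus a field offset

# Assumed line shapes, matching the WinDbg output pasted in the posts above.
EXC_RE = re.compile(r"^\([0-9a-f]+\.[0-9a-f]+\): .*? - code ([0-9a-f]{8}) \((.*?)\)")
EIP_RE = re.compile(r"\beip=([0-9a-f]{8})")
SYM_RE = re.compile(r"^(\S+!\S+\+0x[0-9a-f]+):$")
INSN_RE = re.compile(r"^([0-9a-f]{8})\s+[0-9a-f]+\s+(\w+)\s+(.+?)\s+ds:[0-9a-f]{4}:([0-9a-f]{8})=")
FRAME_RE = re.compile(r"^[0-9a-f]{2} [0-9a-f]{8} [0-9a-f]{8} ([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) (\S+)")


def triage(log: str) -> dict:
    """Extract exception code, faulting eip/symbol and memory operand from a pasted
    WinDbg session and give a first-pass verdict on the kind of crash."""
    r = {"code": None, "name": None, "chance": None, "eip": None, "symbol": None,
         "access": None, "verdict": "unknown"}
    for line in log.splitlines():
        line = line.strip()
        if m := EXC_RE.match(line):
            r["code"], r["chance"] = int(m.group(1), 16), m.group(2)
        elif m := EIP_RE.search(line):
            r["eip"] = int(m.group(1), 16)
        elif m := SYM_RE.match(line):
            r["symbol"] = m.group(1)
        elif m := INSN_RE.match(line):
            operands = m.group(3)
            dst = operands.split(",", 1)[0]          # memory operand on the left = write
            r["access"] = {"addr": int(m.group(4), 16),
                           "kind": "write" if "[" in dst else "read",
                           "insn": f"{m.group(2)} {operands}"}
        elif m := FRAME_RE.match(line):
            # A /GS cookie failure or __fastfail ends in TerminateProcess(handle, status);
            # kvn shows the status as the second argument of that frame.
            if m.group(4).startswith("kernel32!TerminateProcess") and r["code"] is None:
                r["code"], r["chance"] = int(m.group(2), 16), "fail-fast via TerminateProcess"
    code = r["code"]
    r["name"] = STATUS_NAMES.get(code, "unknown status")
    if code == 0xC0000409:
        r["verdict"] = "stack buffer overrun / fail-fast: the process terminated itself"
    elif code == 0xC0000005 and r["access"]:
        a = r["access"]
        if a["addr"] < NULL_PAGE_LIMIT:
            r["verdict"] = f"null-pointer {a['kind']} at offset 0x{a['addr']:x}"
        else:
            r["verdict"] = f"{a['kind']} access violation at 0x{a['addr']:08x}"
    return r


def rebase_symbol(symbol_at_eip: str, eip: int, prologue: int) -> str:
    """With only export symbols, WinDbg names eip as nearest-export+offset.  Given the
    address of the push ebp / mov ebp,esp prologue found by scrolling up, return the
    export+offset of that prologue (the 0x9e8 - 0x1d = 0x9cb step above)."""
    name, off = symbol_at_eip.rsplit("+0x", 1)
    return f"{name}+0x{int(off, 16) - (eip - prologue):x}"


# Sample input: lines copied from the WPS and 360 Zip dumps above.
WPS_LOG = """(1e60.1a6c): Access violation - code c0000005 (first chance)
eax=00000000 ebx=00000011 ecx=0036ee80 edx=003428c3 esi=776a8ad0 edi=00000000
eip=7748f3c4 esp=09b3fd00 ebp=09b3fd0c iopl=0         nv up ei pl nz na po nc
officespace!KActiveLoginInfoCache::vipUrl+0x9e8:
7748f3c4 8b480c          mov     ecx,dword ptr [eax+0Ch] ds:002b:0000000c=????????
"""
ZIP_LOG = """0:000> kvn
 # ChildEBP RetAddr  Args to Child
00 00128688 7c92de5c 7c801e3a ffffffff c0000409 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
01 0012868c 7c801e3a ffffffff c0000409 001289d4 ntdll!ZwTerminateProcess+0xc (FPO: [2,0,0])
02 0012869c 004c9453 ffffffff c0000409 310a3291 kernel32!TerminateProcess+0x20 (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
03 001289d4 004712e9 0000011e 0324028a 00000109 360zip+0xc9453
"""

if __name__ == "__main__":
    for name, log in (("wps", WPS_LOG), ("360zip", ZIP_LOG)):
        t = triage(log)
        print(f"{name}: {t['name']} ({t['chance']}): {t['verdict']}")
    print(rebase_symbol("officespace!KActiveLoginInfoCache::vipUrl+0x9e8", 0x7748f3c4, 0x7748f3a7))
```

The null-page threshold is only a heuristic: a small fault address says the pointer was NULL and the instruction was reaching a field at that offset, which is exactly what the esi-based load above turns out to be, whereas a large address needs the dd/ln inspection the post goes on to do.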

So that's the spot. Set a breakpoint there and restart:

Breakpoint 0 hit
eax=0b1cf83c ebx=00000000 ecx=0b1cf864 edx=00d40174 esi=05fc8ad0 edi=00000000
eip=05daf3a7 esp=0b1cf818 ebp=0b1cf848 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
officespace!KActiveLoginInfoCache::vipUrl+0x9cb:
05daf3a7 55              push    ebp
0:017> dd esi
05fc8ad0  00000000 00000001 05f5c5e4 06fefc48
05fc8ae0  00000000 00000000 00000000 66d13d90
05fc8af0  00000000 66d13d90 66d13d90 00000000
05fc8b00  66d13d90 66d13d90 00000000 66d13d90
05fc8b10  66d13d90 66d13d90 66d13d90 66d13d90
05fc8b20  00000000 66d13d90 66d13d90 66d13d90
05fc8b30  66d11874 00000000 66d13d90 00000000
05fc8b40  66d13d90 66d13d90 00000000 00000001
0:017> p
eax=0b1cf83c ebx=00000000 ecx=0b1cf864 edx=00d40174 esi=05fc8ad0 edi=00000000
eip=05daf3a8 esp=0b1cf814 ebp=0b1cf848 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
officespace!KActiveLoginInfoCache::vipUrl+0x9cc:
05daf3a8 8bec            mov     ebp,esp
0:017> 
eax=0b1cf83c ebx=00000000 ecx=0b1cf864 edx=00d40174 esi=05fc8ad0 edi=00000000
eip=05daf3aa esp=0b1cf814 ebp=0b1cf814 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
officespace!KActiveLoginInfoCache::vipUrl+0x9ce:
05daf3aa 51              push    ecx
0:017> 
eax=0b1cf83c ebx=00000000 ecx=0b1cf864 edx=00d40174 esi=05fc8ad0 edi=00000000
eip=05daf3ab esp=0b1cf810 ebp=0b1cf814 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
officespace!KActiveLoginInfoCache::vipUrl+0x9cf:
05daf3ab 53              push    ebx
0:017> 
eax=0b1cf83c ebx=00000000 ecx=0b1cf864 edx=00d40174 esi=05fc8ad0 edi=00000000
eip=05daf3ac esp=0b1cf80c ebp=0b1cf814 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
officespace!KActiveLoginInfoCache::vipUrl+0x9d0:
05daf3ac 57              push    edi
0:017> 
eax=0b1cf83c ebx=00000000 ecx=0b1cf864 edx=00d40174 esi=05fc8ad0 edi=00000000
eip=05daf3ad esp=0b1cf808 ebp=0b1cf814 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
officespace!KActiveLoginInfoCache::vipUrl+0x9d1:
05daf3ad 8d45fc          lea     eax,[ebp-4]
0:017> 
eax=0b1cf810 ebx=00000000 ecx=0b1cf864 edx=00d40174 esi=05fc8ad0 edi=00000000
eip=05daf3b0 esp=0b1cf808 ebp=0b1cf814 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
officespace!KActiveLoginInfoCache::vipUrl+0x9d4:
05daf3b0 50              push    eax
0:017> 
eax=0b1cf810 ebx=00000000 ecx=0b1cf864 edx=00d40174 esi=05fc8ad0 edi=00000000
eip=05daf3b1 esp=0b1cf804 ebp=0b1cf814 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
officespace!KActiveLoginInfoCache::vipUrl+0x9d5:
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for D:\Program Files (x86)\Kingsoft\WPS Office\9.1.0.4867\office6\QtCore4.dll - 
05daf3b1 ff1518e4ed05    call    dword ptr [officespace!KQingClient::trUtf8+0x7a638 (05ede418)] ds:002b:05ede418={QtCore4!QDateTime::time (665bffde)}
0:017> 
eax=0b1cf810 ebx=00000000 ecx=03ddee82 edx=00d40174 esi=05fc8ad0 edi=00000000
eip=05daf3b7 esp=0b1cf808 ebp=0b1cf814 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
officespace!KActiveLoginInfoCache::vipUrl+0x9db:
05daf3b7 8d4dfc          lea     ecx,[ebp-4]
0:017> 
eax=0b1cf810 ebx=00000000 ecx=0b1cf810 edx=00d40174 esi=05fc8ad0 edi=00000000
eip=05daf3ba esp=0b1cf808 ebp=0b1cf814 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
officespace!KActiveLoginInfoCache::vipUrl+0x9de:
05daf3ba ff151ce4ed05    call    dword ptr [officespace!KQingClient::trUtf8+0x7a63c (05ede41c)] ds:002b:05ede41c={QtCore4!QTime::hour (665bf3d9)}
0:017> 
eax=00000012 ebx=00000000 ecx=0036ee80 edx=00012982 esi=05fc8ad0 edi=00000000
eip=05daf3c0 esp=0b1cf808 ebp=0b1cf814 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
officespace!KActiveLoginInfoCache::vipUrl+0x9e4:
05daf3c0 8bd8            mov     ebx,eax
0:017> 
eax=00000012 ebx=00000012 ecx=0036ee80 edx=00012982 esi=05fc8ad0 edi=00000000
eip=05daf3c2 esp=0b1cf808 ebp=0b1cf814 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
officespace!KActiveLoginInfoCache::vipUrl+0x9e6:
05daf3c2 8b06            mov     eax,dword ptr [esi]  ds:002b:05fc8ad0=00000000
0:017> 
eax=00000000 ebx=00000012 ecx=0036ee80 edx=00012982 esi=05fc8ad0 edi=00000000
eip=05daf3c4 esp=0b1cf808 ebp=0b1cf814 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
officespace!KActiveLoginInfoCache::vipUrl+0x9e8:
05daf3c4 8b480c          mov     ecx,dword ptr [eax+0Ch] ds:002b:0000000c=????????

Where does this value come from?

05db22b1 bed08afc05      mov     esi,offset officespace!KxKuaiPanInfoGetter::staticMetaObject+0x5998 (05fc8ad0)

0:017> dd 05fc8ad0
05fc8ad0  00000000

A null pointer, as expected. Tracing back up:

05db22ff 8b0d74ffed05    mov     ecx,dword ptr [officespace!KQingClient::trUtf8+0x7c194 (05edff74)]
...
05db2307 890dd08afc05    mov     dword ptr [officespace!KxKuaiPanInfoGetter::staticMetaObject+0x5998 (05fc8ad0)],ecx

It's inside officespace, so restart and add a ba r1 read breakpoint:

0:000> sxe ld officespace
0:000> g
ModLoad: 0f3e0000 0f63b000   D:\Program Files (x86)\Kingsoft\WPS Office\9.1.0.4867\office6\officespace.DLL
eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=7efdd000 edi=0032edf4
eip=771afc62 esp=0032ecc8 ebp=0032ed1c iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!ZwMapViewOfSection+0x12:
771afc62 83c404          add     esp,4
0:000> x officespace!KQingClient::trUtf8
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for D:\Program Files (x86)\Kingsoft\WPS Office\9.1.0.4867\office6\officespace.DLL - 
0f4a3d9b          officespace!KQingClient::trUtf8 (<no parameter info>)
0f4a3de0          officespace!KQingClient::trUtf8 (<no parameter info>)
0:000> ba r1 0f4a3d9b+0x7c194 "r;k;g;"
0:000> ba r1 0f4a3de0+0x7c194 "r;k;g;"
0:000> g

And the result; everyone can see why now:

eax=66a81874 ebx=00000000 ecx=00000001 edx=00000471 esi=075d42e8 edi=00000000
eip=0f3eb76d esp=0032d188 ebp=0032d1a4 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200206
officespace!KxKuaiPanInfoGetter::qt_metacall+0x6483:
0f3eb76d 894610          mov     dword ptr [esi+10h],eax ds:002b:075d42f8=baadf00d

0:017> ln 66a81874
(66a81874)   QtCore4!QListData::shared_null   |  (66a81a40)   QtCore4!QMapData::shared_null
Exact matches:
    QtCore4!QListData::shared_null (<no parameter info>)

SetContext failed, 0x80070005
MachineInfo::SetContext failed - Thread: 04CE8F30  Handle: 840  Id: 4174 - Error == 0x80070005
eax=66a81874 ebx=00000001 ecx=00006379 edx=00006378 esi=66536c1f edi=0f608a18
eip=0f44681f esp=0032d1e0 ebp=0032d204 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
officespace!qt_test_isFetchedRoot+0x1d040:
0f44681f a3548a600f      mov     dword ptr [officespace!KxKuaiPanInfoGetter::staticMetaObject+0x591c (0f608a54)],eax ds:002b:0f608a54=00000000
ChildEBP RetAddr  
WARNING: Stack unwind information not available. Following frames may be wrong.
0032d204 0f446765 officespace!qt_test_isFetchedRoot+0x1d040
0032d228 0f48a913 officespace!qt_test_isFetchedRoot+0x1cf86
0032d260 0f3e75f2 officespace!verify+0x18999
0032d26c 664d5bce officespace!KxKuaiPanInfoGetter::qt_metacall+0x2308

(image f1.gif)

Flash on ARM is still the same old headache

I got a Cubieboard3 from WooYun. Its performance is far beyond a Raspberry Pi, so I finally felt like tinkering with a desktop, so that at breakfast I wouldn't have to use the silly TV box to watch things; opening bilibili would be so much nicer. So once iceweasel was set up I started looking for the Flash plugin, but after downloading it, iceweasel refused to recognise it no matter what. Why? Check whether the file is there (for easier management I rename my user to pi everywhere):

root@BLASTN2:/usr/lib/iceweasel/plugins# ls -al /usr/lib/mozilla/plugins/
total 17396
drwxr-xr-x 2 root root     4096 Oct 22 22:03 .
drwxr-xr-x 4 root root     4096 Jul  2  2013 ..
-rw-r--r-- 1 root root    72248 May  3  2012 gecko-mediaplayer-dvx.so
-rw-r--r-- 1 root root    72248 May  3  2012 gecko-mediaplayer-qt.so
-rw-r--r-- 1 root root    72248 May  3  2012 gecko-mediaplayer-rm.so
-rw-r--r-- 1 root root    72248 May  3  2012 gecko-mediaplayer.so
-rw-r--r-- 1 root root    72248 May  3  2012 gecko-mediaplayer-wmp.so
-rw-r--r-- 1 root root 17426852 Oct 22 22:03 libflashplayer.so
-rw-r--r-- 1 root root     5492 Jul 28  2012 librhythmbox-itms-detection-plugin.so

Checked the other plugins; they really are only in this one place:

root@BLASTN2:/usr/lib/iceweasel/plugins# find / -name gecko-mediaplayer-*
/usr/lib/mozilla/plugins/gecko-mediaplayer-qt.so
/usr/lib/mozilla/plugins/gecko-mediaplayer-dvx.so
/usr/lib/mozilla/plugins/gecko-mediaplayer-rm.so
/usr/lib/mozilla/plugins/gecko-mediaplayer-wmp.so

Rather than double-clicking it, just run it from a terminal:

root@BLASTN2:/usr/lib/iceweasel/plugins# iceweasel
LoadPlugin: failed to initialize shared library /root/.mozilla/plugins/libflashplayer.so [/root/.mozilla/plugins/libflashplayer.so: cannot open shared object file: No such file or directory]
LoadPlugin: failed to initialize shared library /usr/lib/mozilla/plugins/libflashplayer.so [/usr/lib/mozilla/plugins/libflashplayer.so: cannot open shared object file: No such file or directory]

** (iceweasel:7420): WARNING **: The connection is closed

** (iceweasel:7420): WARNING **: The connection is closed

The result is a pain. Are you kidding me? The file is sitting right there in the directory you named. "No such file or directory" is pure nonsense, though; the real reason is:

pi@BLASTN2:~$ file /usr/lib/iceweasel/iceweasel
/usr/lib/iceweasel/iceweasel: ELF 32-bit LSB executable, ARM, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, BuildID[sha1]=0x77328e6ff7d090e25316bf43572429498166a376, stripped
pi@BLASTN2:~$ file /usr/lib/mozilla/plugins/libflashplayer.so
/usr/lib/mozilla/plugins/libflashplayer.so: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pi@BLASTN2:~$ 

Well, after searching around, only TI provides a Flash for ARM, http://www.ti.com.cn/tool/cn/adobeflash-a8, and the description says it only supports certain TI models. Giving up.
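Both this post and the libgcrypt post above end with the same diagnosis from file: a shared object that is not an ELF at all (libgcrypt.so.11.7.0 overwritten with text, which the loader reports as "invalid ELF header") or one built for the wrong machine (an Intel 80386 libflashplayer.so on an ARM box). The following Python script is an added example, not part of either post, that reads only the ELF identification bytes and the e_type/e_machine fields of every *.so* file under a directory and reports the ones that would fail to load on the host. The sample entries, the make_elf_head helper and the "ARM" host label are constructed for the example; the magic and e_machine values come from the ELF specification.

```python
import struct
import sys
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
# e_machine values from the System V ELF specification; only the ones relevant here.
E_MACHINE = {0x03: "Intel 80386", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}
E_TYPE = {2: "executable", 3: "shared object"}


def inspect_elf(head: bytes) -> dict:
    """Classify the first 20 bytes of a file: not an ELF at all (what the dynamic
    loader calls an invalid ELF header), or an ELF of a given class, type and machine."""
    if len(head) < 20 or head[:4] != ELF_MAGIC:
        return {"elf": False, "reason": "invalid ELF header"}
    ei_class, ei_data = head[4], head[5]          # 1/2 = 32/64-bit, 1/2 = LSB/MSB
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", head[16:20])
    return {
        "elf": True,
        "bits": 32 if ei_class == 1 else 64,
        "type": E_TYPE.get(e_type, "other"),
        "machine": E_MACHINE.get(e_machine, f"unknown (0x{e_machine:x})"),
    }


def find_bad_libs(entries, host_machine: str) -> list:
    """entries: iterable of (path, leading bytes).  Returns (path, problem) pairs for
    files a program on this host could not load: non-ELF files, and ELF objects
    built for a different machine."""
    bad = []
    for path, head in entries:
        info = inspect_elf(head)
        if not info["elf"]:
            bad.append((path, info["reason"]))
        elif info["machine"] != host_machine:
            bad.append((path, f"built for {info['machine']}, host is {host_machine}"))
    return bad


def scan_directory(directory: str, host_machine: str) -> list:
    """Read the header of every *.so* file under directory and report what find_bad_libs flags."""
    def entries():
        for p in Path(directory).rglob("*.so*"):
            if p.is_file():
                with open(p, "rb") as f:
                    yield str(p), f.read(20)
    return find_bad_libs(entries(), host_machine)


def make_elf_head(e_machine: int, e_type: int = 3) -> bytes:
    """Constructed 20-byte header: ELF identification (32-bit, little-endian, version 1)
    padded to 16 bytes, then e_type and e_machine.  Not a loadable object."""
    return ELF_MAGIC + bytes([1, 1, 1]) + b"\x00" * 9 + struct.pack("<HH", e_type, e_machine)


# Constructed sample entries mirroring the three cases seen in the posts above.
SAMPLE_ENTRIES = [
    ("/usr/lib/arm-linux-gnueabihf/libxml2.so.2.8.0", make_elf_head(0x28)),            # healthy ARM .so
    ("/lib/arm-linux-gnueabihf/libgcrypt.so.11.7.0", b"\xe9\xb2\xbc some text instead"),  # overwritten with text
    ("/usr/lib/mozilla/plugins/libflashplayer.so", make_elf_head(0x03)),             # x86 build on an ARM host
]

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_directory(target, "ARM") if target else find_bad_libs(SAMPLE_ENTRIES, "ARM")
    for path, problem in results:
        print(f"{path}: {problem}")
```

Run it with a directory argument (for example /usr/lib/arm-linux-gnueabihf) to scan a real system; with no argument it checks the constructed samples. Once a file is flagged, dpkg -S on its path names the package that owns it, which is the reinstall step both posts reach by hand.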

Analysis of an XVID integer underflow

Placeholder for now; I'll write this one up after the old IE posts are finished.

Vulnerability author: blast
Source: http://nul.pw/

0:012> g
(2e40.2d4c): Access violation - code c0000005 (!!! second chance !!!)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for F:\Windows\system32\xvidcore.dll -


Xvid is a standardised codec format belonging to the MPEG-4 Part 2 specification. Does the open-source Xvid decoder parse every mp4 correctly? Obviously not; look at this example.

When xvidcore parses a malformed mp4 file, an integer underflow can occur while handling a VOP. A VOP can, very loosely, be thought of as a frame, although the two do differ. A VOP's structure looks like:

vop_start_code (32 bits - 0x000001B6)
vop_coding_type (2 bits - 0=I, 1=P, 2=B, 3=S)
modulo_time_base (length varies)
marker_bit (1 bit - always 1)
vop_time_increment (length varies)
marker_bit (1 bit - always 1)
vop_coded (1 bit - 0 for NVOPs, 1 otherwise)

0x000001b6 is the start code defined by MPEG-4 Part 2.

In an AVS stream, a start code is a special bit pattern; each start code consists of a start code prefix and a start code value. The start code prefix is 23 zero bits followed by a single 1 bit, i.e. 0x00 00 01. All start codes are byte-aligned.

0x000001b6 is pb_picture_start_code, which marks the start of a P picture or a B picture. Forward inter prediction (P picture) and bidirectional inter prediction (B picture) are indicated by a 2-bit unsigned value: 01 == P picture, 02 == B picture.

A NAL unit is structured as follows:

1bit     2bits           5bits            payload information
|-----|----------|-------------------|-----------------
  FZB     NRI                NUT             RBSP
^---------------header---------------^

forbidden-zero-bit
NAL-ref-idc
NAL-unit-type

NAL stands for Network Abstraction Layer; it exists mainly to carry data over network-friendly transports. To map an AVS video stream into NAL units, map each chunk of data introduced by 0x000001 into a NAL unit and prepend a one-byte NAL unit header before the start code.
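As an added example (not xvidcore's code, and not the bug this post promises to analyse), the following Python parser reads the VOP header fields listed above and the one-byte NAL unit header from the diagram, and rejects malformed input instead of continuing with bad values. The width of vop_time_increment is fixed by the VOL header (derived from vop_time_increment_resolution), so the parser takes it as a parameter rather than parsing the VOL; the bit reader, the helper names and the sample bytes are constructed for this example.

```python
VOP_START_CODE = 0x000001B6
VOP_CODING_TYPES = {0: "I", 1: "P", 2: "B", 3: "S"}
START_CODE_PREFIX = b"\x00\x00\x01"      # 23 zero bits then a 1 bit, byte-aligned


class BitReader:
    """MSB-first bit reader that raises instead of reading past the end of the data."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0     # pos counts bits

    def read(self, n: int) -> int:
        if self.pos + n > len(self.data) * 8:
            raise ValueError(f"truncated stream: needed {n} bits at bit {self.pos}")
        value = 0
        for _ in range(n):
            byte = self.data[self.pos >> 3]
            value = (value << 1) | ((byte >> (7 - (self.pos & 7))) & 1)
            self.pos += 1
        return value


def parse_vop_header(data: bytes, time_increment_bits: int) -> dict:
    """Parse the fixed leading fields of a VOP header.  time_increment_bits is the
    width of vop_time_increment, which the VOL header fixes via
    vop_time_increment_resolution; it is passed in here (example assumption)."""
    if not 1 <= time_increment_bits <= 16:
        raise ValueError("vop_time_increment is 1..16 bits wide")
    r = BitReader(data)
    if r.read(32) != VOP_START_CODE:
        raise ValueError("missing vop_start_code 0x000001B6")
    coding_type = r.read(2)
    modulo_time_base = 0                  # run of 1 bits terminated by a 0 bit
    while r.read(1) == 1:                 # BitReader bounds the run by the data length
        modulo_time_base += 1
    if r.read(1) != 1:
        raise ValueError("marker_bit after modulo_time_base is not 1")
    time_increment = r.read(time_increment_bits)
    if r.read(1) != 1:
        raise ValueError("marker_bit after vop_time_increment is not 1")
    vop_coded = r.read(1)
    return {
        "coding_type": VOP_CODING_TYPES[coding_type],
        "modulo_time_base": modulo_time_base,
        "vop_time_increment": time_increment,
        "vop_coded": bool(vop_coded),
    }


def parse_nal_header(byte: int) -> dict:
    """Split the one-byte NAL unit header from the diagram above:
    1 bit forbidden_zero_bit, 2 bits nal_ref_idc, 5 bits nal_unit_type."""
    if not 0 <= byte <= 0xFF:
        raise ValueError("NAL header is a single byte")
    header = {"forbidden_zero_bit": byte >> 7,
              "nal_ref_idc": (byte >> 5) & 0x3,
              "nal_unit_type": byte & 0x1F}
    if header["forbidden_zero_bit"]:
        raise ValueError("forbidden_zero_bit set: corrupt NAL header")
    return header


def find_start_codes(data: bytes) -> list:
    """Byte-aligned scan for start code prefixes; returns (offset, start code value)."""
    found, i = [], 0
    while (i := data.find(START_CODE_PREFIX, i)) != -1:
        if i + 3 < len(data):
            found.append((i, data[i + 3]))
        i += 3
    return found


def rejects(data: bytes, time_increment_bits: int) -> bool:
    """True if parse_vop_header refuses the input (exercises the failure modes)."""
    try:
        parse_vop_header(data, time_increment_bits)
    except ValueError:
        return True
    return False


# Constructed sample: start code, vop_coding_type=01 (P), modulo_time_base=110,
# marker=1, vop_time_increment=01001 (5 bits), marker=1, vop_coded=1, zero padding.
GOOD_VOP = b"\x00\x00\x01\xb6\x75\x38"
BAD_MARKER_VOP = b"\x00\x00\x01\xb6\x71\x38"   # first marker bit cleared
TRUNCATED_VOP = GOOD_VOP[:-1]                  # cut off inside vop_time_increment

if __name__ == "__main__":
    print(parse_vop_header(GOOD_VOP, 5))
    print(find_start_codes(GOOD_VOP + b"\x00\x00\x01\xb0"))
    print(parse_nal_header(0x65))
```

The point of the checks is that every variable-length field (the modulo_time_base run, vop_time_increment) is bounded by the data actually present and by the marker bits that follow it, so a truncated or bit-flipped header fails at the parser instead of feeding a wrong length into later arithmetic.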

If you're interested in this, see this book:

http://books.google.com.hk/books?id=6wfGBAAAQBAJ&pg=PA71&lpg=PA71&dq=0x000001b6&source=bl&ots=ZKA_0DM5aF&sig=WJo619-gGY188gxxDUKaX4z0HJI&hl=zh-CN&sa=X&ei=kUpsVO6wFISlmQXl5oDoDw&ved=0CDMQ6AEwAzgK#v=onepage&q=0x000001b6&f=false