In Microchip TCP/IP stack we encounter the following code:
while(1)
{
AppConfig.MyIPAddr.Val = MY_DEFAULT_IP_ADDR_BYTE1 | MY_DEFAULT_IP_ADDR_BYTE2<<8ul | MY_DEFAULT_IP_ADDR_BYTE3<<16ul | MY_DEFAULT_IP_ADDR_BYTE4<<24ul;
AppConfig.DefaultIPAddr.Val = AppConfig.MyIPAddr.Val;
AppConfig.MyMask.Val = MY_DEFAULT_MASK_BYTE1 | MY_DEFAULT_MASK_BYTE2<<8ul | MY_DEFAULT_MASK_BYTE3<<16ul | MY_DEFAULT_MASK_BYTE4<<24ul;
AppConfig.DefaultMask.Val = AppConfig.MyMask.Val;
AppConfig.MyGateway.Val = MY_DEFAULT_GATE_BYTE1 | MY_DEFAULT_GATE_BYTE2<<8ul | MY_DEFAULT_GATE_BYTE3<<16ul | MY_DEFAULT_GATE_BYTE4<<24ul;
AppConfig.PrimaryDNSServer.Val = MY_DEFAULT_PRIMARY_DNS_BYTE1 | MY_DEFAULT_PRIMARY_DNS_BYTE2<<8ul | MY_DEFAULT_PRIMARY_DNS_BYTE3<<16ul | MY_DEFAULT_PRIMARY_DNS_BYTE4<<24ul;
AppConfig.SecondaryDNSServer.Val = MY_DEFAULT_SECONDARY_DNS_BYTE1 | MY_DEFAULT_SECONDARY_DNS_BYTE2<<8ul | MY_DEFAULT_SECONDARY_DNS_BYTE3<<16ul | MY_DEFAULT_SECONDARY_DNS_BYTE4<<24ul;
// Load the default NetBIOS Host Name
memcpypgm2ram(AppConfig.NetBIOSName, (ROM void*)MY_DEFAULT_HOST_NAME, 16);
FormatNetBIOSName(AppConfig.NetBIOSName);
break;
}
What's the function of the while(1)...break since it only executes one time ?
Looks like legacy code to me. It's common to have a while(1) loop to initialize PLLs and such, but generally the breaking condition is dependent upon a register status bit in those circumstances.
If it were me, I would comment out the while(1) line, recompile, and see if any smoke appears ;-)
Since there appears to be no continue statements or unconditional goto's in the loop body, I would say that it is just a way of enclosing a scope around that section of code. Interestingly, there are no automatic variables declared inside of the scope making the scope pretty useless.
Must be for scope. I don't see any other reason.
EDIT
Also, it could be someone was copy/pasting code from somewhere else that had a continue/break/etc in the block then just put their own code in there without thinking about it.
There's only one way to a truly definite answer: Ask the vendor for the history of that file (preferably with check-in log messages). Everything else seems like speculation.
It is perhaps more usually written as a do { ... } while (0); loop which does not need a break in it (unless you need an early exit from the loop). In this context, as others said, it does not seem to provide any benefit unless one of the two functions is actually a macro, but the macro should be self-contained anyway.
Related
shared_ptr<int> sp1(new int(10));
shared_ptr<int> sp3(sp1);
*sp3 = 20;
I wrote the code above, but clion advises me that 'Clang-Tidy: Local copy 'sp3' of the variable 'sp1' is never modified; consider avoiding the copy';and clion modifies my code to below:
I want to konw why clion give me that advise
and why const shared_ptr<int>& sp3(sp1); is the best
thank you!
Copying any large object generally costs more than just referencing it (, and the reference can sometimes be optimized by the compiler). clang-tidy is smart enough to detect that you never modify sp3 and the copy can be avoided.
If you only wonder why clang-tidy gives you this suggestion, you can stop here, since it will give you the same suggestion whatever class you use. The following paragraphs explain how copying a shared pointer can be expensive.
This represents your original code:
contains
sp3 --------------
| copy of \
| \ ______________
V contains \ | ... | points to
sp1 --------------------> | new int(10) -+----------> 10
|______________|
control block
By using const shared_ptr<int>& sp3(sp1); you create a reference to sp1, and you can still change the value the raw pointer points to. The const & only means you cannot modify sp1 by sp3.
______________
& contains | ... | points to
sp3 ------>sp1 -----------> | new int(10) -+----------> 10
|______________|
control block
The control block is used for reference counting and ensures thread-safety by atomic operations, which costs much more time than just copying bytes. That's why you should only copy a std::shared_ptr<?> when you really need to. (e.g. Pass it to another thread or store it in a graph structure)
I am trying, as part of an exercise, to exploit a simple program by overwriting a value of a variable though a buffer overflow. I am pretty sure I have the idea behind the exploit figured out, but since I am unable to inject my code I can't know for sure.
I have tried to build a script that uses Pwntools which is good for packing integers but I haven't managed to get it to work. I also tried to read up about TTY and how you could manipulate what the terminal sends to the process.
A simple pseudocode of the program that I am exploiting:
returnFlag() {
print(flag)
}
main() {
char[8] = input
id = 999999
input = fgets()
if (id = 0) {
returnFlag()
}
}
My plan is to overflow the variable input and overwrite the value of id with 0 so it the function returnFlag() is executed. But when I input for example "AAAA\x00\x00\x00" I only get gibberish when I look at the memory with GDB.
This problem has driven me crazy for the last 1,5 weeks and any help would be greatly appreciated.
So I figured out how to solve the problem. Hopefully this will help someone else as well.
The problem was that I did not know how to send the "exploit code" because it's made up by nulls. Fortunately there is a neat tool called Pwntools link that helps you just with that.
With that tool you can interact with the program and "pack" integers so that you can send all the types of bytes necessary, including null-bytes.
A simple POC using Pwntools to exploit the program above, lets call it vuln, would look like:
#! /usr/bin/env python2
# Importerar rubbet
from pwnlib import *
from pwnlib.tubes.remote import *
from pwnlib.util.packing import *
from pwnlib.gdb import *
context.bits= '32'
context.endian= 'little'
context.log_level = 'debug'
pl = fit({0:'1', 8:[0x00000000]})
io = process('/vuln')
io.sendline(pl)
print(io.recvlines(1))
So I first import all the libs, set up the environment that I am trying to exploit with context. Then I use the fit-function. It packs all of my input in a way that I can send it to the program. I am still trying to figure out what fit is doing behind the scenes.
I am using perl debugger in Eclipse (via EPIC plugin). Is there any feature to automate the steps until an event occurs. For example can I make it run until $args->{some_arg} is set? If not, what is the best known workaround? This feature or workaround may be similar to debugging some other C-like languages.
In the normal perl debugger, setting $DB::single = 1; will drop you to the debugger. So you could have the following:
$DB::single = 1 if $args->{some_arg};
I have no idea if this works in Eclipse.
What I was looking for actually something that follows all the flow and stops whenever that condition is met. But closest thing to this is called conditional breakpoints which works as Leolo mentioned. EPIC actually supports this but some versions is kind'a faulty in some versions. The way to do that is after setting breakpoint somewhere, right-click on it and set condition in Properties dialog. In faulty versions, properties is the third choice in the menu, with no text.
The stock perl debugger has a watch w command.
The perl debugger Devel::Trepan can also has a watch command.
Here is an example. In file test.pl:
my $x = 1;
my $y = 2;
my $x = 3;
Now here is a sample session:
trepan.pl test.pl
-- main::(test.pl:1 #0x19b5da8)
my $x = 1;
(trepanpl): watch $y
Watch expression 1: $y set
$DB::D[0] = <undef>
(trepanpl): c
Watchpoint 1: $y changed
------------------------
old value <undef>
new value 2
wa main::(test.pl:3 #0x1b2a5a8)
my $x = 3;
(trepanpl):
I should note one thing about watchpoints. In contrast to gdb which often has hardware support for this feature, that is not the case here. So when you use this, your program may slow down because the debugger gets called every each possible stopping point to check of the value of the expression has changed.
Devel::Trepan also has gdb-style breakpoints where you can attach a condition to the breakpoint. If using watchpoints slows your program down too much, use this which should be faster.
Perhaps someone will write an Eclipse plugin for Devel::Trepan.
Is there any way how can I get a list of breakpoints from within Windows Debugger Extension?
I'm using plain C (and I'm trying to avoid using COM interface they provide and I'm not even sure if that COM interface provides a way to do that).
I've read and researched wdbgexts.h and dbghelp.h but neither of them seem to contain any usable function or global variable, although there are some info on BPs in those files, such as DBGKD_GET_VERSION::BreakpointWithStatus.
Use IDebugControl::GetNumberBreakpoints, then IDebugControl::GetBreakpointByIndex.
Windows Debugger Extension provides function ULONG64 GetExpression(PCSTR lpExpression) (of course it's <sarcasm>well documented</sarcasm>)
#define GetExpression (ExtensionApis.lpGetExpressionRoutine)
which allows you to get results from any WinDBG expression like ?? #eip.
GetExpression( "#eip"); // Without `?? ` in the beginning
Next, if you take a look at:
Windows Debugger Help » Debugging Tools For Windows » Debuggers » Debugger References » Debugger Commands » Syntax Rules » Pseudo-Registers Syntax
You will find a line what looks like this:
$bpNumber - The address of the corresponding breakpoint. For example,
$bp3 (or $bp03) refers to the breakpoint whose breakpoint ID is 3.
Number is always a decimal number. If no breakpoint has an ID of
Number, $bpNumber evaluates to zero. For more information about
breakpoints, see Using Breakpoints.
So with some overhead you'll get this (working) solution:
#define MAX_BREAKPOINTS 100
DWORD i, addr;
CHAR buffer[] = "$bp\0\0\0\0\0\0\0\0\0\0\0\0";
for( i = 0; i < MAX_BREAKPOINTS; ++i){
// Appends string to BP prefix
itoa( i, buffer+3, 10);
addr = GetExpression( buffer);
if( !addr){
break;
}
// Do stuff
}
The only another solution is to use COM objects as Steve Johnson suggested.
I was searching online for something to help me do assembly line profiling. I searched and found something on http://www.webservertalk.com/message897404.html
There are two parts of to this problem; finding all instructions of a particular type (inc, add, shl, etc) to determine groupings and then figuring out which are getting executed and summing correcty. The first bit is tricky unless grouping by disassembler is sufficient. For figuring which instructions are being executed, Dtrace is of course your friend here( at least in userland).
The nicest way of doing this would be instrument only the begining of each basic block; finding these would be a manual process right now... however, instrumenting each instruction is feasible for small applications. Here's an example:
First, our quite trivial C program under test:
main()
{
int i;
for (i = 0; i < 100; i++)
getpid();
}
Now, our slightly tricky D script:
#pragma D option quiet
pid$target:a.out::entry
/address[probefunc] == 0/
{
address[probefunc]=uregs[R_PC];
}
pid$target:a.out::
/address[probefunc] != 0/
{
#a[probefunc,(uregs[R_PC]-address[probefunc]), uregs[R_PC]]=count();
}
END
{
printa("%s+%#x:\t%d\t%#d\n", #a);
}
main+0x1: 1
main+0x3: 1
main+0x6: 1
main+0x9: 1
main+0xe: 1
main+0x11: 1
main+0x14: 1
main+0x17: 1
main+0x1a: 1
main+0x1c: 1
main+0x23: 101
main+0x27: 101
main+0x29: 100
main+0x2e: 100
main+0x31: 100
main+0x33: 100
main+0x35: 1
main+0x36: 1
main+0x37: 1
From the example given, this is exactly what i need. However I have no idea what it is doing, how to save the DTrace program, how to execute with the code that i want to get the results of. So i opened this hoping some people with good DTrace background could help me understand the code, save it, run it and hopefully get the results shown.
If all you want to do is run this particular DTrace script, simply save it to a .d script file and use a command like the following to run it against your compiled executable:
sudo dtrace -s dtracescript.d -c [Path to executable]
where you replace dtracescript.d with your script file name.
This assumes that you have DTrace as part of your system (I'm running Mac OS X, which has had it since Leopard).
If you're curious about how this works, I wrote a two-part tutorial on using DTrace for MacResearch a while ago, which can be found here and here.