
Commit 4c48a6c

committed
publish new post
1 parent e38bd8e commit 4c48a6c

3 files changed

Lines changed: 9 additions & 9 deletions

File tree

2023/05/07/CVE-2022-1364.html

Lines changed: 1 addition & 1 deletion
@@ -128,7 +128,7 @@ <h2 id="分析">分析</h2>
128128

129129
<p>这样的话在临近位置,连续调用函数 C 返回的应该就是同一层栈帧对应的 this 对象。e2.M === e2.C 应该像注释中描述的也为 true 才对。继续分析 opt 函数的 JIT 编译做了哪些优化,为什么改变了这个结果。</p>
130130

131-
<p>用 ./Chrome.exe –js-flags=”–allow-natives-syntax –trace-turbo” –no-sandbox –enable-logging=stderr 命令重新启动 chrome,访问 POC 页面后,得到编译过程的 trace 日志 <img src="/assets/images/turbo-000000B00023E8B4-0%201.json" alt="turbo-000000B00023E8B4-0 1.json" />,用 <a href="https://v8.github.io/tools/head/turbolizer/index.html">v8 turbolizer</a> 打开</p>
131+
<p>用 ./Chrome.exe –js-flags=”–allow-natives-syntax –trace-turbo” –no-sandbox –enable-logging=stderr 命令重新启动 chrome,访问 POC 页面后,得到编译过程的 trace 日志 <a href="/assets/images/turbo-000000B00023E8B4-0%201.json">turbo-000000B00023E8B4-0 1.json</a>,用 <a href="https://v8.github.io/tools/head/turbolizer/index.html">v8 turbolizer</a> 打开</p>
132132

133133
<p>opt 函数整理一下,可以写成下面的形式:</p>
134134
<div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">function</span> <span class="nx">opt</span><span class="p">(</span><span class="nx">a</span><span class="p">,</span><span class="nx">b</span><span class="p">,</span><span class="nx">c</span><span class="p">)</span> <span class="p">{</span>
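Review bot: the command in the changed line 131 still uses typographic dashes and curly quotes (`–js-flags=”–allow-natives-syntax –trace-turbo”`), which fail when a reader pastes it into a shell; since this line is being edited anyway, rewrite it as `--js-flags="--allow-natives-syntax --trace-turbo" --no-sandbox --enable-logging=stderr`. The `<img src=…json>` to `<a href=…json>` swap itself is correct: a Turbo trace JSON file cannot render as an image, so a download link is the appropriate element.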

assets/css/style.css.map

Lines changed: 6 additions & 6 deletions

feed.xml

Lines changed: 2 additions & 2 deletions
@@ -1,4 +1,4 @@
1-
<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="4.2.2">Jekyll</generator><link href="https://pwntips.github.io/feed.xml" rel="self" type="application/atom+xml" /><link href="https://pwntips.github.io/" rel="alternate" type="text/html" /><updated>2024-12-31T14:14:12+08:00</updated><id>https://pwntips.github.io/feed.xml</id><title type="html">PwnTips</title><subtitle>Tips &amp; Tricks</subtitle><entry><title type="html">在国内连接 OSCP 的 Universal VPN</title><link href="https://pwntips.github.io/2024/12/30/universal-vpn-in-china.html" rel="alternate" type="text/html" title="在国内连接 OSCP 的 Universal VPN" /><published>2024-12-30T00:00:00+08:00</published><updated>2024-12-30T00:00:00+08:00</updated><id>https://pwntips.github.io/2024/12/30/universal-vpn-in-china</id><content type="html" xml:base="https://pwntips.github.io/2024/12/30/universal-vpn-in-china.html"><![CDATA[<p>TLDR 版:openvpn 支持 socks5 代理,改一下配置,使用 socks5 代理连接 VPN 服务器。</p>
1+
<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="4.2.2">Jekyll</generator><link href="https://pwntips.github.io/feed.xml" rel="self" type="application/atom+xml" /><link href="https://pwntips.github.io/" rel="alternate" type="text/html" /><updated>2024-12-31T14:21:15+08:00</updated><id>https://pwntips.github.io/feed.xml</id><title type="html">PwnTips</title><subtitle>Tips &amp; Tricks</subtitle><entry><title type="html">在国内连接 OSCP 的 Universal VPN</title><link href="https://pwntips.github.io/2024/12/30/universal-vpn-in-china.html" rel="alternate" type="text/html" title="在国内连接 OSCP 的 Universal VPN" /><published>2024-12-30T00:00:00+08:00</published><updated>2024-12-30T00:00:00+08:00</updated><id>https://pwntips.github.io/2024/12/30/universal-vpn-in-china</id><content type="html" xml:base="https://pwntips.github.io/2024/12/30/universal-vpn-in-china.html"><![CDATA[<p>TLDR 版:openvpn 支持 socks5 代理,改一下配置,使用 socks5 代理连接 VPN 服务器。</p>
22

33
<p>最近购买了 offsec 的 PEN 200/OSCP 课程,发现在国内连它的 Universal VPN 很不稳定,不用多说又是 GFW 的原因。</p>
44
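Review bot: the only change in this hunk is the feed `<updated>` timestamp moving from `2024-12-31T14:14:12+08:00` to `2024-12-31T14:21:15+08:00`; because feed.xml is Jekyll build output (see the `<generator uri="https://jekyllrb.com/">` element), every publish will produce a timestamp-only diff here. If build output must live in this repository, consider generating feed.xml (and the style.css.map above) in CI rather than committing it, so the commit shows only the substantive content edit.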

@@ -324,7 +324,7 @@ static int FindFormatCalssId(const GUID *clsid) // Calss -&gt; Class
324324
325325
<p>这样的话在临近位置,连续调用函数 C 返回的应该就是同一层栈帧对应的 this 对象。e2.M === e2.C 应该像注释中描述的也为 true 才对。继续分析 opt 函数的 JIT 编译做了哪些优化,为什么改变了这个结果。</p>
326326
327-
<p>用 ./Chrome.exe –js-flags=”–allow-natives-syntax –trace-turbo” –no-sandbox –enable-logging=stderr 命令重新启动 chrome,访问 POC 页面后,得到编译过程的 trace 日志 <img src="/assets/images/turbo-000000B00023E8B4-0%201.json" alt="turbo-000000B00023E8B4-0 1.json" />,用 <a href="https://v8.github.io/tools/head/turbolizer/index.html">v8 turbolizer</a> 打开</p>
327+
<p>用 ./Chrome.exe –js-flags=”–allow-natives-syntax –trace-turbo” –no-sandbox –enable-logging=stderr 命令重新启动 chrome,访问 POC 页面后,得到编译过程的 trace 日志 <a href="/assets/images/turbo-000000B00023E8B4-0%201.json">turbo-000000B00023E8B4-0 1.json</a>,用 <a href="https://v8.github.io/tools/head/turbolizer/index.html">v8 turbolizer</a> 打开</p>
328328
329329
<p>opt 函数整理一下,可以写成下面的形式:</p>
330330
<div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">function</span> <span class="nx">opt</span><span class="p">(</span><span class="nx">a</span><span class="p">,</span><span class="nx">b</span><span class="p">,</span><span class="nx">c</span><span class="p">)</span> <span class="p">{</span>
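Review bot: this hunk repeats the `<img>` to `<a href>` edit from 2023/05/07/CVE-2022-1364.html inside the feed's embedded copy of the same post, so the one fix had to be applied by hand in two generated files; if the post also has a Markdown source (not part of this commit), make sure it carries the same change, otherwise the next site build will reintroduce the `<img>` tag in both places. The `@@` context `FindFormatCalssId(const GUID *clsid) // Calss -> Class` belongs to an unrelated earlier feed entry and is untouched.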
