command: wc -l
jump to the line of large file:
http://superuser.com/questions/113039/less-quickly-jump-to-line-number-in-large-file
vim myfile +$n
If the file is open you can type:
100g to go to the 100th line.
50p to go to 50% into the file.
100P to go to the line containing 100th byte.
You can use these from the terminal by adding + in front of them: less +100g bigfile.txt
Tuesday, August 31, 2010
Friday, August 27, 2010
Thursday, August 26, 2010
assembly
leal instruction:
http://en.wikibooks.org/wiki/X86_Disassembly/Calling_Convention_Examples
Multiprecision Subtraction Operations:
http://www.arl.wustl.edu/~lockwood/class/cs306/books/artofasm/Chapter_9/CH09-3.html
Tuesday, August 17, 2010
How to find the Windows kernel base with GDB+QEMU
REF: http://hexblog.com/2009/02/advanced_windows_kernel_debugg.html
http://www.hex-rays.com/idapro/debugger/gdb_vmware_winkernel.pdf
Goal: find the Windows kernel base address.
Environment + tools: Linux host, GDB, QEMU, Windows XP VM
Method:
1. Start the QEMU Windows VM. Then press Ctrl+Alt+2 to switch to the QEMU monitor. Type: gdbserver 1234
2. On the Linux host, start gdb, then type "target remote localhost:1234". GDB is now attached to the Windows VM.
3. On the QEMU monitor, type "info registers", then look at the fs segment and find its base address (the second number), as shown in figure 1. This is the address of the KPCR; it is 0xffdff000 on the test VM.
4. Then get the value of KdVersionBlock:
kdversionblock = Dword(kpcr+0x34). It is 0x8054c738 on the test VM.
5. Then get the "kernbase":
kernbase = Dword(kdversionblock+16). It is 0x804d7000 on the test VM.
6. Verify that this is the correct address: you should see the bytes 0x4d 0x5a 0x90 (the "MZ" signature of the PE file).
(Steps 4, 5 and 6 are shown in figure 2.)
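The pointer walk of steps 4 to 6 as an added Python example (not from the post or the referenced hexblog articles). The memory readers are supplied by the caller, so the same function runs offline against a constructed memory map that reproduces the post's values, or inside gdb's Python after the "target remote" step; the gdb adapter is an assumption about how one would wire it up, and the KPCR address is still taken from "info registers" as in step 3.

```python
import struct

KPCR_KDVERSIONBLOCK_OFF = 0x34     # KPCR.KdVersionBlock offset (from the post)
KDVERSIONBLOCK_KERNBASE_OFF = 16   # KernBase offset inside KdVersionBlock (from the post)
PE_MZ_SIGNATURE = b"MZ\x90"        # 0x4d 0x5a 0x90, the bytes step 6 expects

def find_kernbase(read_dword, read_bytes, kpcr):
    """KPCR -> KdVersionBlock -> KernBase, then verify the MZ signature.
    read_dword(addr) returns the 32-bit little-endian value at addr;
    read_bytes(addr, n) returns n raw bytes. Raises ValueError if the
    candidate base does not start with the PE signature."""
    kdversionblock = read_dword(kpcr + KPCR_KDVERSIONBLOCK_OFF)
    kernbase = read_dword(kdversionblock + KDVERSIONBLOCK_KERNBASE_OFF)
    sig = read_bytes(kernbase, 3)
    if sig != PE_MZ_SIGNATURE:
        raise ValueError(f"no MZ header at {kernbase:#x}: got {sig.hex()}")
    return kdversionblock, kernbase

def gdb_readers():
    """Hypothetical adapter for use inside gdb's Python (after
    'target remote localhost:1234'); reads guest memory via the inferior."""
    import gdb  # only importable inside gdb
    inf = gdb.selected_inferior()
    read_bytes = lambda a, n: bytes(inf.read_memory(a, n))
    read_dword = lambda a: struct.unpack("<I", read_bytes(a, 4))[0]
    return read_dword, read_bytes

# Constructed sample memory reproducing the post's test-VM values (not a real dump).
KPCR = 0xFFDFF000
SAMPLE_MEMORY = {
    KPCR + 0x34: struct.pack("<I", 0x8054C738),      # KPCR.KdVersionBlock
    0x8054C738 + 16: struct.pack("<I", 0x804D7000),  # KdVersionBlock.KernBase
    0x804D7000: b"MZ\x90\x00",                       # start of the kernel PE header
}

def sample_read_bytes(addr, n):
    for base, chunk in SAMPLE_MEMORY.items():
        if base <= addr and addr + n <= base + len(chunk):
            return chunk[addr - base:addr - base + n]
    raise ValueError(f"unmapped address {addr:#x}")

def sample_read_dword(addr):
    return struct.unpack("<I", sample_read_bytes(addr, 4))[0]

if __name__ == "__main__":
    kdvb, kb = find_kernbase(sample_read_dword, sample_read_bytes, KPCR)
    print(f"KdVersionBlock = {kdvb:#x}, KernBase = {kb:#x}")
```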
Thursday, August 5, 2010
Tuesday, August 3, 2010