package main
import (
"encoding/binary"
"fmt"
"os"
"syscall"
"unsafe"
)
func F(a, b uint64) uint64 {
r := make([]uint64, 1)
cadd(r, 9, 8)
return a + b + r[0]
}
func calls(res []uint64, a, b uint64, m []byte)
func padd(res []uint64, a, b uint64)
func cadd(res []uint64, a, b uint64) {
m, err := syscall.Mmap(
-1,
0,
1023,
// The region must be RWX: RW for writing native codes, X for executing the region.
syscall.PROT_READ|syscall.PROT_WRITE,
// Anonymous as this is not an actual file, but a memory,
// Private as this is in-process memory region.
syscall.MAP_ANON|syscall.MAP_PRIVATE,
)
if err != nil {
panic(err)
}
r := []byte{
0x48, 0x8b, 0x7c, 0x24, 0x08,
0x48, 0x8b, 0x44, 0x24, 0x20,
0x48, 0x8b, 0x6c, 0x24, 0x28,
0x48, 0x01, 0xc5,
0x48, 0x89, 0x2f,
0xc3,
}
arm := []uint32{
0xf94007e2,
0xf94013e1,
0xf94017e3,
0x8b030023,
0xf9000043,
0xd65f03c0,
}
r = make([]byte, len(arm)*4)
for i, v := range arm {
binary.LittleEndian.PutUint32(r[4*i:], v)
}
copy(m, r)
err = syscall.Mprotect(m, syscall.PROT_READ|syscall.PROT_EXEC)
if err != nil {
panic(err)
}
calls(res, a, b, m)
}
func main() {
fmt.Println(F(uint64(len(os.Args)), 1))
}
// darwin || dragonfly || freebsd || netbsd || openbsd
func Mprotect(b []byte, prot int) error {
if len(b) <= 0 {
return syscall.EACCES
}
_, _, e1 := syscall.Syscall(syscall.SYS_MPROTECT, uintptr(unsafe.Pointer(&b[0])), uintptr(len(b)), uintptr(prot))
if e1 != 0 {
return e1
}
return nil
}
/*
var (
kernel32 = syscall.NewLazyDLL("kernel32.dll")
procVirtualAlloc = kernel32.NewProc("VirtualAlloc")
procVirtualProtect = kernel32.NewProc("VirtualProtect")
procVirtualFree = kernel32.NewProc("VirtualFree")
)
const (
windows_MEM_COMMIT uintptr = 0x00001000
windows_MEM_RELEASE uintptr = 0x00008000
windows_PAGE_READWRITE uintptr = 0x00000004
windows_PAGE_EXECUTE_READ uintptr = 0x00000020
windows_PAGE_EXECUTE_READWRITE uintptr = 0x00000040
)
// See https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc
func allocateMemory(size uintptr, protect uintptr) (uintptr, error) {
address := uintptr(0)
alloctype := windows_MEM_COMMIT
if r, _, err := procVirtualAlloc.Call(address, size, alloctype, protect); r == 0 {
return 0, fmt.Errorf("compiler: VirtualAlloc error: %w", getLastError(err))
} else {
return r, nil
}
}
func freeMemory(code []byte) error {
address := uintptr(unsafe.Pointer(&code[0]))
size := uintptr(0) // size must be 0 because we're using MEM_RELEASE.
freetype := windows_MEM_RELEASE
if r, _, err := procVirtualFree.Call(address, size, freetype); err != nil || r == 0 {
return fmt.Errorf("compiler: VirtualFree error: %w", getLastError(err))
}
return nil
}
func virtualProtect(address, size, newprotect uintptr, oldprotect *uint32) error {
if r, _, err := procVirtualProtect.Call(address, size, newprotect, uintptr(unsafe.Pointer(oldprotect))); err != nil || r == 0 {
return fmt.Errorf("compiler: VirtualProtect error: %w", getLastError(err))
}
return nil
}
func mmap(size int) ([]byte, error) {
p, err := allocateMemory(uintptr(size), windows_PAGE_READWRITE)
if err != nil {
return nil, err
}
var mem []byte
sh := (*reflect.SliceHeader)(unsafe.Pointer(&mem))
sh.Data = p
sh.Len = size
sh.Cap = size
old := uint32(windows_PAGE_READWRITE)
err = virtualProtect(p, uintptr(size), windows_PAGE_EXECUTE_READ, &old)
if err != nil {
return nil, err
}
return mem, nil
}
// We are supposed to use "GetLastError" which is more precise, but it is not safe to execute in goroutines. While
// "GetLastError" is thread-local, goroutines are not pinned to threads.
// See https://docs.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-getlasterror
func getLastError(err error) error {
if err != nil {
return err
}
return syscall.EACCES
}
*/
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· winform 绘制太阳,地球,月球 运作规律
· 震惊!C++程序真的从main开始吗?99%的程序员都答错了
· AI与.NET技术实操系列(五):向量存储与相似性搜索在 .NET 中的实现
· 超详细:普通电脑也行Windows部署deepseek R1训练数据并当服务器共享给他人
· 【硬核科普】Trae如何「偷看」你的代码?零基础破解AI编程运行原理