
reverse qobi-wmhint-fix


Easy Debian為了取得Keyboard控制權,藉由呼叫/sbin/qobi-wmhint-fix取得,不過由於Qobi-wmhint-fix的原始程式已經不可考,司徒只能從maemo.org的討論區取得片段程式,因怕資訊不夠完整,司徒決定Reverse Qobi-wmhint-fix,看看該程式的實際內容,到底這支程式的內容是如何取得鍵盤控制權。

首先,使用GDB載入Qobi-wmhint-fix並Disassemble main()副程式,司徒將Disassemble後的副程式加上註解,說明如下:

Dump of assembler code for function main:
// main() of qobi-wmhint-fix, 32-bit ARM (EABI, r11 used as frame pointer).
// The code is unoptimised: every local is kept in the stack frame and reloaded
// before each use. Frame layout (all offsets relative to r11):
//   [r11-16]      XWMHints *input_hints   (result of XGetWMHints; author's "buf3")
//   [r11-20]      Display  *display       (result of XOpenDisplay; author's "buf2")
//   [r11-24]      Window    window        (filled by sscanf;       author's "buf1")
//   [r11-60..-25] local XWMHints          (36 bytes = 9 x 4-byte fields)
//   [r11-64]      argc
//   [r11-68]      argv
//   [r11-76]      scratch pointer used while zeroing the local XWMHints
// Addresses 0x89c0..0x89d4 are the literal pool (data); gdb shows them as
// bogus andeq/muleq/"undefined" instructions -- see the notes at the end.
// prologue: save r11/r12/lr/pc, r11 = frame pointer, reserve 64 bytes of locals
0x0000877c <main+0>:  mov  r12, sp
0x00008780 <main+4>:  push  {r11, r12, lr, pc}
0x00008784 <main+8>:  sub  r11, r12, #4
0x00008788 <main+12>:  sub  sp, sp, #64  ; 0x40
// argc -> [r11-64]
0x0000878c <main+16>:  str  r0, [r11, #-64]  ; 0x40
// argv -> [r11-68]
0x00008790 <main+20>:  str  r1, [r11, #-68]  ; 0x44
// window = 0  ([r11-24])
0x00008794 <main+24>:  mov  r3, #0
0x00008798 <main+28>:  str  r3, [r11, #-24]
0x0000879c <main+32>:  ldr  r3, [r11, #-64]  ; 0x40
// if (argc == 2) then goto 0x87c8
0x000087a0 <main+36>:  cmp  r3, #2
0x000087a4 <main+40>:  beq  0x87c8 <main+76>
// r3 = stderr: 0x89c0 holds 0x00010c20, which appears to be the address of the
// stderr variable; the second ldr fetches the FILE* itself (4th fwrite argument)
0x000087a8 <main+44>:  ldr  r3, [pc, #528]  ; 0x89c0 <main+580>
0x000087ac <main+48>:  ldr  r3, [r3]
// string="usage: set-input-hint <id>\n"
0x000087b0 <main+52>:  ldr  r0, [pc, #524]  ; 0x89c4 <main+584>
// size = 1
0x000087b4 <main+56>:  mov  r1, #1
// count = 27 = strlen(string)
0x000087b8 <main+60>:  mov  r2, #27
// fwrite(string, 1, 27, stderr)  -- fprintf(stderr, <constant string>) was
// compiled down to a plain fwrite
0x000087bc <main+64>:  bl  0x8678 <fwrite>
// r0 = -1  (mvn = bitwise NOT of 0)
0x000087c0 <main+68>:  mvn  r0, #0
// exit(-1)
0x000087c4 <main+72>:  bl  0x869c <exit>
// r3 = argv
0x000087c8 <main+76>:  ldr  r3, [r11, #-68]  ; 0x44
// r3 = &argv[1]  (pointers are 4 bytes)
0x000087cc <main+80>:  add  r3, r3, #4
// r3 = argv[1]
0x000087d0 <main+84>:  ldr  r3, [r3]
// r2 = &window  (author's buf1 = r11-24)
0x000087d4 <main+88>:  sub  r2, r11, #24
// r0 = argv[1]
0x000087d8 <main+92>:  mov  r0, r3
// string="0x%lx"
0x000087dc <main+96>:  ldr  r1, [pc, #484]  ; 0x89c8 <main+588>
// sscanf(argv[1], "0x%lx", &window)
0x000087e0 <main+100>:  bl  0x8654 <__isoc99_sscanf>
// r3 = return value of sscanf (number of items converted)
0x000087e4 <main+104>:  mov  r3, r0
// if (sscanf() == 1) then goto 0x880c
0x000087e8 <main+108>:  cmp  r3, #1
0x000087ec <main+112>:  beq  0x880c <main+144>
0x000087f0 <main+116>:  ldr  r3, [pc, #456]  ; 0x89c0 <main+580>
// r3 = stderr  (same two-step load as above; the author's "0xc20" is the low
// bits of the pointer address 0x10c20, not the FILE* value)
0x000087f4 <main+120>:  ldr  r3, [r3]
// r0 = stderr
0x000087f8 <main+124>:  mov  r0, r3
// string="id must be in parsable by 0x%%lx\n"
0x000087fc <main+128>:  ldr  r1, [pc, #456]  ; 0x89cc <main+592>
// fprintf(stderr, string)
0x00008800 <main+132>:  bl  0x8690 <fprintf>
// r0=-1
0x00008804 <main+136>:  mvn  r0, #0
// exit(-1)
0x00008808 <main+140>:  bl  0x869c <exit>
// string=""  (empty display name; the C source on this page writes
// XOpenDisplay() with no argument -- an empty name, like NULL, is expected to
// select the display named by $DISPLAY; verify against the Xlib version used)
0x0000880c <main+144>:  ldr  r0, [pc, #444]  ; 0x89d0 <main+596>
// display = XOpenDisplay("")
0x00008810 <main+148>:  bl  0x8660 <XOpenDisplay>
// r3 = XOpenDisplay()
0x00008814 <main+152>:  mov  r3, r0
// display -> [r11-20]  (author's buf2)
0x00008818 <main+156>:  str  r3, [r11, #-20]
0x0000881c <main+160>:  ldr  r3, [r11, #-20]
// if (display != NULL) then goto 0x8848
0x00008820 <main+164>:  cmp  r3, #0
0x00008824 <main+168>:  bne  0x8848 <main+204>
// r3 = stderr
0x00008828 <main+172>:  ldr  r3, [pc, #400]  ; 0x89c0 <main+580>
0x0000882c <main+176>:  ldr  r3, [r3]
// string="can't open display\n"
0x00008830 <main+180>:  ldr  r0, [pc, #412]  ; 0x89d4 <main+600>
0x00008834 <main+184>:  mov  r1, #1
// count = 19 = strlen(string)
0x00008838 <main+188>:  mov  r2, #19
// fwrite(string, 1, 19, stderr)
0x0000883c <main+192>:  bl  0x8678 <fwrite>
// r0=-1
0x00008840 <main+196>:  mvn  r0, #0
// exit(-1)
0x00008844 <main+200>:  bl  0x869c <exit>
// r3 = window  (value written by sscanf into [r11-24], author's buf1)
0x00008848 <main+204>:  ldr  r3, [r11, #-24]
// r0 = display
0x0000884c <main+208>:  ldr  r0, [r11, #-20]
// r1 = window
0x00008850 <main+212>:  mov  r1, r3
// input_hints = XGetWMHints(display, window)
// NOTE: the window id is used exactly as parsed; any X client may change the
// hints of any window, so the only check here is the format check above.
0x00008854 <main+216>:  bl  0x866c <XGetWMHints>
0x00008858 <main+220>:  mov  r3, r0
// input_hints -> [r11-16]  (author's buf3)
0x0000885c <main+224>:  str  r3, [r11, #-16]
0x00008860 <main+228>:  ldr  r3, [r11, #-16]
// if (input_hints != NULL) then goto 0x8970  (the "else" branch)
0x00008864 <main+232>:  cmp  r3, #0
0x00008868 <main+236>:  bne  0x8970 <main+500>
// input_hints == NULL: build a fresh XWMHints on the stack at [r11-60].
// 0x886c..0x8944 is the unrolled zero-initialisation of
//   XWMHints input_hints = { ... };
// [r11-76] walks a pointer over the struct, storing 0 to each 4-byte word; the
// nine stores cover 36 bytes, matching the nine fields of XWMHints on 32-bit
// ARM (flags, input, initial_state, icon_pixmap, icon_window, icon_x, icon_y,
// icon_mask, window_group).
0x0000886c <main+240>:  sub  r2, r11, #60  ; 0x3c
0x00008870 <main+244>:  str  r2, [r11, #-76]  ; 0x4c
0x00008874 <main+248>:  mov  r3, #0
0x00008878 <main+252>:  ldr  r2, [r11, #-76]  ; 0x4c
0x0000887c <main+256>:  str  r3, [r2]
0x00008880 <main+260>:  ldr  r3, [r11, #-76]  ; 0x4c
0x00008884 <main+264>:  add  r3, r3, #4
0x00008888 <main+268>:  str  r3, [r11, #-76]  ; 0x4c
0x0000888c <main+272>:  mov  r3, #0
0x00008890 <main+276>:  ldr  r2, [r11, #-76]  ; 0x4c
0x00008894 <main+280>:  str  r3, [r2]
0x00008898 <main+284>:  ldr  r3, [r11, #-76]  ; 0x4c
0x0000889c <main+288>:  add  r3, r3, #4
0x000088a0 <main+292>:  str  r3, [r11, #-76]  ; 0x4c
0x000088a4 <main+296>:  mov  r3, #0
0x000088a8 <main+300>:  ldr  r2, [r11, #-76]  ; 0x4c
0x000088ac <main+304>:  str  r3, [r2]
0x000088b0 <main+308>:  ldr  r3, [r11, #-76]  ; 0x4c
0x000088b4 <main+312>:  add  r3, r3, #4
0x000088b8 <main+316>:  str  r3, [r11, #-76]  ; 0x4c
0x000088bc <main+320>:  mov  r3, #0
0x000088c0 <main+324>:  ldr  r2, [r11, #-76]  ; 0x4c
0x000088c4 <main+328>:  str  r3, [r2]
0x000088c8 <main+332>:  ldr  r3, [r11, #-76]  ; 0x4c
0x000088cc <main+336>:  add  r3, r3, #4
0x000088d0 <main+340>:  str  r3, [r11, #-76]  ; 0x4c
0x000088d4 <main+344>:  mov  r3, #0
0x000088d8 <main+348>:  ldr  r2, [r11, #-76]  ; 0x4c
0x000088dc <main+352>:  str  r3, [r2]
0x000088e0 <main+356>:  ldr  r3, [r11, #-76]  ; 0x4c
0x000088e4 <main+360>:  add  r3, r3, #4
0x000088e8 <main+364>:  str  r3, [r11, #-76]  ; 0x4c
0x000088ec <main+368>:  mov  r3, #0
0x000088f0 <main+372>:  ldr  r2, [r11, #-76]  ; 0x4c
0x000088f4 <main+376>:  str  r3, [r2]
0x000088f8 <main+380>:  ldr  r3, [r11, #-76]  ; 0x4c
0x000088fc <main+384>:  add  r3, r3, #4
0x00008900 <main+388>:  str  r3, [r11, #-76]  ; 0x4c
0x00008904 <main+392>:  mov  r3, #0
0x00008908 <main+396>:  ldr  r2, [r11, #-76]  ; 0x4c
0x0000890c <main+400>:  str  r3, [r2]
0x00008910 <main+404>:  ldr  r3, [r11, #-76]  ; 0x4c
0x00008914 <main+408>:  add  r3, r3, #4
0x00008918 <main+412>:  str  r3, [r11, #-76]  ; 0x4c
0x0000891c <main+416>:  mov  r3, #0
0x00008920 <main+420>:  ldr  r2, [r11, #-76]  ; 0x4c
0x00008924 <main+424>:  str  r3, [r2]
0x00008928 <main+428>:  ldr  r3, [r11, #-76]  ; 0x4c
0x0000892c <main+432>:  add  r3, r3, #4
0x00008930 <main+436>:  str  r3, [r11, #-76]  ; 0x4c
0x00008934 <main+440>:  mov  r3, #0
0x00008938 <main+444>:  ldr  r2, [r11, #-76]  ; 0x4c
0x0000893c <main+448>:  str  r3, [r2]
0x00008940 <main+452>:  ldr  r3, [r11, #-76]  ; 0x4c
// final pointer bump is dead: r3 is overwritten on the next line
0x00008944 <main+456>:  add  r3, r3, #4
// input_hints.flags = InputHint (= 1)   -> [r11-60], struct offset 0
0x00008948 <main+460>:  mov  r3, #1
0x0000894c <main+464>:  str  r3, [r11, #-60]  ; 0x3c
// input_hints.input = True (= 1)        -> [r11-56], struct offset 4
0x00008950 <main+468>:  mov  r3, #1
0x00008954 <main+472>:  str  r3, [r11, #-56]  ; 0x38
// r3 = window, r2 = &input_hints (local struct), r0 = display, r1 = window
0x00008958 <main+476>:  ldr  r3, [r11, #-24]
0x0000895c <main+480>:  sub  r2, r11, #60  ; 0x3c
0x00008960 <main+484>:  ldr  r0, [r11, #-20]
0x00008964 <main+488>:  mov  r1, r3
// XSetWMHints(display, window, &input_hints)
0x00008968 <main+492>:  bl  0x86a8 <XSetWMHints>
// skip the else branch, go straight to XFlush
0x0000896c <main+496>:  b  0x89ac <main+560>
// else branch (input_hints != NULL): input_hints->input = True  ([r2+4])
0x00008970 <main+500>:  ldr  r2, [r11, #-16]
0x00008974 <main+504>:  mov  r3, #1
0x00008978 <main+508>:  str  r3, [r2, #4]
// input_hints->flags |= InputHint  (flags is the first field, offset 0)
0x0000897c <main+512>:  ldr  r3, [r11, #-16]
0x00008980 <main+516>:  ldr  r3, [r3]
0x00008984 <main+520>:  orr  r2, r3, #1
0x00008988 <main+524>:  ldr  r3, [r11, #-16]
0x0000898c <main+528>:  str  r2, [r3]
// r0 = display, r1 = window, r2 = input_hints
0x00008990 <main+532>:  ldr  r3, [r11, #-24]
0x00008994 <main+536>:  ldr  r0, [r11, #-20]
0x00008998 <main+540>:  mov  r1, r3
0x0000899c <main+544>:  ldr  r2, [r11, #-16]
// XSetWMHints(display, window, input_hints)
0x000089a0 <main+548>:  bl  0x86a8 <XSetWMHints>
0x000089a4 <main+552>:  ldr  r0, [r11, #-16]
// XFree(input_hints)
0x000089a8 <main+556>:  bl  0x8624 <XFree>
// both branches join here: XFlush(display)
0x000089ac <main+560>:  ldr  r0, [r11, #-20]
// XFlush
0x000089b0 <main+564>:  bl  0x8684 <XFlush>
// epilogue: restore r11, sp, lr and return. Nothing writes r0 after the XFlush
// call, so main's return value (the process exit status) is whatever XFlush
// left in r0 -- the C source simply falls off the end of main.
0x000089b4 <main+568>:  sub  sp, r11, #12
0x000089b8 <main+572>:  ldm  sp, {r11, sp, lr}
0x000089bc <main+576>:  bx  lr
// ---- literal pool (data, not code). Decoding the bogus instruction
// encodings gives the pointers used by the pc-relative loads above:
//   0x89c0: 0x00010c20  -> address of the stderr variable (see first use)
//   0x89c4: 0x00008a70  -> "usage: set-input-hint <id>\n"
//   0x89c8: 0x00008a8c  -> "0x%lx"
//   0x89cc: 0x00008a94  -> "id must be in parsable by 0x%%lx\n"
//   0x89d0: 0x00008ab8  -> ""  (shown literally by gdb)
//   0x89d4: 0x00008abc  -> "can't open display\n"  (shown literally by gdb)
// The string addresses are consistent with the 27/19-byte lengths passed to
// fwrite and with 4-byte alignment of the .rodata strings.
0x000089c0 <main+580>:  andeq  r0, r1, r0, lsr #24
0x000089c4 <main+584>:  andeq  r8, r0, r0, ror r10
0x000089c8 <main+588>:  andeq  r8, r0, r12, lsl #21
0x000089cc <main+592>:  muleq  r0, r4, r10
0x000089d0 <main+596>:  undefined instruction 0x00008ab8
0x000089d4 <main+600>:  undefined instruction 0x00008abc
End of assembler dump.

司徒發現上面這段程式跟maemo.org討論區的某段程式一樣,如下所示:

#include <X11/Xlib.h>
#include <X11/Xutil.h>
#include <stdio.h>
#include <stdlib.h>

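/*
 * set-input-hint / qobi-wmhint-fix: set the InputHint on an X window so the
 * window manager will offer it keyboard focus.
 *
 * Usage:  set-input-hint 0x<window-id>
 *
 * Exit status: 0 on success; exit(-1) (status 255, kept from the original) on
 * a usage error, an unparsable id, or failure to open the display.
 *
 * The program performs no authorisation of its own: X11 lets any client of a
 * display change the hints of any window on it, so the tool is only meaningful
 * when run inside the user's own X session.  An id that is not a live window
 * is expected to be reported by Xlib's default error handler (BadWindow),
 * which terminates the process.
 */
int main(int argc, char** argv)
{
  Display *display;
  Window window = 0;        /* XID from argv[1]; an unsigned long, so "%lx" matches */
  XWMHints *input_hints;

  if (argc != 2) {
    fprintf(stderr, "usage: set-input-hint <id>\n");
    exit(-1);
  }

  /* The id must be hexadecimal with a 0x prefix (e.g. 0x2a00001). */
  if (sscanf(argv[1], "0x%lx", &window) != 1) {
    fprintf(stderr, "id must be in parsable by 0x%%lx\n");
    exit(-1);
  }

  /* NULL selects the display named by $DISPLAY.  The original listing called
   * XOpenDisplay() with no argument, which does not compile against the Xlib
   * prototype; the disassembled binary passes "", which is resolved the same
   * way (an empty name also falls back to $DISPLAY). */
  display = XOpenDisplay(NULL);
  if (display == NULL) {
    fprintf(stderr, "can't open display\n");
    exit(-1);
  }

  input_hints = XGetWMHints(display, window);
  if (input_hints == NULL) {
    /* No hints on the window yet: build a fresh, fully zeroed XWMHints with
     * only the input flag set.  Named differently from the pointer so the
     * inner declaration does not shadow it. */
    XWMHints new_hints = { .flags = InputHint, .input = True };
    XSetWMHints(display, window, &new_hints);
  } else {
    /* Keep the existing hints and just add the input flag. */
    input_hints->input = True;
    input_hints->flags |= InputHint;
    XSetWMHints(display, window, input_hints);
    XFree(input_hints);
  }

  XFlush(display);
  XCloseDisplay(display);   /* fixes the "dislay" typo of the original; also releases the connection */
  return 0;                 /* the original fell off the end of main with no explicit status */
}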

上面這段程式就是透過XSetWMHints取得Keyboard的控制權,透過XSetWMHints的設定,Xephyr Server就可以透過Window Manager(LXDE)取得鍵盤控制權。

