Analyzing an ELF file (Linux program) with IDA Pro

IDA Free: https://hex-rays.com/ida-free/#download

In the log reported by the customer, you can see that the statement ending in FROM tbl_ud_pe_eventreport_network_sum limit 0 offset 1188 part F436B5F1BCEA75FB204A64C83EF4C90D7 failed with an error.

[1597725][2021-08-18][12:03:35][T1096963840][HQueryDB.cpp        ][0303][I]query_acuta_db_table_part_info result: str_db_name:AuditDB,str_table_name:tbl_ud_pe_eventreport_network_sum,part count:2 index 0 : mi_count:2, mi_year:2019, mi_month:4, mi_day:0, mstr_file:000000.dat, mstr_fileid:FB8EFA0B01B0C5F5D8A20C0BA387EE38D, index 1 : mi_count:772, mi_year:2021, mi_month:8, mi_day:0, mstr_file:000000.dat, mstr_fileid:F436B5F1BCEA75FB204A64C83EF4C90D7,
[1597726][2021-08-18][12:03:35][T1096963840][HQueryDB.cpp        ][0586][I]run sql...... SELECT str_record_uuid,i_interval_second,str_dev_id,str_agent_id,i_opr_count,i_internet_send_bytes,i_internet_recv_bytes,i_local_send_bytes,i_local_recv_bytes,t_start FROM tbl_ud_pe_eventreport_network_sum  limit 0 offset 1188 part F436B5F1BCEA75FB204A64C83EF4C90D7
[1597727][2021-08-18][12:03:35][T1096963840][HQueryDB.cpp        ][0444][W]run sql: SELECT str_record_uuid,i_interval_second,str_dev_id,str_agent_id,i_opr_count,i_internet_send_bytes,i_internet_recv_bytes,i_local_send_bytes,i_local_recv_bytes,t_start FROM tbl_ud_pe_eventreport_network_sum  limit 0 offset 1188 part F436B5F1BCEA75FB204A64C83EF4C90D7error,SQL syntax error

Going back through the code in svn, I found that every version looks like this:

		if(it_part_last_record_offset->second >= parts_info_node.mi_count)
		{
			HLog(HGET_INFO << L"part: " << parts_info_node.mstr_file_id << L" offset: " << it_part_last_record_offset->second << L" count: "<< parts_info_node.mi_count);
			return str_ret;
		}
		int i_limit_count = (tbl_info.i_limit_count == 0 ? (parts_info_node.mi_count -  it_part_last_record_offset->second):tbl_info.i_limit_count );
		str_ret<< L" limit "<<i_limit_count <<L" offset "<< it_part_last_record_offset->second;
		if(it_part_last_record_offset->second == parts_info_node.mi_count)
		{
			HLog(HGET_INFO << L"part: " << parts_info_node.mstr_file_id << L" offset: " << it_part_last_record_offset->second << L" count: "<< parts_info_node.mi_count);
			return str_ret;
		}
		int i_limit_count = (tbl_info.i_limit_count == 0 ? (parts_info_node.mi_count -  it_part_last_record_offset->second):tbl_info.i_limit_count );
		str_ret<< L" limit "<<i_limit_count <<L" offset "<< it_part_last_record_offset->second;

In none of these versions can limit be 0.
So we used IDA to analyze the program that was sent over from the customer site.
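Locate this function in the on-site program and press F5 to view its pseudocode. It is clear that when limit is computed from the offset and the total row count of the table, a result less than 0 is set to 0. That explains the limit 0 seen in the on-site log.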
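The following added example (not the project's code and not the decompiled output) reproduces the clause computation with the values from the log, mi_count 772 and offset 1188. The function name, the narrow strings, and the pairing of the clamp with the == guard are assumptions made for illustration.

```cpp
#include <iostream>
#include <sstream>
#include <string>

// Which early-return check guards the clause (both appear in the svn snippet).
enum class Guard { GreaterEqual, EqualOnly };

// Rebuilds the " limit N offset M" suffix. Returns "" when the guard returns early.
// clamp_negative models the set-to-0 step the post reports in the field binary's
// pseudocode; combining it with the == guard is an assumption of this example.
std::string build_limit_clause(int part_count, int offset, int cfg_limit,
                               Guard guard, bool clamp_negative) {
    bool nothing_left = (guard == Guard::GreaterEqual) ? offset >= part_count
                                                       : offset == part_count;
    if (nothing_left) return "";  // no rows left to read in this part
    // cfg_limit == 0 means "read everything that remains in the part".
    int limit = (cfg_limit == 0) ? part_count - offset : cfg_limit;
    if (clamp_negative && limit < 0) limit = 0;
    std::ostringstream os;
    os << " limit " << limit << " offset " << offset;
    return os.str();
}

int main() {
    const int count = 772, offset = 1188;  // values taken from the log above
    std::cout << ">= guard, no clamp: '"
              << build_limit_clause(count, offset, 0, Guard::GreaterEqual, false)
              << "'\n";
    std::cout << "== guard, no clamp: '"
              << build_limit_clause(count, offset, 0, Guard::EqualOnly, false)
              << "'\n";
    std::cout << "== guard, clamp:    '"
              << build_limit_clause(count, offset, 0, Guard::EqualOnly, true)
              << "'\n";
    return 0;
}
```

Only the third call yields the limit 0 offset 1188 suffix from the failing statement; the >= guard emits no clause at all once the stored offset has passed the part's row count.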

posted @ 2022-09-29 19:40  J1nu