largebin-attack


总结速递

注意:

  1. 0x4c0和0x4b0不在一个组内!!!

largebin结构分析

largebin 共占用 bins 数组中的64个bin,且分为6个组,每个组的公差不一样;可以理解为这64个large bin各管一个范围,但范围的大小不尽相同。

fd-bk

在一开始我们可以先理解largebin只使用了fd/bk构成双向链表,其中表头结构也同时具备fd和bk两个域,然后和chunk们一起构成双向循环链表,其中chunk在双链表中的位置是先取决于大小、后取决于进来的时间的:

fd/bk_nextsize

我们可以将fd/bk_nextsize这两个域理解为为了加快查找速率而添加进去的(这是由于在fd/bk组成的双链表中相同size的chunk放在一起,逐个遍历浪费大量时间);所以就建立了另外一个largebin头不参与其中的双向循环链表,其中从每一组相同size的chunk中选择出一个作为代表(也就是最早进来的那个),让它们构成一个双向循环链表,加快查找速率。

源代码分析

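/*
 * Excerpt of the large-bin insertion path of _int_malloc (glibc malloc.c):
 * the chunk `victim` of size `size`, just taken off the unsorted bin, is
 * sorted into its large bin.  `bck`/`fwd` are the bin head and its first
 * (largest) chunk; what this code maintains is the fd_nextsize/bk_nextsize
 * skip list (one representative per distinct size).  The fd/bk link-in of
 * victim (victim->bk = bck; victim->fd = fwd; ...) follows in glibc but is
 * outside this excerpt.
 */
victim_index = largebin_index(size);
bck = bin_at(av, victim_index);      /* bck: head of the matching large bin */
fwd = bck->fd;                       /* fwd: first chunk of the bin, i.e. the largest one */
if (fwd != bck) {                    /* bin is not empty */
    size |= PREV_INUSE;
    /* Author's aside: this is the assert that house_of_apple2 runs into
       when _exit triggers malloc_assert. */
    assert(chunk_main_arena(bck->bk));
    /* glibc compares against bck->bk, the SMALLEST chunk in the bin (the
       original listing wrote chunksize_nomask(fwd), which is the largest). */
    if ((unsigned long)(size) < (unsigned long)chunksize_nomask(bck->bk)) {
        /* victim is smaller than every chunk already in the bin: append it
           at the end of the nextsize list.  glibc performs no nextsize
           integrity check on this path -- this is the spot the attack
           section below relies on. */
        fwd = bck;
        bck = bck->bk;
        victim->fd_nextsize = fwd->fd;
        victim->bk_nextsize = fwd->fd->bk_nextsize;
        fwd->fd->bk_nextsize = victim->bk_nextsize->fd_nextsize = victim;
    } else {
        /* victim is >= the smallest chunk: walk the nextsize list from the
           largest size downwards until a size <= victim's is found.  The
           walk follows fd_nextsize (one node per size), not fd. */
        assert(chunk_main_arena(fwd));
        while ((unsigned long)(size) < chunksize_nomask(fwd)) {
            fwd = fwd->fd_nextsize;
            assert(chunk_main_arena(fwd));
        }
        if ((unsigned long)size == (unsigned long)chunksize_nomask(fwd)) {
            /* A chunk of exactly this size already exists: victim goes into
               the second position of that size group and the nextsize list
               is left alone (fwd stays the representative). */
            fwd = fwd->fd;
        } else {
            /* victim is strictly larger than fwd: link it into the nextsize
               list in front of fwd. */
            victim->fd_nextsize = fwd;
            victim->bk_nextsize = fwd->bk_nextsize;
            /* Integrity check (glibc >= 2.30); this is the
               `cmp QWORD PTR [rax+0x20],rsi` at _int_malloc+2615 in the
               disassembly below. */
            if (fwd->bk_nextsize->fd_nextsize != fwd)
                malloc_printerr("malloc(): largebin double linked list corrupted (nextsize)");
            fwd->bk_nextsize = victim;
            victim->bk_nextsize->fd_nextsize = victim;
        }
        bck = fwd->bk;
        /* Integrity check (glibc >= 2.30); the `cmp QWORD PTR [r9+0x10],rdi`
           at _int_malloc+2644 in the disassembly below. */
        if (bck->fd != fwd)
            malloc_printerr("malloc(): largebin double linked list corrupted (bk)");
    }
} else {
    /* Empty bin: victim is the only node of the nextsize list. */
    victim->fd_nextsize = victim->bk_nextsize = victim;
}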


攻击方法

#效果:任意地址写堆地址
#将一个较大的chunk先放入到largebin中,修改其bk_nextsize为target-0x20,然后将一个较小的chunk送入该largebin(通常是从unsortedbin中送),此时target处就会被写入较小chunk的地址(即其prev_size域所在的地址);
#其中事先放入largebin中的较大chunk的fd_nextsize不会被用到可以为0;
#同样,其fd、bk也可以为0;(原因后续更新)

#总的来说,就是新的chunk要更小!!!

关于一个报错:

这是由于我们走了下边那个分支造成的,该分支里会有一个完整性检查



0x00007ffff7e61f93 <+2611>: movups XMMWORD PTR [rdx+0x20],xmm0
0x00007ffff7e61f97 <+2615>: cmp QWORD PTR [rax+0x20],rsi
;这里的rax是fwd->bk_nextsize、rsi是fwd, 即检查fwd->bk_nextsize->fd_nextsize == fwd;
0x00007ffff7e61f9b <+2619>:
0x00007ffff7e61fa1 <+2625>: mov QWORD PTR [rsi+0x28],rdx
0x00007ffff7e61fa5 <+2629>: mov rax,QWORD PTR [rdx+0x28]
0x00007ffff7e61fa9 <+2633>: mov rdi,rsi
0x00007ffff7e61fac <+2636>: mov QWORD PTR [rax+0x20],rdx
0x00007ffff7e61fb0 <+2640>: mov r9,QWORD PTR [rdi+0x18]
0x00007ffff7e61fb4 <+2644>: cmp QWORD PTR [r9+0x10],rdi
0x00007ffff7e61fb8 <+2648>: je 0x7ffff7e61bb7 <_int_malloc+1623>
0x00007ffff7e61fbe <+2654>: lea rdi,[rip+0x105bcb] # 0x7ffff7f67b90
0x00007ffff7e61fc5 <+2661>: call 0x7ffff7e5ea60 <malloc_printerr>
0x00007ffff7e61fca <+2666>: nop WORD PTR [rax+rax*1+0x0]
0x00007ffff7e61fd0 <+2672>: mov eax,edi
0x00007ffff7e61fd2 <+2674>: shl eax,0x6
0x00007ffff7e61fd5 <+2677>: add eax,0xc
0x00007ffff7e61fd8 <+2680>: lea rdx,[rbp+rax*8-0x10]
0x00007ffff7e61fdd <+2685>: mov eax,0x1
0x00007ffff7e61fe2 <+2690>: jmp 0x7ffff7e61cdc <_int_malloc+1916>
0x00007ffff7e61fe7 <+2695>: mov rdi,QWORD PTR [rsi+0x10]
0x00007ffff7e61feb <+2699>: jmp 0x7ffff7e61fb0 <_int_malloc+2640>
0x00007ffff7e61fed <+2701>: mov r13,rbx
0x00007ffff7e61ff0 <+2704>: shr r13,0x6
0x00007ffff7e61ff4 <+2708>: cmp rbx,0xc3f
0x00007ffff7e61ffb <+2715>: ja 0x7ffff7e620e8 <_int_malloc+2952>
0x00007ffff7e62001 <+2721>: lea eax,[r13+0x30]
0x00007ffff7e62005 <+2725>: mov DWORD PTR [rsp+0x8],eax
0x00007ffff7e62009 <+2729>: jmp 0x7ffff7e617de <_int_malloc+638>
0x00007ffff7e6200e <+2734>: mov r14,QWORD PTR [r13+0x8]
0x00007ffff7e62012 <+2738>: mov r12,r8
0x00007ffff7e62015 <+2741>: and r14,0xfffffffffffffff8
0x00007ffff7e62019 <+2745>: cmp r14,rbx
0x00007ffff7e6201c <+2748>: jb 0x7ffff7e623df <_int_malloc+3711>
0x00007ffff7e62022 <+2754>: mov rcx,r14
0x00007ffff7e62025 <+2757>: mov rdi,r13
0x00007ffff7e62028 <+2760>: sub rcx,rbx
0x00007ffff7e6202b <+2763>: mov QWORD PTR [rsp],rcx
0x00007ffff7e6202f <+2767>: call 0x7ffff7e5f270 <unlink_chunk>
0x00007ffff7e62034 <+2772>: mov rcx,QWORD PTR [rsp]
0x00007ffff7e62038 <+2776>: cmp rcx,0x1f
0x00007ffff7e6203c <+2780>: jbe 0x7ffff7e6212e <_int_malloc+3022>
0x00007ffff7e62042 <+2786>: mov rax,QWORD PTR [rbp+0x70]
0x00007ffff7e62046 <+2790>: movq xmm4,r15
0x00007ffff7e6204b <+2795>: lea rdx,[r13+rbx*1+0x0]
0x00007ffff7e62050 <+2800>: movq xmm0,rax
0x00007ffff7e62055 <+2805>: punpcklqdq xmm0,xmm4
0x00007ffff7e62059 <+2809>: cmp QWORD PTR [rax+0x18],r15
0x00007ffff7e6205d <+2813>: jne 0x7ffff7e621f2 <_int_malloc+3218>
0x00007ffff7e62063 <+2819>: movups XMMWORD PTR [rdx+0x10],xmm0
0x00007ffff7e62067 <+2823>: mov QWORD PTR [rbp+0x70],rdx
0x00007ffff7e6206b <+2827>: mov QWORD PTR [rax+0x18],rdx
0x00007ffff7e6206f <+2831>: cmp rbx,0x3ff
0x00007ffff7e62076 <+2838>: ja 0x7ffff7e6207c <_int_malloc+2844>
0x00007ffff7e62078 <+2840>: mov QWORD PTR [rbp+0x68],rdx
0x00007ffff7e6207c <+2844>: cmp rcx,0x3ff
0x00007ffff7e62083 <+2851>: jbe 0x7ffff7e6208d <_int_malloc+2861>
0x00007ffff7e62085 <+2853>: pxor xmm0,xmm0
0x00007ffff7e62089 <+2857>: movups XMMWORD PTR [rdx+0x20],xmm0
0x00007ffff7e6208d <+2861>: lea rax,[rip+0x13cbec] # 0x7ffff7f9ec80 <main_arena>
0x00007ffff7e62094 <+2868>: cmp rbp,rax
0x00007ffff7e62097 <+2871>: setne al
0x00007ffff7e6209a <+2874>: movzx eax,al
0x00007ffff7e6209d <+2877>: shl rax,0x2
0x00007ffff7e620a1 <+2881>: or rax,rbx
0x00007ffff7e620a4 <+2884>: or rax,0x1
0x00007ffff7e620a8 <+2888>: mov QWORD PTR [r13+0x8],rax
0x00007ffff7e620ac <+2892>: mov rax,rcx
0x00007ffff7e620af <+2895>: or rax,0x1
0x00007ffff7e620b3 <+2899>: mov QWORD PTR [rdx+0x8],rax
0x00007ffff7e620b7 <+2903>: mov QWORD PTR [r13+r14*1+0x0],rcx
0x00007ffff7e620bc <+2908>: mov eax,DWORD PTR [rip+0x1433fa] # 0x7ffff7fa54bc <perturb_byte>
0x00007ffff7e620c2 <+2914>: lea rcx,[r13+0x10]
0x00007ffff7e620c6 <+2918>: test eax,eax
0x00007ffff7e620c8 <+2920>: je 0x7ffff7e61a22 <_int_malloc+1218>
0x00007ffff7e620ce <+2926>: xor al,0xff
0x00007ffff7e620d0 <+2928>: mov rdi,rcx
0x00007ffff7e620d3 <+2931>: mov rdx,r12
0x00007ffff7e620d6 <+2934>: mov esi,eax
0x00007ffff7e620d8 <+2936>: call 0x7ffff7df1310 <*ABS*+0x9bb40@plt>
0x00007ffff7e620dd <+2941>: mov rcx,rax
0x00007ffff7e620e0 <+2944>: jmp 0x7ffff7e61a22 <_int_malloc+1218>
0x00007ffff7e620e5 <+2949>: nop DWORD PTR [rax]
0x00007ffff7e620e8 <+2952>: mov r13,rbx
0x00007ffff7e620eb <+2955>: shr r13,0x9
0x00007ffff7e620ef <+2959>: cmp rbx,0x29ff
0x00007ffff7e620f6 <+2966>: ja 0x7ffff7e62105 <_int_malloc+2981>
0x00007ffff7e620f8 <+2968>: lea eax,[r13+0x5b]
0x00007ffff7e620fc <+2972>: mov DWORD PTR [rsp+0x8],eax
0x00007ffff7e62100 <+2976>: jmp 0x7ffff7e617de <_int_malloc+638>
0x00007ffff7e62105 <+2981>: mov r13,rbx
0x00007ffff7e62108 <+2984>: shr r13,0xc
0x00007ffff7e6210c <+2988>: cmp rbx,0xafff
0x00007ffff7e62113 <+2995>: ja 0x7ffff7e62179 <_int_malloc+3097>
0x00007ffff7e62115 <+2997>: lea eax,[r13+0x6e]
0x00007ffff7e62119 <+3001>: mov DWORD PTR [rsp+0x8],eax
0x00007ffff7e6211d <+3005>: jmp 0x7ffff7e617de <_int_malloc+638>
0x00007ffff7e62122 <+3010>: lea rdi,[rip+0x1001ab] # 0x7ffff7f622d4
0x00007ffff7e62129 <+3017>: call 0x7ffff7e5ea60 <malloc_printerr>
0x00007ffff7e6212e <+3022>: lea rax,[rip+0x13cb4b] # 0x7ffff7f9ec80 <main_arena>
0x00007ffff7e62135 <+3029>: or QWORD PTR [r13+r14*1+0x8],0x1
0x00007ffff7e6213b <+3035>: cmp rbp,rax
0x00007ffff7e6213e <+3038>: je 0x7ffff7e620bc <_int_malloc+2908>
0x00007ffff7e62144 <+3044>: or QWORD PTR [r13+0x8],0x4
0x00007ffff7e62149 <+3049>: jmp 0x7ffff7e620bc <_int_malloc+2908>
=> 0x00007ffff7e6214e <+3054>: lea rdi,[rip+0x1059fb] # 0x7ffff7f67b50
0x00007ffff7e62155 <+3061>: call 0x7ffff7e5ea60 <malloc_printerr>
0x00007ffff7e6215a <+3066>: lea rcx,[rip+0x105f4f] # 0x7ffff7f680b0 <__PRETTY_FUNCTION__.7>
0x00007ffff7e62161 <+3073>: mov edx,0x10b4
0x00007ffff7e62166 <+3078>: lea rsi,[rip+0x100007] # 0x7ffff7f62174
0x00007ffff7e6216d <+3085>: lea rdi,[rip+0x100157] # 0x7ffff7f622cb
0x00007ffff7e62174 <+3092>: call 0x7ffff7e001a0 <__libc_assert_fail>
0x00007ffff7e62179 <+3097>: mov r13,rbx
0x00007ffff7e6217c <+3100>: shr r13,0xf
0x00007ffff7e62180 <+3104>: cmp rbx,0x27fff
0x00007ffff7e62187 <+3111>: ja 0x7ffff7e621c6 <_int_malloc+3174>
0x00007ffff7e62189 <+3113>: lea eax,[r13+0x77]
0x00007ffff7e6218d <+3117>: mov DWORD PTR [rsp+0x8],eax
0x00007ffff7e62191 <+3121>: jmp 0x7ffff7e617de <_int_malloc+638>
0x00007ffff7e62196 <+3126>: lea r10,[r11+0x10]
0x00007ffff7e6219a <+3130>: mov rax,QWORD PTR fs:[r14]
0x00007ffff7e6219e <+3134>: mov rcx,QWORD PTR [rax+r10*8]
0x00007ffff7e621a2 <+3138>: test cl,0xf
0x00007ffff7e621a5 <+3141>: jne 0x7ffff7e621e6 <_int_malloc+3206>
0x00007ffff7e621a7 <+3143>: mov rdx,rcx
0x00007ffff7e621aa <+3146>: shr rdx,0xc
0x00007ffff7e621ae <+3150>: xor rdx,QWORD PTR [rcx]
0x00007ffff7e621b1 <+3153>: mov QWORD PTR [rax+r10*8],rdx
0x00007ffff7e621b5 <+3157>: sub WORD PTR [rax+r11*2],0x1
0x00007ffff7e621bb <+3163>: xor eax,eax
0x00007ffff7e621bd <+3165>: mov QWORD PTR [rcx+0x8],rax
0x00007ffff7e621c1 <+3169>: jmp 0x7ffff7e61a22 <_int_malloc+1218>
0x00007ffff7e621c6 <+3174>: mov r13,rbx
0x00007ffff7e621c9 <+3177>: mov eax,0x2
0x00007ffff7e621ce <+3182>: shr r13,0x12
0x00007ffff7e621d2 <+3186>: cmp r13,rax
0x00007ffff7e621d5 <+3189>: cmova r13,rax
0x00007ffff7e621d9 <+3193>: lea eax,[r13+0x7c]
0x00007ffff7e621dd <+3197>: mov DWORD PTR [rsp+0x8],eax
0x00007ffff7e621e1 <+3201>: jmp 0x7ffff7e617de <_int_malloc+638>
0x00007ffff7e621e6 <+3206>: lea rdi,[rip+0x1059db] # 0x7ffff7f67bc8
0x00007ffff7e621ed <+3213>: call 0x7ffff7e5ea60 <malloc_printerr>
0x00007ffff7e621f2 <+3218>: lea rdi,[rip+0x105a57] # 0x7ffff7f67c50
0x00007ffff7e621f9 <+3225>: call 0x7ffff7e5ea60 <malloc_printerr>
0x00007ffff7e621fe <+3230>: mov r13,QWORD PTR [rdx+0x28]
0x00007ffff7e62202 <+3234>: mov r12,r8
0x00007ffff7e62205 <+3237>: jmp 0x7ffff7e6220b <_int_malloc+3243>
0x00007ffff7e62207 <+3239>: mov r13,QWORD PTR [r13+0x28]
0x00007ffff7e6220b <+3243>: mov rdx,QWORD PTR [r13+0x8]
0x00007ffff7e6220f <+3247>: mov r14,rdx
0x00007ffff7e62212 <+3250>: and r14,0xfffffffffffffff8
0x00007ffff7e62216 <+3254>: cmp r14,rbx
0x00007ffff7e62219 <+3257>: jb 0x7ffff7e62207 <_int_malloc+3239>
0x00007ffff7e6221b <+3259>: cmp QWORD PTR [rax+0x8],r13
0x00007ffff7e6221f <+3263>: je 0x7ffff7e6222d <_int_malloc+3277>
0x00007ffff7e62221 <+3265>: mov rax,QWORD PTR [r13+0x10]
0x00007ffff7e62225 <+3269>: cmp rdx,QWORD PTR [rax+0x8]
0x00007ffff7e62229 <+3273>: cmove r13,rax
0x00007ffff7e6222d <+3277>: mov rcx,r14
0x00007ffff7e62230 <+3280>: mov rdi,r13
0x00007ffff7e62233 <+3283>: sub rcx,rbx
0x00007ffff7e62236 <+3286>: mov QWORD PTR [rsp],rcx
0x00007ffff7e6223a <+3290>: call 0x7ffff7e5f270 <unlink_chunk>
0x00007ffff7e6223f <+3295>: mov rcx,QWORD PTR [rsp]
0x00007ffff7e62243 <+3299>: cmp rcx,0x1f
0x00007ffff7e62247 <+3303>: jbe 0x7ffff7e6240a <_int_malloc+3754>
0x00007ffff7e6224d <+3309>: mov rax,QWORD PTR [rbp+0x70]
0x00007ffff7e62251 <+3313>: movq xmm3,r15
0x00007ffff7e62256 <+3318>: lea rdx,[r13+rbx*1+0x0]
0x00007ffff7e6225b <+3323>: movq xmm0,rax
0x00007ffff7e62260 <+3328>: punpcklqdq xmm0,xmm3
0x00007ffff7e62264 <+3332>: cmp QWORD PTR [rax+0x18],r15
0x00007ffff7e62268 <+3336>: jne 0x7ffff7e623fe <_int_malloc+3742>
0x00007ffff7e6226e <+3342>: movups XMMWORD PTR [rdx+0x10],xmm0
0x00007ffff7e62272 <+3346>: mov QWORD PTR [rbp+0x70],rdx
0x00007ffff7e62276 <+3350>: mov QWORD PTR [rax+0x18],rdx
0x00007ffff7e6227a <+3354>: cmp rcx,0x3ff
0x00007ffff7e62281 <+3361>: jbe 0x7ffff7e6228b <_int_malloc+3371>
0x00007ffff7e62283 <+3363>: pxor xmm0,xmm0
0x00007ffff7e62287 <+3367>: movups XMMWORD PTR [rdx+0x20],xmm0
0x00007ffff7e6228b <+3371>: lea rax,[rip+0x13c9ee] # 0x7ffff7f9ec80 <main_arena>
0x00007ffff7e62292 <+3378>: cmp rbp,rax
0x00007ffff7e62295 <+3381>: setne al
0x00007ffff7e62298 <+3384>: movzx eax,al
0x00007ffff7e6229b <+3387>: shl rax,0x2
0x00007ffff7e6229f <+3391>: or rax,rbx
0x00007ffff7e622a2 <+3394>: or rax,0x1
0x00007ffff7e622a6 <+3398>: mov QWORD PTR [r13+0x8],rax
0x00007ffff7e622aa <+3402>: mov rax,rcx
0x00007ffff7e622ad <+3405>: or rax,0x1
0x00007ffff7e622b1 <+3409>: mov QWORD PTR [rdx+0x8],rax
0x00007ffff7e622b5 <+3413>: mov QWORD PTR [r13+r14*1+0x0],rcx
0x00007ffff7e622ba <+3418>: lea rcx,[r13+0x10]
0x00007ffff7e622be <+3422>: mov rdi,rcx
0x00007ffff7e622c1 <+3425>: mov rsi,r12
0x00007ffff7e622c4 <+3428>: mov QWORD PTR [rsp],rcx
0x00007ffff7e622c8 <+3432>: call 0x7ffff7e5eba0 <alloc_perturb>
0x00007ffff7e622cd <+3437>: mov rcx,QWORD PTR [rsp]
0x00007ffff7e622d1 <+3441>: jmp 0x7ffff7e61a22 <_int_malloc+1218>
0x00007ffff7e622d6 <+3446>: lea rdi,[rdx+rbx*1]
0x00007ffff7e622da <+3450>: sub rax,rbx
0x00007ffff7e622dd <+3453>: mov r12,r8
0x00007ffff7e622e0 <+3456>: movq xmm0,rdi
0x00007ffff7e622e5 <+3461>: mov QWORD PTR [rbp+0x78],rdi
0x00007ffff7e622e9 <+3465>: punpcklqdq xmm0,xmm0
0x00007ffff7e622ed <+3469>: movups XMMWORD PTR [rbp+0x68],xmm0
0x00007ffff7e622f1 <+3473>: movq xmm0,r15
0x00007ffff7e622f6 <+3478>: punpcklqdq xmm0,xmm0
0x00007ffff7e622fa <+3482>: movups XMMWORD PTR [rdi+0x10],xmm0
0x00007ffff7e622fe <+3486>: cmp rax,0x3ff
0x00007ffff7e62304 <+3492>: jbe 0x7ffff7e6230e <_int_malloc+3502>
0x00007ffff7e62306 <+3494>: pxor xmm0,xmm0
0x00007ffff7e6230a <+3498>: movups XMMWORD PTR [rdi+0x20],xmm0
0x00007ffff7e6230e <+3502>: lea rcx,[rip+0x13c96b] # 0x7ffff7f9ec80 <main_arena>
0x00007ffff7e62315 <+3509>: cmp rbp,rcx
0x00007ffff7e62318 <+3512>: setne cl
0x00007ffff7e6231b <+3515>: movzx ecx,cl
0x00007ffff7e6231e <+3518>: shl rcx,0x2
0x00007ffff7e62322 <+3522>: or rcx,rbx
0x00007ffff7e62325 <+3525>: or rcx,0x1
0x00007ffff7e62329 <+3529>: mov QWORD PTR [rdx+0x8],rcx
0x00007ffff7e6232d <+3533>: mov rcx,rax
0x00007ffff7e62330 <+3536>: or rcx,0x1
0x00007ffff7e62334 <+3540>: mov QWORD PTR [rdi+0x8],rcx
0x00007ffff7e62338 <+3544>: lea rcx,[rdx+0x10]
0x00007ffff7e6233c <+3548>: mov QWORD PTR [rsi],rax
0x00007ffff7e6233f <+3551>: jmp 0x7ffff7e622be <_int_malloc+3422>
0x00007ffff7e62344 <+3556>: lea rcx,[rip+0x105d65] # 0x7ffff7f680b0 <__PRETTY_FUNCTION__.7>
0x00007ffff7e6234b <+3563>: mov edx,0x1013
0x00007ffff7e62350 <+3568>: lea rsi,[rip+0xffe1d] # 0x7ffff7f62174
0x00007ffff7e62357 <+3575>: lea rdi,[rip+0xfff56] # 0x7ffff7f622b4
0x00007ffff7e6235e <+3582>: call 0x7ffff7e001a0 <__libc_assert_fail>
0x00007ffff7e62363 <+3587>: lea rdx,[rip+0x13c916] # 0x7ffff7f9ec80 <main_arena>
0x00007ffff7e6236a <+3594>: lea rsi,[rcx+rbx*1]
0x00007ffff7e6236e <+3598>: mov r12,r8
0x00007ffff7e62371 <+3601>: cmp rbp,rdx
0x00007ffff7e62374 <+3604>: mov QWORD PTR [rbp+0x60],rsi
0x00007ffff7e62378 <+3608>: setne dl
0x00007ffff7e6237b <+3611>: sub rax,rbx
0x00007ffff7e6237e <+3614>: add rcx,0x10
0x00007ffff7e62382 <+3618>: movzx edx,dl
0x00007ffff7e62385 <+3621>: or rax,0x1
0x00007ffff7e62389 <+3625>: shl rdx,0x2
0x00007ffff7e6238d <+3629>: or rdx,rbx
0x00007ffff7e62390 <+3632>: or rdx,0x1
0x00007ffff7e62394 <+3636>: mov QWORD PTR [rcx-0x8],rdx
0x00007ffff7e62398 <+3640>: mov QWORD PTR [rsi+0x8],rax
0x00007ffff7e6239c <+3644>: jmp 0x7ffff7e622be <_int_malloc+3422>
0x00007ffff7e623a1 <+3649>: mov rsi,rbp
0x00007ffff7e623a4 <+3652>: mov rdi,rbx
0x00007ffff7e623a7 <+3655>: mov r12,r8
0x00007ffff7e623aa <+3658>: call 0x7ffff7e60d20 <sysmalloc>
0x00007ffff7e623af <+3663>: mov rcx,rax
0x00007ffff7e623b2 <+3666>: test rax,rax
0x00007ffff7e623b5 <+3669>: jne 0x7ffff7e622be <_int_malloc+3422>
0x00007ffff7e623bb <+3675>: jmp 0x7ffff7e61a22 <_int_malloc+1218>
0x00007ffff7e623c0 <+3680>: lea rcx,[rip+0x105ce9] # 0x7ffff7f680b0 <__PRETTY_FUNCTION__.7>
0x00007ffff7e623c7 <+3687>: mov edx,0x100f
0x00007ffff7e623cc <+3692>: lea rsi,[rip+0xffda1] # 0x7ffff7f62174
0x00007ffff7e623d3 <+3699>: lea rdi,[rip+0xffeda] # 0x7ffff7f622b4
0x00007ffff7e623da <+3706>: call 0x7ffff7e001a0 <__libc_assert_fail>
0x00007ffff7e623df <+3711>: lea rcx,[rip+0x105cca] # 0x7ffff7f680b0 <__PRETTY_FUNCTION__.7>
0x00007ffff7e623e6 <+3718>: mov edx,0x10c7
0x00007ffff7e623eb <+3723>: lea rsi,[rip+0xffd82] # 0x7ffff7f62174
0x00007ffff7e623f2 <+3730>: lea rdi,[rip+0x105827] # 0x7ffff7f67c20
0x00007ffff7e623f9 <+3737>: call 0x7ffff7e001a0 <__libc_assert_fail>
0x00007ffff7e623fe <+3742>: lea rdi,[rip+0x1057f3] # 0x7ffff7f67bf8
0x00007ffff7e62405 <+3749>: call 0x7ffff7e5ea60 <malloc_printerr>
0x00007ffff7e6240a <+3754>: lea rax,[rip+0x13c86f] # 0x7ffff7f9ec80 <main_arena>
0x00007ffff7e62411 <+3761>: or QWORD PTR [r13+r14*1+0x8],0x1
0x00007ffff7e62417 <+3767>: cmp rbp,rax
0x00007ffff7e6241a <+3770>: je 0x7ffff7e622ba <_int_malloc+3418>
0x00007ffff7e62420 <+3776>: or QWORD PTR [r13+0x8],0x4
0x00007ffff7e62425 <+3781>: jmp 0x7ffff7e622ba <_int_malloc+3418>
0x00007ffff7e6242a <+3786>: lea rcx,[rip+0x105c7f] # 0x7ffff7f680b0 <__PRETTY_FUNCTION__.7>
0x00007ffff7e62431 <+3793>: mov edx,0x1002
0x00007ffff7e62436 <+3798>: lea rsi,[rip+0xffd37] # 0x7ffff7f62174
0x00007ffff7e6243d <+3805>: lea rdi,[rip+0xffe55] # 0x7ffff7f62299
0x00007ffff7e62444 <+3812>: call 0x7ffff7e001a0 <__libc_assert_fail>
End of assembler dump.

1.


文章作者: q1ming
版权声明: 本博客所有文章除特別声明外,均采用 CC BY 4.0 许可协议。转载请注明来源 q1ming !