https://www.ancii.com/database/30842.html
Microsoft has released SQL Server for Linux, but installation requires 3.5GB of memory, which keeps most cloud-host users from trying it. In this article I explain how to crack this memory limit. To see the key point, jump directly to the 6th step: only 4 bytes need to be replaced to break the limit.
First, follow the steps given by Microsoft to install and configure: https://docs.microsoft.com/zh-cn/sql/linux/sql-server-linux-setup-red-hat
This error appears when executing /opt/mssql/bin/sqlservr-setup
    sqlservr: This program requires a machine with at least 3250 megabytes of memory.
Find which file contains the error text
    # cd /opt/mssql/bin/
    # grep -irn "3250"
    # grep -irn "megabytes of memory"
    Binary file sqlpackage matches
    Binary file sqlpackage matches
    Binary file sqlservr matches
    # strings sqlservr | grep "megabytes of memory"
    %s: This program requires a machine with at least %zu megabytes of memory.
    # strings sqlpackage | grep "megabytes of memory"
    %s: This program requires a machine with at least %zu megabytes of memory.
It seems that both sqlservr and sqlpackage check this limit, and the limit is a constant.
Find the location of the error message
    # hexdump -C sqlservr | less
Find this place
    0006baf0  .. .. .. .. .. .. 25 73  3a 20 54 68 69 73 20 70  |......%s: This p|
    0006bb00  72 6f 67 72 61 6d 20 72  65 71 75 69 72 65 73 20  |rogram requires |
You can see that the message is located at 0x0006baf6.
Find the location where the error message is referenced
    # objdump -C -S sqlservr | less
Find this place
    23940: 48 8d 35 af 81 04 00    lea    0x481af(%rip),%rsi    # 6baf6
    23947: 31 c0                   xor    %eax,%eax
    23949: 48 89 ca                mov    %rcx,%rdx
    2394c: 48 89 d9                mov    %rbx,%rcx
    2394f: e8 6c e4 fe ff          callq  11dc0
    23954: bf 01 00 00 00          mov    $0x1,%edi
    23959: e8 e2 e1 fe ff          callq  11b40
The function that performs the check is here
    238e0: 55                      push   %rbp
    238e1: 48 89 e5                mov    %rsp,%rbp
    238e4: 53                      push   %rbx
    238e5: 48 83 ec 78             sub    $0x78,%rsp
    // The second parameter received by this function is placed in rbx
    // Reference: https://en.wikipedia.org/wiki/X86_calling_conventions (System V AMD64 ABI)
    238e9: 48 89 f3                mov    %rsi,%rbx
    // Call sysinfo to get the memory size
    // rdi is the first parameter, a struct sysinfo on the stack
    // Reference: https://linux.die.net/man/2/sysinfo
    238ec: 48 8d 7d 88             lea    -0x78(%rbp),%rdi
    238f0: e8 3b e3 fe ff          callq  11c30
    // The offsets are calculated as follows
    // -0x78: uptime (start address of struct sysinfo)
    // -0x70: loads[3]
    // -0x58: totalram
    // -0x50: freeram
    // -0x48: sharedram
    // -0x40: bufferram
    // -0x38: totalswap
    // -0x30: freeswap
    // -0x28: procs (why does a short take up 8 bytes? See https://en.wikipedia.org/wiki/Data_structure_alignment)
    // -0x20: totalhigh
    // -0x18: freehigh
    // -0x10: mem_unit (similarly, a 4-byte int aligned to 4 bytes)
    // Compute rax = totalram * mem_unit
    238f5: 8b 45 f0                mov    -0x10(%rbp),%eax
    238f8: 48 0f af 45 a8          imul   -0x58(%rbp),%rax
    // If rax is less than rbx, jump to 23909, that is, report insufficient memory and exit
    238fd: 48 39 d8                cmp    %rbx,%rax
    23900: 72 07                   jb     23909
    23902: 48 83 c4 78             add    $0x78,%rsp
    23906: 5b                      pop    %rbx
    23907: 5d                      pop    %rbp
    23908: c3                      retq
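The check at 238e0 can be reproduced in C, and `offsetof` confirms the frame offsets listed in the comments. This is an added example, not code from the original article or from Microsoft; the function names are hypothetical and a 64-bit Linux target is assumed.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/sysinfo.h>

/* lea -0x78(%rbp),%rdi: struct sysinfo starts at rbp-0x78 in the listing. */
#define FRAME_BASE (-0x78L)

/* Offset of a struct sysinfo member relative to %rbp in that frame. */
static long frame_off(size_t member_off)
{
    return FRAME_BASE + (long)member_off;
}

/* Total RAM in bytes, computed the way the listing does: totalram * mem_unit. */
static unsigned long long total_ram_bytes(void)
{
    struct sysinfo si;

    if (sysinfo(&si) != 0)
        return 0;                /* this example treats a failed call as 0 bytes */
    return (unsigned long long)si.totalram * si.mem_unit;
}

/* 1 if the check passes, 0 where the binary would take "jb 23909". */
static int passes_check(unsigned long long required)
{
    return total_ram_bytes() >= required;   /* unsigned compare, as jb is */
}

int main(void)
{
    long tr = frame_off(offsetof(struct sysinfo, totalram));
    long pr = frame_off(offsetof(struct sysinfo, procs));
    long mu = frame_off(offsetof(struct sysinfo, mem_unit));

    printf("totalram -0x%lx  procs -0x%lx  mem_unit -0x%lx\n",
           (unsigned long)-tr, (unsigned long)-pr, (unsigned long)-mu);
    printf("total RAM: %llu bytes\n", total_ram_bytes());
    printf("limit 3250000000: %s\n", passes_check(3250000000ULL) ? "pass" : "fail");
    printf("limit  512000000: %s\n", passes_check(512000000ULL) ? "pass" : "fail");
    return 0;
}
```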
The code that calls the check function is here
Here the second parameter is 3250000000; you can see that the memory limit value is a constant
    // 0xc1b71080 = 3250000000
    1486a: be 80 10 b7 c1          mov    $0xc1b71080,%esi
    1486f: 4c 89 e7                mov    %r12,%rdi
    14872: e8 69 f0 00 00          callq  238e0
Use hexdump to find how many places contain 80 10 b7 c1; the result is only one place
    00014860  .. .. .. .. .. .. .. ..  .. .. be 80 10 b7 c1 4c
    00014870  89 e7 e8 69 f0 00 00 ..  .. .. .. .. .. .. .. ..
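The operands in these listings can be resolved by hand: immediates and displacements are stored little-endian, and a call or RIP-relative displacement is added to the address of the next instruction. This is an added example, not code from the original article; the function names are hypothetical, and the byte arrays are constructed from the addresses and operands shown in the disassembly.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read a 32-bit little-endian value, as x86 stores immediates and displacements. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Target of an instruction whose last 4 bytes are a signed displacement
 * relative to the next instruction (call rel32, RIP-relative lea). */
static uint64_t rel32_target(uint64_t addr, const uint8_t *insn, size_t len)
{
    int32_t disp = (int32_t)le32(insn + len - 4);
    return addr + len + (uint64_t)(int64_t)disp;
}

/* Immediate of "mov $imm32,%esi" (opcode be); 0 if the opcode differs. */
static uint32_t mov_esi_imm(const uint8_t *insn)
{
    return insn[0] == 0xbe ? le32(insn + 1) : 0;
}

/* Constructed from the listings; the comment gives each instruction's address. */
static const uint8_t MOV_LIMIT[]  = { 0xbe, 0x80, 0x10, 0xb7, 0xc1 };             /* 1486a */
static const uint8_t MOV_SMALL[]  = { 0xbe, 0x00, 0x80, 0x84, 0x1e };             /* replacement value */
static const uint8_t CALL_CHECK[] = { 0xe8, 0x69, 0xf0, 0x00, 0x00 };             /* 14872 */
static const uint8_t LEA_MSG[]    = { 0x48, 0x8d, 0x35, 0xaf, 0x81, 0x04, 0x00 }; /* 23940 */
static const uint8_t CALL_PRINT[] = { 0xe8, 0x6c, 0xe4, 0xfe, 0xff };             /* 2394f */

int main(void)
{
    printf("limit immediate:   %u\n", mov_esi_imm(MOV_LIMIT));
    printf("smaller immediate: %u\n", mov_esi_imm(MOV_SMALL));
    printf("call at 14872 -> %llx\n",
           (unsigned long long)rel32_target(0x14872, CALL_CHECK, sizeof CALL_CHECK));
    printf("lea  at 23940 -> %llx\n",
           (unsigned long long)rel32_target(0x23940, LEA_MSG, sizeof LEA_MSG));
    printf("call at 2394f -> %llx\n",
           (unsigned long long)rel32_target(0x2394f, CALL_PRINT, sizeof CALL_PRINT));
    return 0;
}
```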
Use Python to modify the code: either change the jb condition or change 80 10 b7 c1. Here I change 80 10 b7 c1 to a smaller value, 00 80 84 1e (512M)
    # mv sqlservr sqlservr.old
    # python
    >>> # read the original binary as bytes
    >>> a = open("sqlservr.old", "rb").read()
    >>> # swap the little-endian limit constant for the smaller one
    >>> b = a.replace(b"\x80\x10\xb7\xc1", b"\x00\x80\x84\x1e")
    >>> open("sqlservr", "wb").write(b)
    >>> exit()
    # chmod +x sqlservr
You can go on to replace the limit value in sqlpackage as well, but it also works without replacing it.
Continue configuring SQL Server
    # /opt/mssql/bin/sqlservr-setup
    # systemctl status mssql-server
If you do not see the service start after executing the command, the previous configuration may not have succeeded; delete the MSSQL data folder and try again
    # rm -rf /var/opt/mssql
    # /opt/mssql/bin/sqlservr-setup
After a normal startup, you can see
    mssql-server.service - Microsoft(R) SQL Server(R) Database Engine
       Loaded: loaded (/usr/lib/systemd/system/mssql-server.service; enabled; vendor preset: disabled)
       Active: active (running) since Mon 2016-12-05 22:50:06 EST; 20s ago
     Main PID: 2625 (sqlservr)
       CGroup: /system.slice/mssql-server.service
               ├─2625 /opt/mssql/bin/sqlservr
               └─2638 /opt/mssql/bin/sqlservr
    Dec 05 22:50:10 localhost.localdomain sqlservr[2625]: 2016-12-06 03:50:10.85 spid17s Server is listening on [0.0.0.0...433].
    Dec 05 22:50:10 localhost.localdomain sqlservr[2625]: 2016-12-06 03:50:10.87 Server Server is listening on [127.0.0....434].
    Dec 05 22:50:10 localhost.localdomain sqlservr[2625]: 2016-12-06 03:50:10.89 Server Dedicated admin connection suppor...1434.
    Dec 05 22:50:10 localhost.localdomain sqlservr[2625]: 2016-12-06 03:50:10.89 spid17s SQL Server is now ready for clien...ired.
    Dec 05 22:50:11 localhost.localdomain sqlservr[2625]: 2016-12-06 03:50:11.77 spid6s Starting up database 'tempdb'.
    Dec 05 22:50:12 localhost.localdomain sqlservr[2625]: 2016-12-06 03:50:12.02 spid6s The tempdb database has 1 data file(s).
    Dec 05 22:50:12 localhost.localdomain sqlservr[2625]: 2016-12-06 03:50:12.02 spid20s The Service Broker endpoint is in ...tate.
    Dec 05 22:50:12 localhost.localdomain sqlservr[2625]: 2016-12-06 03:50:12.03 spid20s The Database Mirroring endpoint i...tate.
    Dec 05 22:50:12 localhost.localdomain sqlservr[2625]: 2016-12-06 03:50:12.09 spid20s Service Broker manager has started.
    Dec 05 22:50:12 localhost.localdomain sqlservr[2625]: 2016-12-06 03:50:12.14 spid5s Recovery is complete. This is a...ired.
    Hint: Some lines were ellipsized, use -l to show in full.
After a successful startup you can use the command-line tools provided by Microsoft, or connect with a client on Windows: https://docs.microsoft.com/zh-cn/sql/linux/sql-server-linux-setup-tools
This is MSSQL running on 2G of RAM.
The hack on Ubuntu is different, because Ubuntu runs a test program before installation; how to crack that will be explained in the next article.
Off Topic
- MSSQL for Linux has a date restriction and network authentication, and it is unlikely to be free after the official version is released
- MSSQL on Linux is compiled with the PIE option enabled and exports no symbol table, which makes tracing with gdb difficult, but this hack only needs static analysis
- The main body of MSSQL is packed inside /opt/mssql/lib/sqlservr.sfp, and it may take a while to study that file if you need to crack other restrictions.
Cracking the 3.5GB memory limit of the SQL Server for Linux preview (RHEL chapter) (repost)