方法一,用mov,代码:
;hello_mov.asm -- print "Hello, world!\n" on stdout, then exit(0).
; Target: 32-bit Linux ELF (nasm -f elf / ld); syscalls via int 0x80 with
; eax = syscall number and ebx/ecx/edx = first three arguments.
; Variant 1: every register is loaded with a full `mov r32, imm32`.

SYS_EXIT    equ 1                     ; __NR_exit   (i386)
SYS_WRITE   equ 4                     ; __NR_write  (i386)
STDOUT      equ 1

section .data
msg     db  "Hello, world!", 0xA      ; newline-terminated message
len     equ $ - msg                   ; length computed by the assembler

section .text
global _start

_start:
        ; write(STDOUT, msg, len)
        mov     edx, len              ; count
        mov     ecx, msg              ; buf  -- absolute address of msg in .data
        mov     ebx, STDOUT           ; fd
        mov     eax, SYS_WRITE
        int     0x80
        ; exit(0)
        mov     ebx, 0                ; status
        mov     eax, SYS_EXIT
        int     0x80
方法二,用xor,代码:
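;hello_xor.asm -- same program as hello_mov.asm, written the way shellcode is:
; registers are zeroed with `xor r, r` (2 bytes, no 0x00 in the encoding) and
; small values go into the 8-bit sub-register (`mov r8, imm8`, 2 bytes) instead
; of `mov r32, imm32` (5 bytes, with 0x00 bytes for any value < 0x01000000 --
; a NUL terminates a C-string copy and truncates injected code).
; Target: 32-bit Linux ELF (nasm -f elf / ld); int 0x80, eax = nr, args ebx/ecx/edx.
;
; NOTE(review): this is still not drop-in shellcode -- `mov ecx, msg` embeds the
; absolute .data address of msg (b9 xx xx 04 08 in the objdump), so the bytes only
; work inside this executable at its linked address. Self-contained shellcode
; builds the string on the stack or obtains its address with jmp/call/pop.

SYS_EXIT    equ 1                     ; __NR_exit   (i386)
SYS_WRITE   equ 4                     ; __NR_write  (i386)
STDOUT      equ 1

section .data
msg     db  "Hello, world!", 0xA      ; newline-terminated message
len     equ $ - msg                   ; length computed by the assembler

section .text
global _start

_start:
        xor     eax, eax              ; 31 c0 -- zero the full registers first so
        xor     ebx, ebx              ; 31 db    that the 8-bit moves below leave
        xor     ecx, ecx              ; 31 c9    the upper 24 bits at zero
        xor     edx, edx              ; 31 d2
        ; write(STDOUT, msg, len)
        mov     dl, len               ; b2 0e
        mov     ecx, msg              ; b9 <abs addr>  (see NOTE above)
        mov     bl, STDOUT            ; b3 01
        mov     al, SYS_WRITE         ; b0 04
        int     0x80
        ; exit(0)
        ; The original used `mov bl, 0` here, which assembles to b3 00 -- a NUL
        ; byte, exactly what this variant exists to avoid. xor ebx,ebx (31 db)
        ; re-zeroes ebx (it still holds the fd) without one.
        xor     ebx, ebx              ; status = 0
        ; eax now holds write's return value (bytes written, or -errno on
        ; failure, e.g. stdout closed). `mov al, 1` alone only replaces the low
        ; byte, so on a negative return eax would become 0xffffff01 -- an invalid
        ; syscall number -- and execution would run off the end of .text.
        ; Re-zero eax before setting the low byte.
        xor     eax, eax
        mov     al, SYS_EXIT          ; b0 01
        int     0x80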
编译、链接后,再用 objdump 反汇编看一下两者的机器码:
[root@localhost shellcode]# nasm -f elf hello_mov.asm
[root@localhost shellcode]#
[root@localhost shellcode]# ld -o hello_mov hello_mov.o
[root@localhost shellcode]#
[root@localhost shellcode]#
[root@localhost shellcode]# ./hello_mov
Hello, world!
[root@localhost shellcode]# objdump -d hello_mov
hello_mov: file format elf32-i386
Disassembly of section .text:
08048080 <_start>:
8048080: ba 0e 00 00 00 mov $0xe,%edx
8048085: b9 a4 90 04 08 mov $0x80490a4,%ecx
804808a: bb 01 00 00 00 mov $0x1,%ebx
804808f: b8 04 00 00 00 mov $0x4,%eax
8048094: cd 80 int $0x80
8048096: bb 00 00 00 00 mov $0x0,%ebx
804809b: b8 01 00 00 00 mov $0x1,%eax
80480a0: cd 80 int $0x80
[root@localhost shellcode]#
[root@localhost shellcode]# nasm -f elf hello_xor.asm
[root@localhost shellcode]# ld -o hello_xor hello_xor.o
[root@localhost shellcode]# ./hello_xor
Hello, world!
[root@localhost shellcode]# objdump -d hello_xor
hello_xor: file format elf32-i386
Disassembly of section .text:
08048080 <_start>:
8048080: 31 c0 xor %eax,%eax
8048082: 31 db xor %ebx,%ebx
8048084: 31 c9 xor %ecx,%ecx
8048086: 31 d2 xor %edx,%edx
8048088: b2 0e mov $0xe,%dl
804808a: b9 9c 90 04 08 mov $0x804909c,%ecx
804808f: b3 01 mov $0x1,%bl
8048091: b0 04 mov $0x4,%al
8048093: cd 80 int $0x80
8048095: b3 00 mov $0x0,%bl
8048097: b0 01 mov $0x1,%al
8048099: cd 80 int $0x80
[root@localhost shellcode]#
对比两份反汇编:
mov ecx,0
编码为 5 个字节(对照上面 mov $0x0,%ebx 的 bb 00 00 00 00),而
xor ecx,ecx
只有 2 个字节(31 c9)。
所以,一般的 shellcode 里都用 xor eax,eax 代替 mov eax,0。不过尺寸不是主要原因:更关键的是 mov eax,0 的编码里带有 4 个 0x00 字节,而 shellcode 常常要经由 strcpy 之类按 C 字符串处理的路径注入,0x00 会被当成字符串结尾,后面的代码就被截断;xor 形式不含 0x00。按同样的标准看,上面 hello_xor 里最后的 mov bl,0 编码为 b3 00,仍然带一个 0x00,真正的 shellcode 会改用 xor ebx,ebx。另外 mov ecx,msg 写死了 .data 里的绝对地址(b9 9c 90 04 08),只在这个可执行文件里有效;独立的 shellcode 需要把字符串放到栈上,或用 jmp/call/pop 取得地址。