Linux experiment: disassemble a binary to find a variable's address, then use gdb to modify that variable in the running process's memory

Prepare the sample file:

a.c

#include <stdio.h>
#include <unistd.h>

/* Two initialised globals: they live in the .data section, which makes them
   easy to locate in the disassembly below. */
unsigned int a = 0xFFFFFFFF;
unsigned int b = 0xEEEEEEEE;

int main(void)
{
        /* Print both values once per second forever, so any change to them
           becomes visible immediately. */
        while (1) {
                printf("%x, %x\n", a, b);
                sleep(1);
        }
        return 0;
}

Compile the executable:

gcc -g a.c

Running a.out prints:

$ ./a.out 
ffffffff, eeeeeeee
ffffffff, eeeeeeee
ffffffff, eeeeeeee
ffffffff, eeeeeeee
ffffffff, eeeeeeee

Start analysing variable a

1. Disassemble a.out with objdump

$ objdump -D a.out > a.S

2. Look at the disassembly of main

0000000000400586 <main>:
  400586:       55                      push   %rbp
  400587:       48 89 e5                mov    %rsp,%rbp
  40058a:       8b 15 b0 0a 20 00       mov    0x200ab0(%rip),%edx        # 601040 <b>
  400590:       8b 05 a6 0a 20 00       mov    0x200aa6(%rip),%eax        # 60103c <a>
  400596:       89 c6                   mov    %eax,%esi
  400598:       bf 50 06 40 00          mov    $0x400650,%edi
  40059d:       b8 00 00 00 00          mov    $0x0,%eax
  4005a2:       e8 a9 fe ff ff          callq  400450 <printf@plt>
  4005a7:       bf 01 00 00 00          mov    $0x1,%edi
  4005ac:       e8 cf fe ff ff          callq  400480 <sleep@plt>
  4005b1:       eb d7                   jmp    40058a <main+0x4>
  4005b3:       66 2e 0f 1f 84 00 00    nopw   %cs:0x0(%rax,%rax,1)
  4005ba:       00 00 00 
  4005bd:       0f 1f 00                nopl   (%rax)

Or look directly at the .data section

Disassembly of section .data:

0000000000601038 <__data_start>:
  601038:       00 00                   add    %al,(%rax)
        ...

000000000060103c <a>:
  60103c:       ff                      (bad)
  60103d:       ff                      (bad)
  60103e:       ff                      (bad)
  60103f:       ff                      (bad)

0000000000601040 <b>:
  601040:       ee                      out    %al,(%dx)
  601041:       ee                      out    %al,(%dx)
  601042:       ee                      out    %al,(%dx)
  601043:       ee                      out    %al,(%dx)

This gives the address of variable a: 60103c
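The two places the address can be read from in the dump above are related: the `# 60103c <a>` annotation on the `mov` instruction is derived from its RIP-relative displacement, and the `<a>:` label in the .data section shows the same address together with the variable's bytes. The script below is an added example, not part of the original post; it parses a copy of those dump lines (embedded as constructed sample text so it runs offline), resolves each RIP-relative operand by hand (address of the next instruction plus displacement), cross-checks the result against the .data labels, and decodes the dumped bytes as the little-endian `unsigned int` values the program prints. The function names are my own.

```python
import re

# Constructed sample: the relevant lines of the objdump -D output quoted above,
# embedded here so the script runs without the binary.
OBJDUMP_SAMPLE = """\
0000000000400586 <main>:
  400586:       55                      push   %rbp
  400587:       48 89 e5                mov    %rsp,%rbp
  40058a:       8b 15 b0 0a 20 00       mov    0x200ab0(%rip),%edx        # 601040 <b>
  400590:       8b 05 a6 0a 20 00       mov    0x200aa6(%rip),%eax        # 60103c <a>
  400596:       89 c6                   mov    %eax,%esi

Disassembly of section .data:

000000000060103c <a>:
  60103c:       ff                      (bad)
  60103d:       ff                      (bad)
  60103e:       ff                      (bad)
  60103f:       ff                      (bad)

0000000000601040 <b>:
  601040:       ee                      out    %al,(%dx)
  601041:       ee                      out    %al,(%dx)
  601042:       ee                      out    %al,(%dx)
  601043:       ee                      out    %al,(%dx)
"""

SYMBOL_RE = re.compile(r"^([0-9a-f]+) <([^>]+)>:\s*$")
INSN_RE = re.compile(r"^\s*([0-9a-f]+):\s+((?:[0-9a-f]{2}\s)+)\s*(.*?)\s*$")
RIPREL_RE = re.compile(r"(-?0x[0-9a-f]+)\(%rip\)")


def parse_objdump(text):
    """Walk objdump -D output and return three things:
    symbols: label name -> address of the label (e.g. 'a' -> 0x60103c)
    data:    label name -> the raw bytes dumped under that label, in address order
    riprefs: list of (instruction address, resolved RIP-relative target address)
    """
    symbols, data, riprefs = {}, {}, []
    current = None
    for line in text.splitlines():
        m = SYMBOL_RE.match(line)
        if m:
            current = m.group(2)
            symbols[current] = int(m.group(1), 16)
            data[current] = bytearray()
            continue
        m = INSN_RE.match(line)
        if not m or current is None:
            continue
        addr = int(m.group(1), 16)
        raw = bytes.fromhex("".join(m.group(2).split()))
        data[current] += raw
        rip = RIPREL_RE.search(m.group(3))
        if rip:
            # x86-64 RIP-relative addressing is relative to the *next* instruction,
            # so the target is this instruction's address + its length + displacement.
            riprefs.append((addr, addr + len(raw) + int(rip.group(1), 16)))
    return symbols, data, riprefs


def variable_value(data, name, size=4):
    """Decode the first `size` bytes dumped under a label as a little-endian integer,
    i.e. the value a C `unsigned int` holds on x86-64."""
    return int.from_bytes(bytes(data[name][:size]), "little")


def rip_targets_by_symbol(text):
    """Map each RIP-relative instruction to the symbol its resolved target names.
    The result should agree with the '# 60103c <a>' annotations objdump prints."""
    symbols, _, riprefs = parse_objdump(text)
    by_addr = {addr: name for name, addr in symbols.items()}
    return {insn: by_addr.get(target, hex(target)) for insn, target in riprefs}


if __name__ == "__main__":
    symbols, data, _ = parse_objdump(OBJDUMP_SAMPLE)
    for name in ("a", "b"):
        print(f"{name} @ {symbols[name]:#x} = {variable_value(data, name):#x}")
    for insn, sym in rip_targets_by_symbol(OBJDUMP_SAMPLE).items():
        print(f"insn {insn:#x} references {sym}")
```

The addresses here are absolute only because a.out was linked as a non-PIE executable (code at 0x400586, data at 0x60103c); for a position-independent binary the same dump gives offsets that must be added to the load base of the running process before they can be used in gdb.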

3. Get the process id:

$ ps aux | grep a.out
yeqiang  22726  0.0  0.0   4172   688 pts/10   S+   17:00   0:00 ./a.out

4. Attach gdb to the process and modify the memory directly

$ gdb -p 22726
GNU gdb (GDB) Fedora 7.9.1-20.fc22
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
Attaching to process 22726
Reading symbols from /tmp/a.out...done.
Reading symbols from /lib64/libc.so.6...Reading symbols from /usr/lib/debug/usr/lib64/libc-2.21.so.debug...done.
done.
Reading symbols from /lib64/ld-linux-x86-64.so.2...Reading symbols from /usr/lib/debug/usr/lib64/ld-2.21.so.debug...done.
done.
0x00007fd7f0192d20 in __nanosleep_nocancel ()
    at ../sysdeps/unix/syscall-template.S:81
81	T_PSEUDO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
(gdb) p/x *0x60103c
$3 = 0xffffffff
(gdb) set *0x60103c=1
(gdb) c
Continuing.
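What `p/x *0x60103c` and `set *0x60103c=1` do in the session above (gdb types a bare `*address` as `int`, so the write is exactly 4 bytes) can be reproduced through the kernel's /proc/<pid>/mem interface, which is one of the mechanisms debuggers use. The script below is an added example, not from the original post, and it deliberately patches a variable inside its own process rather than attaching to another one: a ctypes-backed `unsigned int` stands in for the program's `a`, and `ctypes.addressof` supplies the address that objdump supplied on this page. The `read_u32`, `write_u32` and `demo` helpers are my own.

```python
import ctypes
import os
import struct

# Constructed stand-in for the target: the same start value the page's variable `a` has.
INITIAL_VALUE = 0xFFFFFFFF


def read_u32(pid, addr):
    """Read a 4-byte little-endian unsigned int from a process's memory,
    the equivalent of gdb's `p/x *addr` for an int-sized object."""
    fd = os.open(f"/proc/{pid}/mem", os.O_RDONLY)
    try:
        raw = os.pread(fd, 4, addr)
    finally:
        os.close(fd)
    return struct.unpack("<I", raw)[0]


def write_u32(pid, addr, value):
    """Overwrite 4 bytes of a process's memory, the equivalent of gdb's
    `set *addr=value`, which also writes exactly 4 bytes."""
    fd = os.open(f"/proc/{pid}/mem", os.O_RDWR)
    try:
        written = os.pwrite(fd, struct.pack("<I", value), addr)
    finally:
        os.close(fd)
    return written == 4


def demo():
    """Patch a variable in our own process and return (value before, value after)."""
    var = ctypes.c_uint(INITIAL_VALUE)   # plays the role of `a`; ctypes owns the 4 bytes
    addr = ctypes.addressof(var)         # plays the role of the 0x60103c found with objdump
    pid = os.getpid()
    before = read_u32(pid, addr)
    write_u32(pid, addr, 1)
    # Read the result back through ordinary memory access, not /proc, to prove the
    # write landed where the program itself will read it.
    return before, var.value


if __name__ == "__main__":
    before, after = demo()
    print(f"before: {before:#x}, after: {after:#x}")
```

A process may always open its own /proc/self/mem; for any other pid the kernel applies the same ptrace access check that `gdb -p` is subject to, so the attach in step 4 succeeds only for a dumpable process of the same user (or with CAP_SYS_PTRACE), and with Yama's ptrace_scope set to 1 even a same-user attach to an unrelated process is refused with "Operation not permitted". Because a.out was built with `-g` and gdb loaded its symbols, `set var a = 1` would have had the same effect as the raw-address write, with gdb resolving the address and the type for you.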


5. Observe the program output:

ffffffff, eeeeeeee
ffffffff, eeeeeeee
ffffffff, eeeeeeee
ffffffff, eeeeeeee
ffffffff, eeeeeeee
ffffffff, eeeeeeee
1, eeeeeeee
1, eeeeeeee
1, eeeeeeee
1, eeeeeeee
1, eeeeeeee
1, eeeeeeee
1, eeeeeeee
1, eeeeeeee
1, eeeeeeee

Done.
