IDA pseudocode analysis
After an MQTT client connects to the broker successfully, it usually subscribes to its topics right away.
IDA decompiled an MQTT client; I located the subscribe portion of the pseudocode and set out to reproduce the exact set of topics the code subscribes to.
The relevant IDA pseudocode is as follows
A rough reading shows that 0x18 (24) topics are subscribed here. Each topic is built from one of 8 "base topic" strings with a specific suffix appended.
From lines 258 and 268 of the pseudocode, the 8 base topic strings can be worked out.
Reproducing the pseudocode
Starting from sample/MQTTAsync_subscribe.c, the code used in my earlier blog post, I modified it to do what the pseudocode does.
When setting the connection options, change
conn_opts.onSuccess = onConnect;
to
conn_opts.onSuccess = OnConnect_subscribemany_24;
Then write the OnConnect_subscribemany_24 connect-success callback.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "MQTTAsync.h"

/* onSubscribe is the subscribe-success callback already defined in
   sample/MQTTAsync_subscribe.c; it is reused here unchanged. */
void OnConnect_subscribemany_24(void* context, MQTTAsync_successData* response)
{
    MQTTAsync c = (MQTTAsync)context;
    MQTTAsync_responseOptions opts = MQTTAsync_responseOptions_initializer;
    int rc;
    /* the 8 "base topic" strings recovered from pseudocode lines 258 and 268 */
    const char *MsgType[8] = {
        "VEHICLE_0*",
        "VEHICLE_1*",
        "VEHICLE_2*",
        "VEHICLE_3*",
        "VEHICLE_4*",
        "VEHICLE_5*",
        "VEHICLE_6*",
        "VEHICLE_7*",
    };
    char type2[80];
    char type3[80];
    char suffix_2[15];
    char** topics;

    topics = (char**)malloc(sizeof(char*) * 24); // allocate 0x18 (24) rows for the topic table
    for (int i = 0; i < 24; ++i)
    {   // allocate a 0x32 (50) byte slot for each topic
        topics[i] = (char*)malloc(sizeof(char) * 50);
    }
    strcpy(suffix_2, "/SP_1234/");
    for (int j = 0; j != 24; j += 3)
    {
        int k = j / 3;
        strcpy(type2, MsgType[k]);
        memcpy(&type2[strlen(type2)], "/123/", 6); // VEHICLE_*/123/ (6 bytes also copies the terminating NUL)
        strcpy(type3, MsgType[k]);
        strcat(type3, suffix_2);                   // VEHICLE_*/SP_1234/
        strcpy(topics[j], MsgType[k]);             // v3[j] is VEHICLE_*
        strcpy(topics[j + 1], type2);              // v3[j+1] is VEHICLE_*/123/
        strcpy(topics[j + 2], type3);              // v3[j+2] is VEHICLE_*/SP_1234/
    }
    int qoss[24];
    for (int i = 0; i < 24; i++)
    {
        qoss[i] = 0;
    }
    printf("subscribemany ,all the 24 topics are:\n");
    for (int i = 0; i < 24; i++)
    {
        printf("%d topic:%s, qoss:%d\n", i + 1, topics[i], qoss[i]);
    }
    printf("[OnConnect_subscribemany24]In connect onSuccess callback for client c, context %p\n", context);
    opts.onSuccess = onSubscribe;
    opts.context = c;
    rc = MQTTAsync_subscribeMany(c, 24, topics, qoss, &opts);
    if (rc != MQTTASYNC_SUCCESS)
        printf("fail to MQTTAsync_subscribeMany,return code %d\n", rc);
    else
        printf("Success to MQTTAsync_subscribeMany,return code %d\n", rc);
    /* MQTTAsync_subscribeMany copies the topic strings into its own command
       queue, so the local buffers can be released right away. */
    for (int i = 0; i < 24; i++)
        free(topics[i]);
    free(topics);
}
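As an added example (not the author's code and not part of Paho), the same 24-topic construction written as a stand-alone function that checks each topic against the 0x32-byte slot instead of copying blindly, together with an MQTT 3.1.1 topic-filter check. It shows that none of the reconstructed filters contains an MQTT wildcard ('+' or '#'), so the '*' in them is a literal character and the broker will only deliver messages published to exactly these names; "/123/" is taken over from the post as its placeholder suffix.

```c
#include <stdio.h>
#include <string.h>

#define N_BASE   8
#define N_SUFFIX 3
#define N_TOPICS (N_BASE * N_SUFFIX)  /* 0x18 = 24, as in the pseudocode */
#define SLOT_LEN 50                   /* the 0x32-byte slot malloc'd per topic */

/* Base topics recovered in the post; "/123/" is the post's placeholder suffix. */
static const char *BASE[N_BASE] = {
    "VEHICLE_0*", "VEHICLE_1*", "VEHICLE_2*", "VEHICLE_3*",
    "VEHICLE_4*", "VEHICLE_5*", "VEHICLE_6*", "VEHICLE_7*",
};
static const char *SUFFIX[N_SUFFIX] = { "", "/123/", "/SP_1234/" };

/* Build all 24 topics in the pseudocode's order (base, base+"/123/",
   base+"/SP_1234/"). Returns the longest length written, or -1 if any
   topic would not fit the 0x32-byte slot (the original strcpy never checks). */
int build_topics(char out[N_TOPICS][SLOT_LEN])
{
    int longest = 0;
    for (int k = 0; k < N_BASE; k++) {
        for (int s = 0; s < N_SUFFIX; s++) {
            int n = snprintf(out[k * N_SUFFIX + s], SLOT_LEN, "%s%s", BASE[k], SUFFIX[s]);
            if (n < 0 || n >= SLOT_LEN) return -1;  /* truncated: slot too small */
            if (n > longest) longest = n;
        }
    }
    return longest;
}

/* MQTT 3.1.1 topic-filter rules: non-empty, '+' must fill a whole level,
   '#' may only be the last level. '*' is not a wildcard in MQTT at all. */
int mqtt_filter_valid(const char *f)
{
    size_t len = strlen(f);
    if (len == 0) return 0;
    for (size_t i = 0; i < len; i++) {
        if (f[i] == '+') {
            int starts_level = (i == 0 || f[i - 1] == '/');
            int ends_level = (i + 1 == len || f[i + 1] == '/');
            if (!starts_level || !ends_level) return 0;
        } else if (f[i] == '#') {
            if (i + 1 != len || (i != 0 && f[i - 1] != '/')) return 0;
        }
    }
    return 1;
}
/* True if the broker would treat the filter as a pattern rather than a literal name. */
int mqtt_filter_has_wildcard(const char *f) { return strpbrk(f, "+#") != NULL; }
```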
Testing shows that all topics are subscribed successfully; the test log follows.
ubuntu@ip-172-*-*-20:~/soft/paho.mqtt.c-master/build/output/samples_in$ ./MQTTAsync_subscribe
[harry] test async subscribe Sucess to create client, return code 0
[harry]Success to set callbacks, return code 0
[harry]Sucess to start connect, return code 0
[harry]subscribemany ,all the 24 topics are:
1 topic:VEHICLE_0*, qoss:0
2 topic:VEHICLE_0*/123/, qoss:0
3 topic:VEHICLE_0*/SP_1234/, qoss:0
4 topic:VEHICLE_1*, qoss:0
5 topic:VEHICLE_1*/123/, qoss:0
6 topic:VEHICLE_1*/SP_1234/, qoss:0
7 topic:VEHICLE_2*, qoss:0
8 topic:VEHICLE_2*/123/, qoss:0
9 topic:VEHICLE_2*/SP_1234/, qoss:0
10 topic:VEHICLE_3*, qoss:0
11 topic:VEHICLE_3*/p2p/, qoss:0
12 topic:VEHICLE_3*/SP_1234/, qoss:0
13 topic:VEHICLE_4*, qoss:0
14 topic:VEHICLE_4*/123/, qoss:0
15 topic:VEHICLE_4*/SP_1234/, qoss:0
16 topic:VEHICLE_5*, qoss:0
17 topic:VEHICLE_5*/p2p/, qoss:0
18 topic:VEHICLE_5*/SP_1234/, qoss:0
19 topic:VEHICLE_6*, qoss:0
20 topic:VEHICLE_6*/123/, qoss:0
21 topic:VEHICLE_6*/SP_1234/, qoss:0
22 topic:VEHICLE_7*, qoss:0
23 topic:VEHICLE_7*/123/, qoss:0
24 topic:VEHICLE_7*/SP_1234/, qoss:0
[OnConnect_subscribemany24]In connect onSuccess callback for client c, context 0x55d5d0a37968
Sucess to MQTTAsync_subscribeMany,return code 0
In subscribe onSuccess callback for client d, 0x55d5d0a37968 granted qos -1275047528Message arrived
topic: VEHICLE_7*/SP_1234/
message: Hello World!
ubuntu@ip-172-*-*-20:~/soft/paho.mqtt.c-master/build/output/samples_out$ ./MQTTAsync_publish
test async publish[harry]Sucess to create client object, return code 0
Success to set callback, return code 0
Success to start connect, return code 0
Waiting for publication of Hello World!
on topic VEHICLE_*/SP_1234/ for client with ClientID: ExampleClientPub
Successful connection
Success to start sendMessage, return code 0
Message with token value 0 delivery confirmed
Successful disconnection