gdb 调试strip后的无符号程序

最新推荐文章于 2024-01-18 13:18:30 发布

xiaozhiwise

最新推荐文章于 2024-01-18 13:18:30 发布

阅读量677

点赞数

文章标签： c语言

本文链接：https://blog.csdn.net/xiaozhiwise/article/details/123835779

版权

#include <stdio.h>

/*
* 直接函数调用
*/

void func() ;

int main()
{
int a;

func();

a = 0x66;
func();

return 0;
}

void func()
{
int a;

a++;
}

#if 0

gcc -o 01-direct-call 01-direct-call.c
strip 01-direct-call

1.确定程序入口
readelf -h 01-direct-call
ELF Header:
Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class:                             ELF32
Data:                              2's complement, little endian
Version:                           1 (current)
OS/ABI:                            UNIX - System V
ABI Version:                       0
Type:                              EXEC (Executable file)
Machine:                           Intel 80386
Version:                           0x1
Entry point address:               0x80482f0
Start of program headers:          52 (bytes into file)
Start of section headers:          4412 (bytes into file)
Flags:                             0x0
Size of this header:               52 (bytes)
Size of program headers:           32 (bytes)
Number of program headers:         9
Size of section headers:           40 (bytes)
Number of section headers:         28
Section header string table index: 27

0x80482f0，只是 <.text> 的开始地址

2.gdb 01-direct-call
(gdb) disassemble 0x80482f0   // strip 后无法使用disassemble命令
No function contains specified address.
(gdb) x /20i 0x80482f0
   0x80482f0:   xor    %ebp,%ebp
   0x80482f2:   pop    %esi
   0x80482f3:   mov    %esp,%ecx
   0x80482f5:   and    $0xfffffff0,%esp
   0x80482f8:   push   %eax
   0x80482f9:   push   %esp
   0x80482fa:   push   %edx
   0x80482fb:   push   $0x80484a0
   0x8048300:   push   $0x8048430
   0x8048305:   push   %ecx
   0x8048306:   push   %esi
   0x8048307:   push   $0x8048400   // 入栈，传递给__libc_start_main，这才是main地址
   0x804830c:   call   0x80482e0 <__libc_start_main@plt>
   0x8048311:   hlt
   0x8048312:   xchg   %ax,%ax
   0x8048314:   xchg   %ax,%ax
   0x8048316:   xchg   %ax,%ax
   0x8048318:   xchg   %ax,%ax
   0x804831a:   xchg   %ax,%ax
   0x804831c:   xchg   %ax,%ax
(gdb) x /20i 0x8048400       // 但可以使用x命令查看
   0x8048400:   push   %ebp
   0x8048401:   mov    %esp,%ebp
   0x8048403:   and    $0xfffffff0,%esp
   0x8048406:   sub    $0x10,%esp
   0x8048409:   call   0x8048422
   0x804840e:   movl   $0x66,0xc(%esp)
   0x8048416:   call   0x8048422
   0x804841b:   mov    $0x0,%eax
   0x8048420:   leave
   0x8048421:   ret
   0x8048422:   push   %ebp
   0x8048423:   mov    %esp,%ebp
   0x8048425:   sub    $0x10,%esp
   0x8048428:   addl   $0x1,-0x4(%ebp)
   0x804842c:   leave
   0x804842d:   ret
   0x804842e:   xchg   %ax,%ax
   0x8048430:   push   %ebp
   0x8048431:   push   %edi
   0x8048432:   xor    %edi,%edi
(gdb) b *0x80482f0
Breakpoint 1 at 0x80482f0
(gdb) b *0x8048400
Breakpoint 2 at 0x8048400
(gdb) r
Starting program: /home/share/work/ac-code/reverse/secrets/first-edition/08-identify-high-languages/01-function/01-direct-call

Breakpoint 1, 0x080482f0 in ?? ()
(gdb) x /20i 0x80482f0
=> 0x80482f0:   xor    %ebp,%ebp   // 当前运行处
   0x80482f2:   pop    %esi
   0x80482f3:   mov    %esp,%ecx
   0x80482f5:   and    $0xfffffff0,%esp
   0x80482f8:   push   %eax
   0x80482f9:   push   %esp
   0x80482fa:   push   %edx
   0x80482fb:   push   $0x80484a0
   0x8048300:   push   $0x8048430
   0x8048305:   push   %ecx
   0x8048306:   push   %esi
   0x8048307:   push   $0x8048400
   0x804830c:   call   0x80482e0 <__libc_start_main@plt>
   0x8048311:   hlt
   0x8048312:   xchg   %ax,%ax
   0x8048314:   xchg   %ax,%ax
   0x8048316:   xchg   %ax,%ax
   0x8048318:   xchg   %ax,%ax
   0x804831a:   xchg   %ax,%ax
   0x804831c:   xchg   %ax,%ax
(gdb) c
Continuing.

Breakpoint 2, 0x08048400 in ?? ()
(gdb) x /20i 0x8048400
=> 0x8048400:   push   %ebp       // 当前运行处
   0x8048401:   mov    %esp,%ebp
   0x8048403:   and    $0xfffffff0,%esp
   0x8048406:   sub    $0x10,%esp
   0x8048409:   call   0x8048422
   0x804840e:   movl   $0x66,0xc(%esp)
   0x8048416:   call   0x8048422
   0x804841b:   mov    $0x0,%eax
   0x8048420:   leave
   0x8048421:   ret
   0x8048422:   push   %ebp
   0x8048423:   mov    %esp,%ebp
   0x8048425:   sub    $0x10,%esp
   0x8048428:   addl   $0x1,-0x4(%ebp)
   0x804842c:   leave
   0x804842d:   ret
   0x804842e:   xchg   %ax,%ax
   0x8048430:   push   %ebp
   0x8048431:   push   %edi
   0x8048432:   xor    %edi,%edi
(gdb) b *0x8048420
Breakpoint 3 at 0x8048420
(gdb) c
Continuing.

Breakpoint 3, 0x08048420 in ?? ()
(gdb) x /20i 0x8048400
   0x8048400:   push   %ebp
   0x8048401:   mov    %esp,%ebp
   0x8048403:   and    $0xfffffff0,%esp
   0x8048406:   sub    $0x10,%esp
   0x8048409:   call   0x8048422
   0x804840e:   movl   $0x66,0xc(%esp)
   0x8048416:   call   0x8048422
   0x804841b:   mov    $0x0,%eax
=> 0x8048420:   leave             // 当前运行处
   0x8048421:   ret
   0x8048422:   push   %ebp
   0x8048423:   mov    %esp,%ebp
   0x8048425:   sub    $0x10,%esp
   0x8048428:   addl   $0x1,-0x4(%ebp)
   0x804842c:   leave
   0x804842d:   ret
   0x804842e:   xchg   %ax,%ax
   0x8048430:   push   %ebp
   0x8048431:   push   %edi
   0x8048432:   xor    %edi,%edi
(gdb) x /20i 0x8048422           // main中调用的函数
   0x8048422:   push   %ebp
   0x8048423:   mov    %esp,%ebp
   0x8048425:   sub    $0x10,%esp
   0x8048428:   addl   $0x1,-0x4(%ebp)
   0x804842c:   leave
   0x804842d:   ret
   0x804842e:   xchg   %ax,%ax
   0x8048430:   push   %ebp
   0x8048431:   push   %edi
   0x8048432:   xor    %edi,%edi
   0x8048434:   push   %esi
   0x8048435:   push   %ebx
   0x8048436:   call   0x8048320
   0x804843b:   add    $0x1bc5,%ebx
   0x8048441:   sub    $0x1c,%esp
   0x8048444:   mov    0x30(%esp),%ebp
   0x8048448:   lea    -0xf4(%ebx),%esi
   0x804844e:   call   0x8048294
   0x8048453:   lea    -0xf8(%ebx),%eax
   0x8048459:   sub    %eax,%esi
(gdb) set disassemble-next-line auto   // 在后面的代码没有源码的情况下才反汇编后面要执行的代码
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/share/work/ac-code/reverse/secrets/first-edition/08-identify-high-languages/01-function/01-direct-call

Breakpoint 1, 0x080482f0 in ?? ()
=> 0x080482f0: 31 ed xor %ebp,%ebp
(gdb) c
Continuing.

Breakpoint 2, 0x08048400 in ?? ()
=> 0x08048400: 55 push %ebp
(gdb) set disassemble-next-line on // 自动反汇编后面要执行的代码
(gdb) s
Cannot find bounds of current function
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/share/work/ac-code/reverse/secrets/first-edition/08-identify-high-languages/01-function/01-direct-call

Breakpoint 1, 0x080482f0 in ?? ()
=> 0x080482f0: 31 ed xor %ebp,%ebp
(gdb) c
Continuing.

Breakpoint 2, 0x08048400 in ?? ()
=> 0x08048400: 55 push %ebp
(gdb) c
Continuing.

Breakpoint 3, 0x08048420 in ?? ()
=> 0x08048420: c9 leave
#endif

xiaozhiwise

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
gdb 调试strip后的无符号程序

#include <stdio.h>/** 直接函数调用*/void func() ;int main(){ int a; func(); a = 0x66; func(); return 0;}void func(){ int a; a++;}#if 0gcc -o 01-direct-call 01-direct-call.cstrip 01-direct-call1.确定程序入口r...
复制链接

扫一扫