#include <stdio.h>
/*
* 直接函数调用
*/
void func() ;           /* forward declaration; the definition follows main() below */
/*
 * Entry point of the sample.  Calls func() twice with a store to a
 * local in between, so the disassembly shows two direct `call`
 * instructions to the same target with one stack write between them
 * (`movl $0x66,0xc(%esp)` in the gdb transcript below).
 * Returns 0.  `a` is written but never read: the store is there only
 * to give main a recognisable body, not for its value.  The gcc line
 * in the notes below has no -O flag, so the dead store survives.
 */
int main()
{
int a;
func();                 /* first direct call */
a = 0x66;               /* dead store; marks the point between the two calls */
func();                 /* second direct call to the same address */
return 0;
}
/*
 * Minimal callee used as the target of the direct calls in main().
 * NOTE(review): `a` is read before it is ever assigned -- incrementing
 * an uninitialised local is undefined behaviour in C.  It is kept that
 * way here because the sample is about the shape of the callee
 * (prologue, one stack access, `leave`/`ret`), not the value of a;
 * the transcript below shows it compiled to `addl $0x1,-0x4(%ebp)`.
 * With optimisation enabled the compiler may drop the body entirely.
 */
void func()
{
int a;
a++;                    /* uninitialised increment; see note above */
}
#if 0
gcc -o 01-direct-call 01-direct-call.c
strip 01-direct-call
1.确定程序入口
readelf -h 01-direct-call
ELF Header:
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: Intel 80386
Version: 0x1
Entry point address: 0x80482f0
Start of program headers: 52 (bytes into file)
Start of section headers: 4412 (bytes into file)
Flags: 0x0
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 9
Size of section headers: 40 (bytes)
Number of section headers: 28
Section header string table index: 27
0x80482f0 只是 <.text> 的开始地址(启动代码),并不是 main 的地址
2.gdb 01-direct-call
(gdb) disassemble 0x80482f0 // strip 去掉符号后 gdb 找不到函数边界,无法使用 disassemble 命令
No function contains specified address.
(gdb) x /20i 0x80482f0
0x80482f0: xor %ebp,%ebp
0x80482f2: pop %esi
0x80482f3: mov %esp,%ecx
0x80482f5: and $0xfffffff0,%esp
0x80482f8: push %eax
0x80482f9: push %esp
0x80482fa: push %edx
0x80482fb: push $0x80484a0
0x8048300: push $0x8048430
0x8048305: push %ecx
0x8048306: push %esi
0x8048307: push $0x8048400 // 入栈,传递给__libc_start_main,这才是main地址
0x804830c: call 0x80482e0 <__libc_start_main@plt>
0x8048311: hlt
0x8048312: xchg %ax,%ax
0x8048314: xchg %ax,%ax
0x8048316: xchg %ax,%ax
0x8048318: xchg %ax,%ax
0x804831a: xchg %ax,%ax
0x804831c: xchg %ax,%ax
(gdb) x /20i 0x8048400 // 但可以使用x命令查看
0x8048400: push %ebp
0x8048401: mov %esp,%ebp
0x8048403: and $0xfffffff0,%esp
0x8048406: sub $0x10,%esp
0x8048409: call 0x8048422
0x804840e: movl $0x66,0xc(%esp)
0x8048416: call 0x8048422
0x804841b: mov $0x0,%eax
0x8048420: leave
0x8048421: ret
0x8048422: push %ebp
0x8048423: mov %esp,%ebp
0x8048425: sub $0x10,%esp
0x8048428: addl $0x1,-0x4(%ebp)
0x804842c: leave
0x804842d: ret
0x804842e: xchg %ax,%ax
0x8048430: push %ebp
0x8048431: push %edi
0x8048432: xor %edi,%edi
(gdb) b *0x80482f0
Breakpoint 1 at 0x80482f0
(gdb) b *0x8048400
Breakpoint 2 at 0x8048400
(gdb) r
Starting program: /home/share/work/ac-code/reverse/secrets/first-edition/08-identify-high-languages/01-function/01-direct-call
Breakpoint 1, 0x080482f0 in ?? ()
(gdb) x /20i 0x80482f0
=> 0x80482f0: xor %ebp,%ebp // 当前运行处
0x80482f2: pop %esi
0x80482f3: mov %esp,%ecx
0x80482f5: and $0xfffffff0,%esp
0x80482f8: push %eax
0x80482f9: push %esp
0x80482fa: push %edx
0x80482fb: push $0x80484a0
0x8048300: push $0x8048430
0x8048305: push %ecx
0x8048306: push %esi
0x8048307: push $0x8048400
0x804830c: call 0x80482e0 <__libc_start_main@plt>
0x8048311: hlt
0x8048312: xchg %ax,%ax
0x8048314: xchg %ax,%ax
0x8048316: xchg %ax,%ax
0x8048318: xchg %ax,%ax
0x804831a: xchg %ax,%ax
0x804831c: xchg %ax,%ax
(gdb) c
Continuing.
Breakpoint 2, 0x08048400 in ?? ()
(gdb) x /20i 0x8048400
=> 0x8048400: push %ebp // 当前运行处
0x8048401: mov %esp,%ebp
0x8048403: and $0xfffffff0,%esp
0x8048406: sub $0x10,%esp
0x8048409: call 0x8048422
0x804840e: movl $0x66,0xc(%esp)
0x8048416: call 0x8048422
0x804841b: mov $0x0,%eax
0x8048420: leave
0x8048421: ret
0x8048422: push %ebp
0x8048423: mov %esp,%ebp
0x8048425: sub $0x10,%esp
0x8048428: addl $0x1,-0x4(%ebp)
0x804842c: leave
0x804842d: ret
0x804842e: xchg %ax,%ax
0x8048430: push %ebp
0x8048431: push %edi
0x8048432: xor %edi,%edi
(gdb) b *0x8048420
Breakpoint 3 at 0x8048420
(gdb) c
Continuing.
Breakpoint 3, 0x08048420 in ?? ()
(gdb) x /20i 0x8048400
0x8048400: push %ebp
0x8048401: mov %esp,%ebp
0x8048403: and $0xfffffff0,%esp
0x8048406: sub $0x10,%esp
0x8048409: call 0x8048422
0x804840e: movl $0x66,0xc(%esp)
0x8048416: call 0x8048422
0x804841b: mov $0x0,%eax
=> 0x8048420: leave // 当前运行处
0x8048421: ret
0x8048422: push %ebp
0x8048423: mov %esp,%ebp
0x8048425: sub $0x10,%esp
0x8048428: addl $0x1,-0x4(%ebp)
0x804842c: leave
0x804842d: ret
0x804842e: xchg %ax,%ax
0x8048430: push %ebp
0x8048431: push %edi
0x8048432: xor %edi,%edi
(gdb) x /20i 0x8048422 // main中调用的函数
0x8048422: push %ebp
0x8048423: mov %esp,%ebp
0x8048425: sub $0x10,%esp
0x8048428: addl $0x1,-0x4(%ebp)
0x804842c: leave
0x804842d: ret
0x804842e: xchg %ax,%ax
0x8048430: push %ebp
0x8048431: push %edi
0x8048432: xor %edi,%edi
0x8048434: push %esi
0x8048435: push %ebx
0x8048436: call 0x8048320
0x804843b: add $0x1bc5,%ebx
0x8048441: sub $0x1c,%esp
0x8048444: mov 0x30(%esp),%ebp
0x8048448: lea -0xf4(%ebx),%esi
0x804844e: call 0x8048294
0x8048453: lea -0xf8(%ebx),%eax
0x8048459: sub %eax,%esi
(gdb) set disassemble-next-line auto // 在后面的代码没有源码的情况下才反汇编后面要执行的代码
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/share/work/ac-code/reverse/secrets/first-edition/08-identify-high-languages/01-function/01-direct-call
Breakpoint 1, 0x080482f0 in ?? ()
=> 0x080482f0: 31 ed xor %ebp,%ebp
(gdb) c
Continuing.
Breakpoint 2, 0x08048400 in ?? ()
=> 0x08048400: 55 push %ebp
(gdb) set disassemble-next-line on // 自动反汇编后面要执行的代码
(gdb) s
Cannot find bounds of current function // strip 后没有函数边界信息,s 无法按源码行单步(可改用 si 按指令单步)
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/share/work/ac-code/reverse/secrets/first-edition/08-identify-high-languages/01-function/01-direct-call
Breakpoint 1, 0x080482f0 in ?? ()
=> 0x080482f0: 31 ed xor %ebp,%ebp
(gdb) c
Continuing.
Breakpoint 2, 0x08048400 in ?? ()
=> 0x08048400: 55 push %ebp
(gdb) c
Continuing.
Breakpoint 3, 0x08048420 in ?? ()
=> 0x08048420: c9 leave
#endif