Date: 2014-05-16
Now that the patterns above are understood, let's go back and solve the problem posed at the start of this chapter:
(gdb) bt
#0  0x4365b569 in vfprintf () from /lib/libc.so.6
#1  0x436629ff in printf () from /lib/libc.so.6
#2  0x080485b9 in main ()
Let's look at the assembly of main:
(gdb) disassemble main
Dump of assembler code for function main:
   0x08048500 <+0>:     push   %ebp
   0x08048501 <+1>:     mov    %esp,%ebp
   0x08048503 <+3>:     and    $0xfffffff0,%esp
   0x08048506 <+6>:     sub    $0x20,%esp
   0x08048509 <+9>:     movl   $0x0,0x1c(%esp)
   0x08048511 <+17>:    jmp    0x80485bf <main+191>
   0x08048516 <+22>:    mov    0x1c(%esp),%eax
   0x0804851a <+26>:    lea    0x0(,%eax,4),%edx
   0x08048521 <+33>:    mov    0xc(%ebp),%eax
   0x08048524 <+36>:    add    %edx,%eax
   0x08048526 <+38>:    mov    (%eax),%eax
   0x08048528 <+40>:    mov    %eax,(%esp)
   0x0804852b <+43>:    call   0x80483d0 <strlen@plt>
   0x08048530 <+48>:    mov    %eax,0x18(%esp)
   0x08048534 <+52>:    mov    0x18(%esp),%eax
   0x08048538 <+56>:    cmp    $0x1,%eax
   0x0804853b <+59>:    je     0x8048570 <main+112>
   0x0804853d <+61>:    cmp    $0x2,%eax
   0x08048540 <+64>:    je     0x804858f <main+143>
   0x08048542 <+66>:    test   %eax,%eax
   0x08048544 <+68>:    jne    0x80485a5 <main+165>
   0x08048546 <+70>:    mov    0x1c(%esp),%eax
   0x0804854a <+74>:    lea    0x0(,%eax,4),%edx
   0x08048551 <+81>:    mov    0xc(%ebp),%eax
   0x08048554 <+84>:    add    %edx,%eax
   0x08048556 <+86>:    mov    (%eax),%eax
   0x08048558 <+88>:    movzbl (%eax),%eax
   0x0804855b <+91>:    movsbl %al,%eax
   0x0804855e <+94>:    mov    %eax,0x4(%esp)
   0x08048562 <+98>:    movl   $0x8048674,(%esp)
   0x08048569 <+105>:   call   0x80483e0 <printf@plt>
   0x0804856e <+110>:   jmp    0x80485ba <main+186>
   0x08048570 <+112>:   mov    0x1c(%esp),%eax
   0x08048574 <+116>:   add    $0x1,%eax
   0x08048577 <+119>:   lea    0x0(,%eax,4),%edx
   0x0804857e <+126>:   mov    0xc(%ebp),%eax
   0x08048581 <+129>:   add    %edx,%eax
   0x08048583 <+131>:   mov    (%eax),%eax
   0x08048585 <+133>:   mov    %eax,(%esp)
   0x08048588 <+136>:   call   0x80483f0 <puts@plt>
   0x0804858d <+141>:   jmp    0x80485ba <main+186>
   0x0804858f <+143>:   mov    0x1c(%esp),%eax
   0x08048593 <+147>:   mov    %eax,0x4(%esp)
   0x08048597 <+151>:   movl   $0x8048678,(%esp)
   0x0804859e <+158>:   call   0x80483e0 <printf@plt>
   0x080485a3 <+163>:   jmp    0x80485ba <main+186>
   0x080485a5 <+165>:   mov    0x1c(%esp),%eax
   0x080485a9 <+169>:   mov    %eax,0x4(%esp)
   0x080485ad <+173>:   movl   $0x804867c,(%esp)
   0x080485b4 <+180>:   call   0x80483e0 <printf@plt>
   0x080485b9 <+185>:   nop
   0x080485ba <+186>:   addl   $0x1,0x1c(%esp)
   0x080485bf <+191>:   mov    0x1c(%esp),%eax
   0x080485c3 <+195>:   cmp    0x8(%ebp),%eax
   0x080485c6 <+198>:   setl   %al
   0x080485c9 <+201>:   test   %al,%al
   0x080485cb <+203>:   jne    0x8048516 <main+22>
   0x080485d1 <+209>:   mov    $0x0,%eax
   0x080485d6 <+214>:   leave
   0x080485d7 <+215>:   ret
End of assembler dump.
From
0x080485cb <+203>: jne 0x8048516 <main+22>
we can see that 0x8048516 through 0x080485cb form a loop; its counter lives at 0x1c(%esp), which is initialised to 0 at <+9>.
The loop condition evaluated before 0x080485cb is:
0x080485bf <+191>: mov 0x1c(%esp),%eax
0x080485c3 <+195>: cmp 0x8(%ebp),%eax
0x080485c6 <+198>: setl %al
0x080485c9 <+201>: test
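To make the control flow concrete, here is a hand reconstruction of main in C, written for this page as an added example; it is not the program's original source. Everything in it is read off the disassembly above: 0x8(%ebp) and 0xc(%ebp) are argc and argv in a 32-bit cdecl frame, 0x1c(%esp) is the loop counter, 0x18(%esp) holds the strlen result, and the compare chain at <+56>..<+68> is a switch on that length. The three format strings at 0x8048674, 0x8048678 and 0x804867c are not visible in the dump, so the FMT_* literals are placeholders (an assumption), and with them the reconstruction does not reproduce the crash. The second helper, call_site_for_return, is a hypothetical name added here: it maps a backtrace return address to the call it follows (a near call rel32 is 5 bytes), which is how frame #2's 0x080485b9 is pinned to the printf call at <+180>, the default arm of the switch.

```c
/* Added example (not the original program's source): a hand reconstruction of
 * main() from the disassembly above, plus a helper that maps a backtrace
 * return address back to the call instruction it follows.
 * Assumption: the format strings at 0x8048674, 0x8048678 and 0x804867c are
 * not in the dump, so FMT_* are placeholders; with them this reconstruction
 * does not reproduce the crash inside vfprintf. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Arms of the switch on strlen(argv[i]); the compare chain at <+56>..<+68>
 * tests for 1, then 2, then "not 0", and otherwise falls into the len==0 arm. */
enum branch { BR_LEN0 = 0, BR_LEN1, BR_LEN2, BR_DEFAULT };

enum branch branch_for_len(size_t len)
{
    if (len == 1) return BR_LEN1;     /* <+56> cmp $0x1 / je  <main+112> */
    if (len == 2) return BR_LEN2;     /* <+61> cmp $0x2 / je  <main+143> */
    if (len != 0) return BR_DEFAULT;  /* <+66> test     / jne <main+165> */
    return BR_LEN0;                   /* falls through to <main+70>      */
}

/* Placeholder format strings (assumption; the real ones are not in the dump). */
#define FMT_LEN0    "len 0: first byte %d\n"  /* 0x8048674, arg: argv[i][0] */
#define FMT_LEN2    "len 2: i = %d\n"         /* 0x8048678, arg: i          */
#define FMT_DEFAULT "other: i = %d\n"         /* 0x804867c, arg: i          */

/* Loop recovered from <main+9>..<main+203>: 0x1c(%esp) is i, 0x18(%esp) is
 * len, 0x8(%ebp) is argc and 0xc(%ebp) is argv (32-bit cdecl frame). */
int reconstructed_main(int argc, char **argv)
{
    int i;
    for (i = 0; i < argc; i++) {            /* <+191>..<+203>: cmp/setl/jne */
        size_t len = strlen(argv[i]);       /* <+43> call strlen@plt        */
        switch (branch_for_len(len)) {
        case BR_LEN0:                       /* movzbl then movsbl: sign-extended char */
            printf(FMT_LEN0, (int)(signed char)argv[i][0]);
            break;
        case BR_LEN1:                       /* <+116> add $0x1: reads argv[i+1], which
                                               is the NULL terminator when i == argc-1 */
            puts(argv[i + 1]);
            break;
        case BR_LEN2:
            printf(FMT_LEN2, i);
            break;
        default:                            /* call at <+180>; its return address
                                               <+185> = 0x080485b9 is frame #2 in bt */
            printf(FMT_DEFAULT, i);
            break;
        }
    }
    return 0;                               /* <+209> mov $0x0,%eax */
}

/* The five call instructions in main, copied from the dump.  A near
 * "call rel32" is 5 bytes, so a frame's return address is call_addr + 5. */
struct call_site { uint32_t addr; const char *target; };
static const struct call_site main_calls[] = {
    { 0x0804852b, "strlen@plt" },
    { 0x08048569, "printf@plt" },   /* len == 0 arm */
    { 0x08048588, "puts@plt"   },   /* len == 1 arm */
    { 0x0804859e, "printf@plt" },   /* len == 2 arm */
    { 0x080485b4, "printf@plt" },   /* default arm  */
};

/* Address of the call that return address `ret` follows, or 0 if it is not
 * one of main's calls.  Hypothetical helper name, added for this example. */
uint32_t call_site_for_return(uint32_t ret)
{
    for (size_t k = 0; k < sizeof main_calls / sizeof main_calls[0]; k++)
        if (main_calls[k].addr + 5 == ret)
            return main_calls[k].addr;
    return 0;
}

/* Runs the reconstruction on a constructed argv that exercises every arm;
 * the one-byte argument is not last, so puts(argv[i+1]) never reads NULL. */
int run_constructed_sample(void)
{
    char *argv[] = { "prog", "a", "xy", "", "long-argument", NULL };
    return reconstructed_main(5, argv);
}

int main(void)
{
    uint32_t site = call_site_for_return(0x080485b9);   /* frame #2 from bt */
    printf("frame #2 returns to the call at 0x%08x (default arm)\n", site);
    return run_constructed_sample();
}
```

The point of the second helper is the habit it encodes: a backtrace frame shows where execution will return to, not where the call is, so the faulting printf is the one whose call instruction ends at the reported address. Here that is unambiguous because 0x080485b9 is the nop at <+185> right after the call at <+180>.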