zoukankan      html  css  js  c++  java

  • 反汇编测试

    反汇编测试

    可先参考以下链接了解一下有关函数栈、EIP、EBP、ESP寄存器的作用:https://www.k2zone.cn/?p=1911

    编译C语言代码:

    .file   "week03031231.c"
        .text
        .globl  g
        .type   g, @function
    g:
    .LFB0:
        .cfi_startproc
        endbr64
        pushq   %rbp
        .cfi_def_cfa_offset 16
        .cfi_offset 6, -16
        movq    %rsp, %rbp
        .cfi_def_cfa_register 6
        movl    %edi, -4(%rbp)
        movl    -4(%rbp), %eax
        addl    $3, %eax
        popq    %rbp
        .cfi_def_cfa 7, 8
        ret
        .cfi_endproc
    .LFE0:
        .size   g, .-g
        .globl  f
        .type   f, @function
    f:
    .LFB1:
        .cfi_startproc
        endbr64
        pushq   %rbp
        .cfi_def_cfa_offset 16
        .cfi_offset 6, -16
        movq    %rsp, %rbp
        .cfi_def_cfa_register 6
        subq    $24, %rsp
        movl    %edi, -20(%rbp)
        movl    $31, -4(%rbp)
        movl    -20(%rbp), %eax
        movl    %eax, %edi
        call    g
        movl    -4(%rbp), %edx
        addl    %edx, %eax
        leave
        .cfi_def_cfa 7, 8
        ret
        .cfi_endproc
    .LFE1:
        .size   f, .-f
        .globl  main
        .type   main, @function
    main:
    .LFB2:
        .cfi_startproc
        endbr64
        pushq   %rbp
        .cfi_def_cfa_offset 16
        .cfi_offset 6, -16
        movq    %rsp, %rbp
        .cfi_def_cfa_register 6
        movl    $8, %edi
        call    f
        addl    $1, %eax
        popq    %rbp
        .cfi_def_cfa 7, 8
        ret
        .cfi_endproc
    .LFE2:
        .size   main, .-main
        .ident  "GCC: (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0"
        .section    .note.GNU-stack,"",@progbits
        .section    .note.gnu.property,"a"
        .align 8
        .long    1f - 0f
        .long    4f - 1f
        .long    5
    0:
        .string  "GNU"
    1:
        .align 8
        .long    0xc0000002
        .long    3f - 2f
    2:
        .long    0x3
    3:
        .align 8
    4:

    使用gdb跟踪汇编代码

    • 使用gcc - g week03031231.c -o week03031231 -m32指令在64位的机器上产生32位汇编,然后使用gdb week03031231指令进入gdb调试器:

    • 发现报错,经上网查询得到:

    输入以下命令:

    sudo apt-get install gcc-multilib
    sudo apt-get install g++-multilib

    安装完成之后,再次运行发现成功了,

    准备工作来方便记录

    通过gdb main 命令进入gdb调试:

    经查询esp始终指向栈顶,ebp是在堆栈中寻址用的

    首先,结合display命令和寄存器或pc内部变量,做如下设置:display /i $pc,这样在每次执行下一条汇编语句时,都会显示出当前执行的语句。下面展示每一步时%esp、%ebp和堆栈内容的变化:

    call指令将下一条指令的地址入栈,此时%esp,%ebp和堆栈的值为:

    将上一个函数的基址入栈,从当前%esp开始作为新基址:

    f函数的汇编代码:

    实参入栈:

     

    call指令将下一条指令的地址入栈:

    计算short+int:

    pop %ebp指令将栈顶弹到%ebp中,同时%esp增加4字节:

    ret指令将栈顶弹给%eip:

    因为函数f修改了%esp,所以用leave指令恢复。leave指令先将%esp对其到%ebp,然后把栈顶弹给%ebp:

     

    主函数汇编代码:

     

     

     

    通过一步一步调试,我记录了每一步运行时esp、ebp、eip、eax的变化

    指令espebpeaxeip堆栈
    endbr32 0xffffd03c 0x0 0xf7fb5808 0x565561f3 0x0
    push %ebp 0xffffd03c 0x0 0xf7fb5808 0x565561f7 0xf7deaee5 0x1
    mov %esp,%ebp 0xffffd038 0xffffd038 0xf7fb5808 0x565561fa 0x0 0xf7deaee5 0x1
    call 0x56556213 0xffffd034 0xffffd038 0xf7fb5808 0x56556213 0x1 0x0 0xffffd0d4 0xf7deaee5
    mov (%esp),%eax 0xffffd034 0xffffd038 0xf7fb5808 0x56556213 0x565561ff 0x0 0xf7deaee5 0x1
    ret 0xffffd034 0xffffd038 0x565561ff 0x56556216 0x0 0xf7deaee5 0x1 0xffffd0d4 0xffffd0dc
    add $0x2ddd,%eax 0xffffd038 0xffffd038 0x565561ff 0x565561ff 0x0 0xf7deaee5 0x1 0xffffd0d4 0xffffd0dc
    call 0x565561c6 0xffffd034 0xffffd038 0x56558fdc 0x56556206 0x8 0x0 0xf7deaee5 0x1 0xffffd0d4 0xffffd0dc 0xffff
    endbr32 0xffffd030 0xffffd038 0x56558fdc 0x565561c6 0x5655620b <main+24> 0x8 0x0 0xf7deaee5 0x1 0xffffd0d4 0xffffd0dc
    push %ebp 0xffffd030 0xffffd038 0x56558fdc 0x565561ca 0x5655620b <main+24> 0x8 0x0 0xf7deaee5 0x1 0xffffd0d4 0xffffd0dc
    mov %esp,%ebp 0xffffd02c 0xffffd038 0x56558fdc 0x565561cb 0xffffd038 0x5655620b <main+24> 0x8 0x0 0xf7deaee5 0x1
    sub $0x10,%esp 0xffffd02c 0xffffd02c 0x56558fdc 0x565561cd 0xffffd038 0x5655620b <main+24> 0x8 0x0 0xf7deaee5
    call 0x56556213 0xffffd01c 0xffffd02c 0x56558fdc 0x565561d0 0x56556241 <__libc_csu_init+33> 0xf7fe22d0 0x0
    mov (%esp),%eax 0xffffd108 0xffffd02c 0x56558fdc 0x56556213 0xffffd438 0xffffd461
    ret 0xffffd108 0xffffd02c 0x565561d5 0x56556216 0x565561d5
    add $0x2e07,%eax 0xffffd01c 0xffffd02c 0x565561d5 0x565561d5 0x56556241 <__libc_csu_init+33> 0xf7fe22d0 0x0 0x0 0xffffd038 0x5655620b <main+24> 0x8 0x0
    movl $ox1f,-0x4(%ebp) 0xffffd01c 0xffffd02c 0x56558fdc 0x565561da 0x56556241 <__libc_csu_init+33> 0xf7fe22d0 0x0 0x0 0xffffd038 0x5655620b <main+24>
    pushl 0x8(%ebp) 0xffffd01c 0xffffd02c 0x56558fdc 0x565561e1 x56556241 <__libc_csu_init+33> 0xf7fe22d0 0x0 0x1f 0xffffd038 0x5655620b <main+24>
    call 0x565561ad 0xffffd018 0xffffd02c 0x56558fdc 0x565561e4 0x8 0x56556241 <__libc_csu_init+33> 0xf7fe22d0 0x0 0x1f 0xffffd038 0x5655620b <main+24>
    endbr32 0xffffd014 0xffffd02c 0x56558fdc 0x56558fdc  
    push %ebp 0xffffd014 0xffffd02c 0x56558fdc 0x565561b1  
    mov %esp,%esp 0xffffd010 0xffffd010 0x56558fdc 0x565561b4  
    ......          
    add $0x3,%eax 0xfffd010 0xffffd010 0x8 0x565561c1  
    pop %ebp 0xffffd010 0xffffd010 0xb 0x565561c4  
    ret 0xffffd014 0xffffd02c 0xb 0x565561c5  
    add $0x4,%esp 0xffffd018 0xffffd02c 0xb 0x565561e9  
    mov -0x4(%ebp),%edx 0xffffd01c 0xffffd02c 0xb 0x565561ec  
    add %edx,%eax 0xffffd01c 0xffffd02c 0xb 0x565561ef  
    leave 0xffffd01c 0xffffd02c 0x2a 0x565561f1  
    ret 0xffffd030 0xffffd038 0x2a 0x565561f2  
               
               

     

    参考链接:

    https://www.k2zone.cn/?p=1911

    http://www.cnblogs.com/lxm20145215----/p/5982554.html
  • 相关阅读:
    data filter 去掉HTML文件中的所有标记
    data filter 去掉HTML文件中的所有标记
    C++ 上溢和下溢(overflow underflow)
    C++ 上溢和下溢(overflow underflow)
    按字节提取整形数值(按位与运算符“&”、右移位运算符“>>”)
    按字节提取整形数值(按位与运算符“&”、右移位运算符“>>”)
    二进制、十进制、N进制 ○| ̄|_
    二进制、十进制、N进制 ○| ̄|_
    JAVA合法标识符
    JAVA合法标识符
  • 原文地址:https://www.cnblogs.com/Aegon-Targaryen/p/15521893.html
Copyright © 2011-2022 走看看