0x00 objdump 是 Linux 下用于反汇编目标文件或可执行文件的命令
0x01 objdump -f 显示test的文件头信息
$ objdump -f level
level: file format elf32-i386 architecture: i386, flags 0x00000112: EXEC_P, HAS_SYMS, D_PAGED start address 0x08048350
0x02 objdump -d 反汇编test中的需要执行指令的那些section
$ objdump -d level
level2: file format elf32-i386 Disassembly of section .init: 080482d4 <_init>: 80482d4: 53 push %ebx 80482d5: 83 ec 08 sub $0x8,%esp 80482d8: e8 a3 00 00 00 call 8048380 <__x86.get_pc_thunk.bx> 80482dd: 81 c3 23 1d 00 00 add $0x1d23,%ebx 80482e3: 8b 83 fc ff ff ff mov -0x4(%ebx),%eax 80482e9: 85 c0 test %eax,%eax 80482eb: 74 05 je 80482f2 <_init+0x1e> 80482ed: e8 3e 00 00 00 call 8048330 <__gmon_start__@plt> 80482f2: 83 c4 08 add $0x8,%esp 80482f5: 5b pop %ebx 80482f6: c3 ret Disassembly of section .plt: 08048300 <read@plt-0x10>: 8048300: ff 35 04 a0 04 08 pushl 0x804a004 8048306: ff 25 08 a0 04 08 jmp *0x804a008 804830c: 00 00 add %al,(%eax) ... 08048310 <read@plt>: 8048310: ff 25 0c a0 04 08 jmp *0x804a00c 8048316: 68 00 00 00 00 push $0x0 804831b: e9 e0 ff ff ff jmp 8048300 <_init+0x2c> 08048320 <system@plt>: 8048320: ff 25 10 a0 04 08 jmp *0x804a010 8048326: 68 08 00 00 00 push $0x8 804832b: e9 d0 ff ff ff jmp 8048300 <_init+0x2c> 08048330 <__gmon_start__@plt>: 8048330: ff 25 14 a0 04 08 jmp *0x804a014 8048336: 68 10 00 00 00 push $0x10 804833b: e9 c0 ff ff ff jmp 8048300 <_init+0x2c> 08048340 <__libc_start_main@plt>: 8048340: ff 25 18 a0 04 08 jmp *0x804a018 8048346: 68 18 00 00 00 push $0x18 804834b: e9 b0 ff ff ff jmp 8048300 <_init+0x2c> Disassembly of section .text: 08048350 <_start>: 8048350: 31 ed xor %ebp,%ebp 8048352: 5e pop %esi 8048353: 89 e1 mov %esp,%ecx 8048355: 83 e4 f0 and $0xfffffff0,%esp 8048358: 50 push %eax 8048359: 54 push %esp 804835a: 52 push %edx 804835b: 68 20 85 04 08 push $0x8048520 8048360: 68 c0 84 04 08 push $0x80484c0 8048365: 51 push %ecx 8048366: 56 push %esi 8048367: 68 80 84 04 08 push $0x8048480 804836c: e8 cf ff ff ff call 8048340 <__libc_start_main@plt> 8048371: f4 hlt 8048372: 66 90 xchg %ax,%ax 8048374: 66 90 xchg %ax,%ax 8048376: 66 90 xchg %ax,%ax 8048378: 66 90 xchg %ax,%ax 804837a: 66 90 xchg %ax,%ax 804837c: 66 90 xchg %ax,%ax 804837e: 66 90 xchg %ax,%ax 08048380 <__x86.get_pc_thunk.bx>: 8048380: 8b 1c 24 mov 
(%esp),%ebx 8048383: c3 ret 8048384: 66 90 xchg %ax,%ax 8048386: 66 90 xchg %ax,%ax 8048388: 66 90 xchg %ax,%ax 804838a: 66 90 xchg %ax,%ax 804838c: 66 90 xchg %ax,%ax 804838e: 66 90 xchg %ax,%ax 08048390 <deregister_tm_clones>: 8048390: b8 2f a0 04 08 mov $0x804a02f,%eax 8048395: 2d 2c a0 04 08 sub $0x804a02c,%eax 804839a: 83 f8 06 cmp $0x6,%eax 804839d: 76 1a jbe 80483b9 <deregister_tm_clones+0x29> 804839f: b8 00 00 00 00 mov $0x0,%eax 80483a4: 85 c0 test %eax,%eax 80483a6: 74 11 je 80483b9 <deregister_tm_clones+0x29> 80483a8: 55 push %ebp 80483a9: 89 e5 mov %esp,%ebp 80483ab: 83 ec 14 sub $0x14,%esp 80483ae: 68 2c a0 04 08 push $0x804a02c 80483b3: ff d0 call *%eax 80483b5: 83 c4 10 add $0x10,%esp 80483b8: c9 leave 80483b9: f3 c3 repz ret 80483bb: 90 nop 80483bc: 8d 74 26 00 lea 0x0(%esi,%eiz,1),%esi 080483c0 <register_tm_clones>: 80483c0: b8 2c a0 04 08 mov $0x804a02c,%eax 80483c5: 2d 2c a0 04 08 sub $0x804a02c,%eax 80483ca: c1 f8 02 sar $0x2,%eax 80483cd: 89 c2 mov %eax,%edx 80483cf: c1 ea 1f shr $0x1f,%edx 80483d2: 01 d0 add %edx,%eax 80483d4: d1 f8 sar %eax 80483d6: 74 1b je 80483f3 <register_tm_clones+0x33> 80483d8: ba 00 00 00 00 mov $0x0,%edx 80483dd: 85 d2 test %edx,%edx 80483df: 74 12 je 80483f3 <register_tm_clones+0x33> 80483e1: 55 push %ebp 80483e2: 89 e5 mov %esp,%ebp 80483e4: 83 ec 10 sub $0x10,%esp 80483e7: 50 push %eax 80483e8: 68 2c a0 04 08 push $0x804a02c 80483ed: ff d2 call *%edx 80483ef: 83 c4 10 add $0x10,%esp 80483f2: c9 leave 80483f3: f3 c3 repz ret 80483f5: 8d 74 26 00 lea 0x0(%esi,%eiz,1),%esi 80483f9: 8d bc 27 00 00 00 00 lea 0x0(%edi,%eiz,1),%edi 08048400 <__do_global_dtors_aux>: 8048400: 80 3d 2c a0 04 08 00 cmpb $0x0,0x804a02c 8048407: 75 13 jne 804841c <__do_global_dtors_aux+0x1c> 8048409: 55 push %ebp 804840a: 89 e5 mov %esp,%ebp 804840c: 83 ec 08 sub $0x8,%esp 804840f: e8 7c ff ff ff call 8048390 <deregister_tm_clones> 8048414: c6 05 2c a0 04 08 01 movb $0x1,0x804a02c 804841b: c9 leave 804841c: f3 c3 repz ret 804841e: 66 90 xchg 
%ax,%ax 08048420 <frame_dummy>: 8048420: b8 10 9f 04 08 mov $0x8049f10,%eax 8048425: 8b 10 mov (%eax),%edx 8048427: 85 d2 test %edx,%edx 8048429: 75 05 jne 8048430 <frame_dummy+0x10> 804842b: eb 93 jmp 80483c0 <register_tm_clones> 804842d: 8d 76 00 lea 0x0(%esi),%esi 8048430: ba 00 00 00 00 mov $0x0,%edx 8048435: 85 d2 test %edx,%edx 8048437: 74 f2 je 804842b <frame_dummy+0xb> 8048439: 55 push %ebp 804843a: 89 e5 mov %esp,%ebp 804843c: 83 ec 14 sub $0x14,%esp 804843f: 50 push %eax 8048440: ff d2 call *%edx 8048442: 83 c4 10 add $0x10,%esp 8048445: c9 leave 8048446: e9 75 ff ff ff jmp 80483c0 <register_tm_clones> 0804844b <vulnerable_function>: 804844b: 55 push %ebp 804844c: 89 e5 mov %esp,%ebp 804844e: 81 ec 88 00 00 00 sub $0x88,%esp 8048454: 83 ec 0c sub $0xc,%esp 8048457: 68 40 85 04 08 push $0x8048540 804845c: e8 bf fe ff ff call 8048320 <system@plt> 8048461: 83 c4 10 add $0x10,%esp 8048464: 83 ec 04 sub $0x4,%esp 8048467: 68 00 01 00 00 push $0x100 804846c: 8d 85 78 ff ff ff lea -0x88(%ebp),%eax 8048472: 50 push %eax 8048473: 6a 00 push $0x0 8048475: e8 96 fe ff ff call 8048310 <read@plt> 804847a: 83 c4 10 add $0x10,%esp 804847d: 90 nop 804847e: c9 leave 804847f: c3 ret 08048480 <main>: 8048480: 8d 4c 24 04 lea 0x4(%esp),%ecx 8048484: 83 e4 f0 and $0xfffffff0,%esp 8048487: ff 71 fc pushl -0x4(%ecx) 804848a: 55 push %ebp 804848b: 89 e5 mov %esp,%ebp 804848d: 51 push %ecx 804848e: 83 ec 04 sub $0x4,%esp 8048491: e8 b5 ff ff ff call 804844b <vulnerable_function> 8048496: 83 ec 0c sub $0xc,%esp 8048499: 68 4c 85 04 08 push $0x804854c 804849e: e8 7d fe ff ff call 8048320 <system@plt> 80484a3: 83 c4 10 add $0x10,%esp 80484a6: b8 00 00 00 00 mov $0x0,%eax 80484ab: 8b 4d fc mov -0x4(%ebp),%ecx 80484ae: c9 leave 80484af: 8d 61 fc lea -0x4(%ecx),%esp 80484b2: c3 ret 80484b3: 66 90 xchg %ax,%ax 80484b5: 66 90 xchg %ax,%ax 80484b7: 66 90 xchg %ax,%ax 80484b9: 66 90 xchg %ax,%ax 80484bb: 66 90 xchg %ax,%ax 80484bd: 66 90 xchg %ax,%ax 80484bf: 90 nop 080484c0 
<__libc_csu_init>: 80484c0: 55 push %ebp 80484c1: 57 push %edi 80484c2: 31 ff xor %edi,%edi 80484c4: 56 push %esi 80484c5: 53 push %ebx 80484c6: e8 b5 fe ff ff call 8048380 <__x86.get_pc_thunk.bx> 80484cb: 81 c3 35 1b 00 00 add $0x1b35,%ebx 80484d1: 83 ec 0c sub $0xc,%esp 80484d4: 8b 6c 24 20 mov 0x20(%esp),%ebp 80484d8: 8d b3 0c ff ff ff lea -0xf4(%ebx),%esi 80484de: e8 f1 fd ff ff call 80482d4 <_init> 80484e3: 8d 83 08 ff ff ff lea -0xf8(%ebx),%eax 80484e9: 29 c6 sub %eax,%esi 80484eb: c1 fe 02 sar $0x2,%esi 80484ee: 85 f6 test %esi,%esi 80484f0: 74 23 je 8048515 <__libc_csu_init+0x55> 80484f2: 8d b6 00 00 00 00 lea 0x0(%esi),%esi 80484f8: 83 ec 04 sub $0x4,%esp 80484fb: ff 74 24 2c pushl 0x2c(%esp) 80484ff: ff 74 24 2c pushl 0x2c(%esp) 8048503: 55 push %ebp 8048504: ff 94 bb 08 ff ff ff call *-0xf8(%ebx,%edi,4) 804850b: 83 c7 01 add $0x1,%edi 804850e: 83 c4 10 add $0x10,%esp 8048511: 39 f7 cmp %esi,%edi 8048513: 75 e3 jne 80484f8 <__libc_csu_init+0x38> 8048515: 83 c4 0c add $0xc,%esp 8048518: 5b pop %ebx 8048519: 5e pop %esi 804851a: 5f pop %edi 804851b: 5d pop %ebp 804851c: c3 ret 804851d: 8d 76 00 lea 0x0(%esi),%esi 08048520 <__libc_csu_fini>: 8048520: f3 c3 repz ret Disassembly of section .fini: 08048524 <_fini>: 8048524: 53 push %ebx 8048525: 83 ec 08 sub $0x8,%esp 8048528: e8 53 fe ff ff call 8048380 <__x86.get_pc_thunk.bx> 804852d: 81 c3 d3 1a 00 00 add $0x1ad3,%ebx 8048533: 83 c4 08 add $0x8,%esp 8048536: 5b pop %ebx 8048537: c3 ret
0x03 objdump -D 与-d类似,但反汇编test中的所有section
0x04 objdump -h 显示test的Section Header信息
$ objdump -h level
Sections: Idx Name Size VMA LMA File off Algn 0 .interp 00000013 08048154 08048154 00000154 2**0 CONTENTS, ALLOC, LOAD, READONLY, DATA 1 .note.ABI-tag 00000020 08048168 08048168 00000168 2**2 CONTENTS, ALLOC, LOAD, READONLY, DATA 2 .note.gnu.build-id 00000024 08048188 08048188 00000188 2**2 CONTENTS, ALLOC, LOAD, READONLY, DATA 3 .gnu.hash 00000020 080481ac 080481ac 000001ac 2**2 CONTENTS, ALLOC, LOAD, READONLY, DATA 4 .dynsym 00000060 080481cc 080481cc 000001cc 2**2 CONTENTS, ALLOC, LOAD, READONLY, DATA 5 .dynstr 00000051 0804822c 0804822c 0000022c 2**0 CONTENTS, ALLOC, LOAD, READONLY, DATA 6 .gnu.version 0000000c 0804827e 0804827e 0000027e 2**1 CONTENTS, ALLOC, LOAD, READONLY, DATA 7 .gnu.version_r 00000020 0804828c 0804828c 0000028c 2**2 CONTENTS, ALLOC, LOAD, READONLY, DATA 8 .rel.dyn 00000008 080482ac 080482ac 000002ac 2**2 CONTENTS, ALLOC, LOAD, READONLY, DATA 9 .rel.plt 00000020 080482b4 080482b4 000002b4 2**2 CONTENTS, ALLOC, LOAD, READONLY, DATA 10 .init 00000023 080482d4 080482d4 000002d4 2**2 CONTENTS, ALLOC, LOAD, READONLY, CODE 11 .plt 00000050 08048300 08048300 00000300 2**4 CONTENTS, ALLOC, LOAD, READONLY, CODE 12 .text 000001d2 08048350 08048350 00000350 2**4 CONTENTS, ALLOC, LOAD, READONLY, CODE 13 .fini 00000014 08048524 08048524 00000524 2**2 CONTENTS, ALLOC, LOAD, READONLY, CODE 14 .rodata 00000028 08048538 08048538 00000538 2**2 CONTENTS, ALLOC, LOAD, READONLY, DATA 15 .eh_frame_hdr 00000034 08048560 08048560 00000560 2**2 CONTENTS, ALLOC, LOAD, READONLY, DATA 16 .eh_frame 000000ec 08048594 08048594 00000594 2**2 CONTENTS, ALLOC, LOAD, READONLY, DATA 17 .init_array 00000004 08049f08 08049f08 00000f08 2**2 CONTENTS, ALLOC, LOAD, DATA 18 .fini_array 00000004 08049f0c 08049f0c 00000f0c 2**2 CONTENTS, ALLOC, LOAD, DATA 19 .jcr 00000004 08049f10 08049f10 00000f10 2**2 CONTENTS, ALLOC, LOAD, DATA 20 .dynamic 000000e8 08049f14 08049f14 00000f14 2**2 CONTENTS, ALLOC, LOAD, DATA 21 .got 00000004 08049ffc 08049ffc 00000ffc 2**2 CONTENTS, ALLOC, LOAD, 
DATA 22 .got.plt 0000001c 0804a000 0804a000 00001000 2**2 CONTENTS, ALLOC, LOAD, DATA 23 .data 00000010 0804a01c 0804a01c 0000101c 2**2 CONTENTS, ALLOC, LOAD, DATA 24 .bss 00000004 0804a02c 0804a02c 0000102c 2**0 ALLOC 25 .comment 00000052 00000000 00000000 0000102c 2**0 CONTENTS, READONLY
0x05 objdump -x 显示test的全部Header信息
0x06 objdump -s 除了显示test的全部Header信息,还显示它们对应的十六进制文件内容
0x07 CTF PWN中主要用到 -d 寻找gadgets进行rop,-h 确定.bss段位置
.