gdb: locating main in a stripped program
2022-07-19 10:07:00 【xiaozhiwise】
How to find main when reversing a program whose symbols have been stripped. The idea is the same on every target: the entry point is _start, not main, and _start ends by calling __libc_start_main with main as its first argument, so main is whatever is loaded into the first-argument register (or pushed last on i386) right before that call.
/*
* intel(64) main address
*/
1. `readelf -h` gives the Entry point address (_start); disassemble from there:
(gdb) x/20i 0x555555555080
0x555555555080: endbr64
0x555555555084: xor %ebp,%ebp
0x555555555086: mov %rdx,%r9
0x555555555089: pop %rsi
0x55555555508a: mov %rsp,%rdx
0x55555555508d: and $0xfffffffffffffff0,%rsp
0x555555555091: push %rax
0x555555555092: push %rsp
0x555555555093: lea 0x9e6(%rip),%r8 # 0x555555555a80
0x55555555509a: lea 0x96f(%rip),%rcx # 0x555555555a10
=> 0x5555555550a1: lea 0x910(%rip),%rdi # 0x5555555559b8
0x5555555550a8: callq *0x2f32(%rip) # 0x555555557fe0
0x5555555550ae: hlt
0x5555555550af: nop
0x5555555550b0: lea 0x2f59(%rip),%rdi # 0x555555558010
0x5555555550b7: lea 0x2f52(%rip),%rax # 0x555555558010
0x5555555550be: cmp %rdi,%rax
0x5555555550c1: je 0x5555555550d8
0x5555555550c3: mov 0x2f0e(%rip),%rax # 0x555555557fd8
0x5555555550ca: test %rax,%rax
2. The `lea 0x910(%rip),%rdi` just before `callq *0x2f32(%rip)` (the call into __libc_start_main through the GOT) loads the first argument. RIP-relative operands are computed from the address of the *next* instruction, not of the lea itself, so take the address on the following line (0x5555555550a8) and add the displacement. gdb already resolves this in the `# 0x5555555559b8` comment, so the addition is only a check:
0x5555555550a8 + 0x910 = 0x5555555559b8 // main address
This is a PIE loaded at 0x555555554000, so the same main is at virtual address 0x19b8 in the unrelocated file (what `objdump -d` prints). In a non-PIE executable the instruction is `mov $main,%rdi` instead, and with glibc 2.34 and later the init/fini arguments in %rcx and %r8 are zeroed rather than loaded, but main is still passed in %rdi.
/*
* intel(32) main address
*/
1. `readelf -h` gives the Entry point address (_start); disassemble from there (shown here with the raw bytes, as `objdump -d` prints them):
(gdb) x/20i 0x80483c0
80483c0: 31 ed xor %ebp,%ebp
80483c2: 5e pop %esi
80483c3: 89 e1 mov %esp,%ecx
80483c5: 83 e4 f0 and $0xfffffff0,%esp
80483c8: 50 push %eax
80483c9: 54 push %esp
80483ca: 52 push %edx
80483cb: 68 20 8b 04 08 push $0x8048b20
80483d0: 68 b0 8a 04 08 push $0x8048ab0
80483d5: 51 push %ecx
80483d6: 56 push %esi
80483d7: 68 77 8a 04 08 push $0x8048a77
80483dc: e8 cf ff ff ff call 80483b0 <__libc_start_main@plt>
80483e1: f4 hlt
80483e2: 66 90 xchg %ax,%ax
80483e4: 66 90 xchg %ax,%ax
80483e6: 66 90 xchg %ax,%ax
80483e8: 66 90 xchg %ax,%ax
80483ea: 66 90 xchg %ax,%ax
80483ec: 66 90 xchg %ax,%ax
80483ee: 66 90 xchg %ax,%ax
2. On i386 the arguments are passed on the stack, so the last push before `call __libc_start_main@plt` is the first argument, main; the two immediates pushed before it are __libc_csu_fini (0x8048b20) and __libc_csu_init (0x8048ab0), and %ecx/%esi are argv/argc:
80483d7: 68 77 8a 04 08 push $0x8048a77 // main address
This is a non-PIE executable; a PIE does not push an immediate here but loads main's address through the GOT first.
/*
* arm(64) main address
*/
1. `readelf -h` gives the Entry point address (_start); disassemble from there:
(gdb) x/20i 0x400500
400500: d280001d mov x29, #0x0 // #0
400504: d280001e mov x30, #0x0 // #0
400508: aa0003e5 mov x5, x0
40050c: f94003e1 ldr x1, [sp]
400510: 910023e2 add x2, sp, #0x8
400514: 910003e6 mov x6, sp
400518: 580000c0 ldr x0, 400530 <[email protected]+0x40>
40051c: 580000e3 ldr x3, 400538 <[email protected]+0x48>
400520: 58000104 ldr x4, 400540 <[email protected]+0x50>
400524: 97ffffe7 bl 4004c0 <__libc_start_main@plt>
400528: 97ffffee bl 4004e0 <abort@plt>
40052c: 00000000 .inst 0x00000000 ; undefined
400530: 00400c48 .inst 0x00400c48 ; undefined
400534: 00000000 .inst 0x00000000 ; undefined
400538: 00400c80 .inst 0x00400c80 ; undefined
40053c: 00000000 .inst 0x00000000 ; undefined
400540: 00400d00 .inst 0x00400d00 ; undefined
400544: 00000000 .inst 0x00000000 ; undefined
2. `ldr x0, 400530` loads the first argument from the literal pool that follows the code (the `.inst` lines objdump cannot decode as instructions). Read the 8-byte little-endian value at 0x400530, i.e. the word there plus the zero high word at 0x400534:
400530: 00400c48 .word 0x00400c48 // main address
x3 and x4 are loaded the same way from 0x400538 and 0x400540 with __libc_csu_init (0x400c80) and __libc_csu_fini (0x400d00). Newer glibc builds have no literal pool here and materialise main with `adrp x0, main` / `add x0, x0, :lo12:main` (or an `ldr` from the GOT in a PIE), but it is still the value in x0 at the `bl`.
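The three procedures above can be automated without gdb: read the entry point from the ELF header (what `readelf -h` shows), take the bytes of _start, and decode the instruction that sets up the first argument of __libc_start_main. The script below is an added example written for this post, not the author's code. It goes a little beyond the listings: on x86-64 it also recognises the non-PIE `mov $main,%rdi` form and the unrelaxed `mov main@GOTPCREL(%rip),%rdi` form (where %rdi receives a GOT slot that must be dereferenced), and on aarch64 it handles the newer `adrp`/`add` and `adrp`/`ldr` sequences as well as the literal pool. It assumes glibc's _start on a little-endian target; the function names are mine, and the sample byte strings are constructed from the listings above (the x86-64 bytes re-encoded from the gdb text, the i386 and aarch64 words copied from the objdump output).

```python
"""Recover main() in a stripped ELF by decoding the first argument that _start
passes to __libc_start_main.  Added example for this post, not the author's
code.  Assumes glibc's _start on a little-endian target.  Sample bytes are
constructed from the listings in the post."""
import struct


def main_x86_64(start_va, code):
    """Return (address, via_got).  %rdi is loaded by one of three 7-byte forms
    just before `call *disp32(%rip)` (ff 15) to __libc_start_main."""
    call = code.find(b"\xff\x15")
    if call < 0:
        raise ValueError("no `call *disp32(%rip)` in _start")
    forms = {b"\x48\x8d\x3d": "lea",   # lea disp32(%rip),%rdi  PIE, GOT load relaxed by ld
             b"\x48\x8b\x3d": "got",   # mov disp32(%rip),%rdi  PIE, %rdi <- GOT slot
             b"\x48\xc7\xc7": "imm"}   # mov $imm32,%rdi        non-PIE
    off, kind = max(((code.rfind(p, 0, call), k) for p, k in forms.items()),
                    key=lambda t: t[0])
    if off < 0:
        raise ValueError("no recognised load of %rdi before the call")
    val = struct.unpack_from("<i", code, off + 3)[0]
    if kind == "imm":
        return val, False
    return start_va + off + 7 + val, kind == "got"   # %rip = next instruction


def main_i386(code):
    """Non-PIE i386: main is the last `push $imm32` (68) right before `call rel32` (e8)."""
    for i in range(len(code) - 6, -1, -1):
        if code[i] == 0x68 and code[i + 5] == 0xE8:
            return struct.unpack_from("<I", code, i + 1)[0]
    raise ValueError("no `push $imm32; call` pair in _start")


def main_aarch64(start_va, code):
    """Return (address, via_got).  Track x0 up to the first `bl` (__libc_start_main):
    `ldr x0, <literal>` (older glibc, as in the listing above), `adrp x0; add x0, x0, #lo12`
    (newer, non-PIC) or `adrp x0; ldr x0, [x0, #got]` (newer PIC: x0 is a GOT slot)."""
    code, x0 = code[:len(code) & ~3], None
    for i, (w,) in enumerate(struct.iter_unpack("<I", code)):
        pc, rt, rn = start_va + 4 * i, w & 0x1F, (w >> 5) & 0x1F
        if w >> 26 == 0x25:                                         # bl
            break
        if rt != 0:
            continue
        if w >> 24 == 0x58:                                         # ldr x0, <pc+imm19*4>
            imm19 = (w >> 5) & 0x7FFFF
            imm19 -= 0x80000 if imm19 & 0x40000 else 0
            x0 = (struct.unpack_from("<Q", code, pc + imm19 * 4 - start_va)[0], False)
        elif (w & 0x9F000000) == 0x90000000:                        # adrp x0, <page>
            imm = (((w >> 5) & 0x7FFFF) << 2) | ((w >> 29) & 3)
            imm -= 0x200000 if imm & 0x100000 else 0
            x0 = ((pc & ~0xFFF) + (imm << 12), False)
        elif (w & 0xFFC00000) == 0x91000000 and rn == 0 and x0:     # add x0, x0, #imm12
            x0 = (x0[0] + ((w >> 10) & 0xFFF), False)
        elif (w & 0xFFC00000) == 0xF9400000 and rn == 0 and x0:     # ldr x0, [x0, #imm12*8]
            x0 = (x0[0] + (((w >> 10) & 0xFFF) << 3), True)
    if x0 is None:
        raise ValueError("could not recover x0 before the bl")
    return x0


def read_start(path, n=128):
    """Stdlib stand-in for `readelf -h`: (e_machine, e_entry, n bytes at the entry),
    mapping e_entry to a file offset through the PT_LOAD segment that contains it."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    e_machine = struct.unpack_from("<H", data, 18)[0]
    if data[4] == 2:                                   # ELFCLASS64
        e_entry, e_phoff = struct.unpack_from("<QQ", data, 24)
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
        fmt, idx = "<IIQQQQQQ", (0, 2, 3, 5)           # p_type p_offset p_vaddr p_filesz
    else:                                              # ELFCLASS32
        e_entry, e_phoff = struct.unpack_from("<II", data, 24)
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
        fmt, idx = "<IIIIIIII", (0, 1, 2, 4)
    for i in range(e_phnum):
        ph = struct.unpack_from(fmt, data, e_phoff + i * e_phentsize)
        p_type, p_off, p_vaddr, p_filesz = (ph[j] for j in idx)
        if p_type == 1 and p_vaddr <= e_entry < p_vaddr + p_filesz:   # PT_LOAD
            return e_machine, e_entry, data[p_off + e_entry - p_vaddr:][:n]
    raise ValueError("entry point is not inside a PT_LOAD segment")


def find_main(path):
    """(main, via_got) for an ELF file; for a PIE the value is file-relative."""
    e_machine, e_entry, code = read_start(path)
    if e_machine == 62:                                # EM_X86_64
        return main_x86_64(e_entry, code)
    if e_machine == 3:                                 # EM_386
        return main_i386(code), False
    if e_machine == 183:                               # EM_AARCH64
        return main_aarch64(e_entry, code)
    raise ValueError(f"unsupported e_machine {e_machine}")


# Constructed samples: the _start bytes behind the three listings in the post.
X86_64_START = bytes.fromhex(
    "f30f1efa 31ed 4989d1 5e 4889e2 4883e4f0 50 54 4c8d05e6090000 488d0d6f090000"
    "488d3d10090000 ff15322f0000 f4")                  # ... lea main,%rdi ; call ; hlt
I386_START = bytes.fromhex(
    "31ed 5e 89e1 83e4f0 50 54 52 68208b0408 68b08a0408 51 56 68778a0408 e8cfffffff f4")
AARCH64_START = struct.pack("<18I", 0xD280001D, 0xD280001E, 0xAA0003E5, 0xF94003E1,
    0x910023E2, 0x910003E6, 0x580000C0, 0x580000E3, 0x58000104, 0x97FFFFE7, 0x97FFFFEE,
    0, 0x00400C48, 0, 0x00400C80, 0, 0x00400D00, 0)
# Constructed newer-glibc shape at pc 0x400518: adrp x0, 0x400000 ; add x0, x0, #0xc48 ; bl
AARCH64_ADRP = struct.pack("<3I", 0x90000000, 0x91312000, 0x94000000)
```

`find_main(path)` runs the whole procedure on a file; on the constructed samples `main_x86_64(0x555555555080, X86_64_START)` gives 0x5555555559b8, `main_i386(I386_START)` 0x8048a77 and `main_aarch64(0x400500, AARCH64_START)` 0x400c48, matching the three listings. When `via_got` is true the returned value is a GOT slot, so read main from it at runtime with `x/gx` in gdb. For a PIE, `find_main` works on the unrelocated file and returns the file's virtual address (0x19b8 for the x86-64 listing); add the load base gdb shows to get the runtime address.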
/*
* arm(32) main address
*/
On 32-bit ARM the stripped program's disassembly looks completely different even though the addresses still line up with the unstripped build, and at first sight finding main in such a binary seems hopeless. The code bytes have not changed, though: what strip removed are the local mapping symbols ($a, $t, $d) that objdump and gdb use to tell ARM code, Thumb code and literal-pool data apart, so a Thumb-2 binary is decoded as ARM instructions and the pool words as code. Tell the disassembler the mode explicitly (`set arm force-mode thumb` or `set arm fallback-mode thumb` in gdb, `objdump -d -M force-thumb`) and _start reads as on the other targets: the first argument to __libc_start_main is in r0, loaded with a pc-relative `ldr r0, ...` from a literal-pool word that holds main's address (in a PIE, a GOT entry that is then loaded through), right before the `bl __libc_start_main`.