
ELF binary

ELF binary. # readelf -a foo.out ELF Header: Magic : 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 Class: ELF32 Data: 2's complement, little endian Version: 1 (current)


ELF binary





  1. ELF binary # readelf -a foo.out ELF Header: Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 Class: ELF32 Data: 2's complement, little endian Version: 1 (current) OS/ABI: UNIX - System V ABI Version: 0 Type: EXEC (Executable file) Machine: Intel 80386 Version: 0x1 Entry point address: 0x8048720 Start of program headers: 52 (bytes into file) Start of section headers: 3744 (bytes into file) Flags: 0x0 Size of this header: 52 (bytes) Size of program headers: 32 (bytes) Number of program headers: 8 Size of section headers: 40 (bytes) Number of section headers: 32 Section header string table index: 29 Dynamic section at offset 0xbfc contains 28 entries: Tag Type Name/Value 0x00000001 (NEEDED) Shared library: [libstdc++.so.6] 0x00000001 (NEEDED) Shared library: [libm.so.6] 0x00000001 (NEEDED) Shared library: [libgcc_s.so.1] 0x00000001 (NEEDED) Shared library: [libc.so.6] Symbol table '.dynsym' contains 18 entries: Num: Value Size Type Bind Vis Ndx Name 0: 00000000 0 NOTYPE LOCAL DEFAULT UND 1: 00000000 0 FUNC GLOBAL DEFAULT UND open@GLIBC_2.0 (2) 2: 00000000 0 FUNC GLOBAL DEFAULT UND __cxa_atexit@GLIBC_2.1.3 (3) 3: 00000000 0 NOTYPE WEAK DEFAULT UND __gmon_start__ 4: 00000000 0 NOTYPE WEAK DEFAULT UND _Jv_RegisterClasses

  2. Print Me echo "set disassembly-flavor intel" > ~/.gdbinit (gdb) disassemble /rm main Dump of assembler code for function main(int, char**): 2 int main(int argc, char *argv[]) { 0x080483e4 <+0>: 55 push ebp 0x080483e5 <+1>: 89 e5 mov ebp,esp 0x080483e7 <+3>: 83 e4 f0 and esp,0xfffffff0 0x080483ea <+6>: 83 ec 10 sub esp,0x10 3 printf(argv[1]); 0x080483ed <+9>: 8b 45 0c mov eax,DWORD PTR [ebp+0xc] 0x080483f0 <+12>: 83 c0 04 add eax,0x4 0x080483f3 <+15>: 8b 00 mov eax,DWORD PTR [eax] 0x080483f5 <+17>: 89 04 24 mov DWORD PTR [esp],eax 0x080483f8 <+20>: e8 03 ff ff ff call 0x8048300 <printf@plt> 0x080483fd <+25>: b8 00 00 00 00 mov eax,0x0 4 } 0x08048402 <+30>: c9 leave 0x08048403 <+31>: c3 ret End of assembler dump. (Note that argv[1] is passed to printf as the format string itself, not as a "%s" argument, which is what the disassembly shows being loaded at <+9> through <+17>.)

  3. Hello World! - assembly ; from Hacking: The Art of Exploitation by Jon Erickson BITS 32 call mark_below ; instructions below db "Hello, world!", 0x0a, 0x0d ; add newline/cr to end mark_below: pop ecx ; pop the return address into ecx ;; this should be the string ptr mov eax, 4 ; write system call #4 (write) mov ebx, 1 ; STDOUT file descriptor mov edx, 15 ; the length of the string int 0x80 ; do syscall: write(1,string,15) ;; exit properly mov eax, 1 ; syscall #1 (exit) mov ebx, 0 ; status result = 0 int 0x80 ; do syscall: exit(0)

  4. Hello World! - assembly ; from Hacking: The Art of Exploitation by Jon Erickson BITS 32 call mark_below ; instructions below db "Hello, world!", 0x0a, 0x0d ; add newline mark_below: pop ecx ; pop the return address into ecx ;; this should be the string ptr mov eax, 4 ; write system call #4 (write) mov ebx, 1 ; STDOUT file descriptor mov edx, 15 ; the length of the string int 0x80 ; do syscall: write(1,string,15?) ;; exit properly mov eax, 1 ; syscall #1 (exit) mov ebx, 0 ; status result = 0 int 0x80 ; do syscall: exit(0) $ ndisasm -b 32 hello 00000000 E80F000000 call dword 0x14 00000005 48 dec eax 00000006 656C gs insb 00000008 6C insb 00000009 6F outsd 0000000A 2C20 sub al,0x20 0000000C 776F ja 0x7d 0000000E 726C jc 0x7c 00000010 64210A and [fs:edx],ecx 00000013 0D59B80400 or eax,0x4b859 00000018 0000 add [eax],al 0000001A BB01000000 mov ebx,0x1 0000001F BA0F000000 mov edx,0xf 00000024 CD80 int 0x80 00000026 B801000000 mov eax,0x1 0000002B BB00000000 mov ebx,0x0 00000030 CD80 int 0x80 (the disassembler reads the embedded string bytes as instructions, so everything between 0x5 and 0x12 is data, not code)

  5. Reversing

  6. (gdb) disassemble /m main Dump of assembler code for function main(): 4 int main() { 0x0804848c <+0>: push ebp 0x0804848d <+1>: mov ebp,esp 0x0804848f <+3>: sub esp,0x10 5 int count; 6 7 y=y+3; 0x08048492 <+6>: mov eax,ds:0x8049744 0x08048497 <+11>: add eax,0x3 0x0804849a <+14>: mov ds:0x8049744,eax 8 x=x+y; 0x0804849f <+19>: mov edx,DWORD PTR ds:0x8049740 0x080484a5 <+25>: mov eax,ds:0x8049744 0x080484aa <+30>: add eax,edx 0x080484ac <+32>: mov ds:0x8049740,eax 9 if (x<y) 0x080484b1 <+37>: mov edx,DWORD PTR ds:0x8049740 0x080484b7 <+43>: mov eax,ds:0x8049744 0x080484bc <+48>: cmp edx,eax 0x080484be <+50>: jge 0x80484ca <main()+62> 10 x=1; 0x080484c0 <+52>: mov DWORD PTR ds:0x8049740,0x1 Frame setup; arithmetic; if comparison; continue if not <

  7. loops local variable - stack 11 12 for (count=1; count<10; count++) 0x080484ca <+62>: mov DWORD PTR [ebp-0x4],0x1 0x080484d1 <+69>: jmp 0x80484e4 <main()+88> 0x080484e0 <+84>: add DWORD PTR [ebp-0x4],0x1 0x080484e4 <+88>: cmp DWORD PTR [ebp-0x4],0x9 0x080484e8 <+92>: setle al 0x080484eb <+95>: test al,al 0x080484ed <+97>: jne 0x80484d3 <main()+71> 13 x++; 0x080484d3 <+71>: mov eax,ds:0x8049740 0x080484d8 <+76>: add eax,0x1 0x080484db <+79>: mov ds:0x8049740,eax 14 } 0x080484ef <+99>: mov eax,0x0 0x080484f4 <+104>: leave // count=1 // count++ // compare count to 9 // al=1 if count<=9 // al & al (set flags) global variable - memory
