在gdb中跟踪x86以查找密码

时间:2016-10-31 02:30:41

标签: assembly x86 gdb reverse-engineering

我拿到了一个可执行文件，它会要求输入密码。题目要求只能用 gdb 跟踪 x86 汇编来找出隐藏的密码。我试过在不同位置设断点并查看寄存器的值，但还是弄不清楚怎样找到密码。另一个难点是反汇编里找不到 main（二进制似乎去掉了符号，objdump 只能用最近的 PLT 符号来标注目标地址，例如 `<tolower@plt+0xcc>`）。附上的 x86 反汇编很长，但我觉得其中大部分并不相关。任何帮助都不胜感激，我只是不知道该从哪里开始。谢谢。

Disassembly of section .init:

080482f8 <.init>:
 # .init: runs once before main, called from the init routine at 8048544.
 # The binary is stripped, so objdump names every target relative to the
 # nearest PLT symbol (e.g. <getchar@plt-0x34>); those names carry no meaning.
 80482f8:       55                      push   %ebp
 80482f9:       89 e5                   mov    %esp,%ebp
 80482fb:       53                      push   %ebx
 80482fc:       83 ec 04                sub    $0x4,%esp
 80482ff:       e8 00 00 00 00          call   8048304 <getchar@plt-0x34>   # call-next/pop idiom: %ebx = 0x8048304
 8048304:       5b                      pop    %ebx
 8048305:       81 c3 b0 14 00 00       add    $0x14b0,%ebx                 # %ebx = 0x80497b4 (PC-relative data base)
 804830b:       8b 93 fc ff ff ff       mov    -0x4(%ebx),%edx              # load word at 0x80497b0 (presumably the __gmon_start__ GOT slot)
 8048311:       85 d2                   test   %edx,%edx
 8048313:       74 05                   je     804831a <getchar@plt-0x1e>   # slot is 0 -> skip the profiling hook
 8048315:       e8 2e 00 00 00          call   8048348 <__gmon_start__@plt>
 804831a:       e8 11 01 00 00          call   8048430 <tolower@plt+0xa8>   # helper at 8048430 (its indirect call is dead code)
 804831f:       e8 6c 02 00 00          call   8048590 <tolower@plt+0x208>  # walks the -1 terminated pointer list ending at 0x80496d4
 8048324:       58                      pop    %eax
 8048325:       5b                      pop    %ebx
 8048326:       c9                      leave
 8048327:       c3                      ret

Disassembly of section .plt:

08048328 <getchar@plt-0x10>:
 # PLT0: lazy-binding trampoline.  Pushes the word at 0x80497b8 and jumps
 # through 0x80497bc (GOT[1]/GOT[2]: link_map and resolver, by convention).
 8048328:       ff 35 b8 97 04 08       pushl  0x80497b8
 804832e:       ff 25 bc 97 04 08       jmp    *0x80497bc
 8048334:       00 00                   add    %al,(%eax)                   # padding bytes disassembled as code; ignore
        ...

08048338 <getchar@plt>:
 # Each stub jumps through its own GOT slot (0x80497c0..0x80497d4).  Before
 # the first call that slot typically points back at the following push,
 # which pushes the relocation offset and enters PLT0 for lazy resolution.
 # Consequence: with lazy binding the GOT stays writable at run time, so
 # these slots are the classic target for GOT-overwrite attacks.
 8048338:       ff 25 c0 97 04 08       jmp    *0x80497c0
 804833e:       68 00 00 00 00          push   $0x0                         # reloc index 0
 8048343:       e9 e0 ff ff ff          jmp    8048328 <getchar@plt-0x10>

08048348 <__gmon_start__@plt>:
 8048348:       ff 25 c4 97 04 08       jmp    *0x80497c4
 804834e:       68 08 00 00 00          push   $0x8
 8048353:       e9 d0 ff ff ff          jmp    8048328 <getchar@plt-0x10>

08048358 <__libc_start_main@plt>:
 8048358:       ff 25 c8 97 04 08       jmp    *0x80497c8
 804835e:       68 10 00 00 00          push   $0x10
 8048363:       e9 c0 ff ff ff          jmp    8048328 <getchar@plt-0x10>

08048368 <printf@plt>:
 8048368:       ff 25 cc 97 04 08       jmp    *0x80497cc
 804836e:       68 18 00 00 00          push   $0x18
 8048373:       e9 b0 ff ff ff          jmp    8048328 <getchar@plt-0x10>

08048378 <puts@plt>:
 8048378:       ff 25 d0 97 04 08       jmp    *0x80497d0
 804837e:       68 20 00 00 00          push   $0x20
 8048383:       e9 a0 ff ff ff          jmp    8048328 <getchar@plt-0x10>

08048388 <tolower@plt>:
 8048388:       ff 25 d4 97 04 08       jmp    *0x80497d4
 804838e:       68 28 00 00 00          push   $0x28
 8048393:       e9 90 ff ff ff          jmp    8048328 <getchar@plt-0x10>

Disassembly of section .text:

080483a0 <.text>:
 # Process entry point (presumably _start).  It builds the argument list for
 # __libc_start_main and never returns.  By the glibc i386 convention the
 # pushes are, from last to first: main=0x804850e, argc(%esi), argv(%ecx),
 # init=0x8048530, fini=0x8048520, rtld_fini(%edx), stack_end(%esp), pad(%eax).
 # The "missing" main from the question is therefore the routine at 804850e.
 80483a0:       31 ed                   xor    %ebp,%ebp                    # mark the outermost frame
 80483a2:       5e                      pop    %esi
 80483a3:       89 e1                   mov    %esp,%ecx
 80483a5:       83 e4 f0                and    $0xfffffff0,%esp             # 16-byte align the stack
 80483a8:       50                      push   %eax
 80483a9:       54                      push   %esp
 80483aa:       52                      push   %edx
 80483ab:       68 20 85 04 08          push   $0x8048520                   # empty routine at 8048520
 80483b0:       68 30 85 04 08          push   $0x8048530                   # init routine at 8048530
 80483b5:       51                      push   %ecx
 80483b6:       56                      push   %esi
 80483b7:       68 0e 85 04 08          push   $0x804850e                   # main
 80483bc:       e8 97 ff ff ff          call   8048358 <__libc_start_main@plt>
 80483c1:       f4                      hlt                                 # not reached: __libc_start_main exits the process
 80483c2:       90                      nop
 80483c3:       90                      nop
 80483c4:       90                      nop
 80483c5:       90                      nop
 80483c6:       90                      nop
 80483c7:       90                      nop
 80483c8:       90                      nop
 80483c9:       90                      nop
 80483ca:       90                      nop
 80483cb:       90                      nop
 80483cc:       90                      nop
 80483cd:       90                      nop
 80483ce:       90                      nop
 80483cf:       90                      nop
 # sub_80483d0: called from .fini (80485cf).  Guarded by the byte at
 # 0x80497dc (run-once flag); walks a table of function pointers at
 # 0x80496dc using the index kept at 0x80497e0.  The entry count computed
 # below is (0x80496e0-0x80496dc)/4 - 1 = 0, so with the unsigned compare
 # (jae) the loop body never runs and only the flag is set.  Shape matches
 # glibc's __do_global_dtors_aux; not password related.
 80483d0:       55                      push   %ebp
 80483d1:       89 e5                   mov    %esp,%ebp
 80483d3:       53                      push   %ebx
 80483d4:       83 ec 04                sub    $0x4,%esp
 80483d7:       80 3d dc 97 04 08 00    cmpb   $0x0,0x80497dc               # already done?
 80483de:       75 3f                   jne    804841f <tolower@plt+0x97>
 80483e0:       a1 e0 97 04 08          mov    0x80497e0,%eax               # %eax = current index
 80483e5:       bb e0 96 04 08          mov    $0x80496e0,%ebx
 80483ea:       81 eb dc 96 04 08       sub    $0x80496dc,%ebx              # table size in bytes = 4
 80483f0:       c1 fb 02                sar    $0x2,%ebx                    # entry count = 1
 80483f3:       83 eb 01                sub    $0x1,%ebx                    # last index = 0
 80483f6:       39 d8                   cmp    %ebx,%eax
 80483f8:       73 1e                   jae    8048418 <tolower@plt+0x90>   # index >= 0 (unsigned) -> always taken
 80483fa:       8d b6 00 00 00 00       lea    0x0(%esi),%esi               # 6-byte nop (loop alignment)
 8048400:       83 c0 01                add    $0x1,%eax
 8048403:       a3 e0 97 04 08          mov    %eax,0x80497e0
 8048408:       ff 14 85 dc 96 04 08    call   *0x80496dc(,%eax,4)          # call table[index]
 804840f:       a1 e0 97 04 08          mov    0x80497e0,%eax
 8048414:       39 d8                   cmp    %ebx,%eax
 8048416:       72 e8                   jb     8048400 <tolower@plt+0x78>
 8048418:       c6 05 dc 97 04 08 01    movb   $0x1,0x80497dc               # set run-once flag
 804841f:       83 c4 04                add    $0x4,%esp
 8048422:       5b                      pop    %ebx
 8048423:       5d                      pop    %ebp
 8048424:       c3                      ret
 8048425:       8d 74 26 00             lea    0x0(%esi,%eiz,1),%esi
 8048429:       8d bc 27 00 00 00 00    lea    0x0(%edi,%eiz,1),%edi
 # sub_8048430: called from .init (804831a).  Tests the word at 0x80496e4,
 # then loads a hard-coded 0 into %eax (presumably a weak symbol that
 # resolved to NULL at link time) and tests that, so the indirect call at
 # 804844f can never execute.  Shape matches glibc's frame_dummy; not
 # password related.
 8048430:       55                      push   %ebp
 8048431:       89 e5                   mov    %esp,%ebp
 8048433:       83 ec 18                sub    $0x18,%esp
 8048436:       a1 e4 96 04 08          mov    0x80496e4,%eax
 804843b:       85 c0                   test   %eax,%eax
 804843d:       74 12                   je     8048451 <tolower@plt+0xc9>
 804843f:       b8 00 00 00 00          mov    $0x0,%eax                    # constant 0 -> the next je is always taken
 8048444:       85 c0                   test   %eax,%eax
 8048446:       74 09                   je     8048451 <tolower@plt+0xc9>
 8048448:       c7 04 24 e4 96 04 08    movl   $0x80496e4,(%esp)
 804844f:       ff d0                   call   *%eax                        # dead code
 8048451:       c9                      leave
 8048452:       c3                      ret
 8048453:       90                      nop
 # sub_8048454: the actual password check, reached via main (804850e) ->
 # 80484fa -> 80484ed.  Frame layout (-O0, every local lives in memory):
 #   -0x1b(%ebp)  char buf[11]  input bytes, NUL written at buf[10]
 #   -0x10(%ebp)  int  good     number of bytes that passed the range test
 #   -0xc(%ebp)   int  i        loop index
 # Phase 1 reads exactly 10 bytes with getchar(); phase 2 counts how many
 # of them satisfy tolower(c) in '1'..'5'; success requires all 10.
 # Notes for the reviewer: only %al of getchar()'s int result is stored and
 # nothing compares it against EOF, so EOF is silently stored as 0xff; there
 # is no newline handling -- the check is purely on the first 10 bytes of
 # stdin.  Bytes >= 0x80 are sign-extended before tolower(), which is
 # undefined behaviour for tolower() but cannot make the test pass.
 8048454:       55                      push   %ebp
 8048455:       89 e5                   mov    %esp,%ebp
 8048457:       53                      push   %ebx
 8048458:       83 ec 34                sub    $0x34,%esp
 804845b:       c7 45 f0 00 00 00 00    movl   $0x0,-0x10(%ebp)             # good = 0
 8048462:       c7 45 f4 00 00 00 00    movl   $0x0,-0xc(%ebp)              # i = 0
 8048469:       eb 10                   jmp    804847b <tolower@plt+0xf3>   # enter read loop at its condition
 804846b:       8b 5d f4                mov    -0xc(%ebp),%ebx              # %ebx = i (callee-saved, survives the call)
 804846e:       e8 c5 fe ff ff          call   8048338 <getchar@plt>
 8048473:       88 44 1d e5             mov    %al,-0x1b(%ebp,%ebx,1)       # buf[i] = (char)getchar(); EOF not checked
 8048477:       83 45 f4 01             addl   $0x1,-0xc(%ebp)              # i++
 804847b:       83 7d f4 09             cmpl   $0x9,-0xc(%ebp)
 804847f:       7e ea                   jle    804846b <tolower@plt+0xe3>   # while (i <= 9): exactly 10 reads
 8048481:       8b 45 f4                mov    -0xc(%ebp),%eax
 8048484:       c6 44 05 e5 00          movb   $0x0,-0x1b(%ebp,%eax,1)      # buf[10] = '\0'
 8048489:       c7 45 f4 01 00 00 00    movl   $0x1,-0xc(%ebp)              # i = 1
 8048490:       eb 27                   jmp    80484b9 <tolower@plt+0x131>  # enter check loop at its condition
 8048492:       8b 45 f4                mov    -0xc(%ebp),%eax
 8048495:       83 e8 01                sub    $0x1,%eax                    # index i-1, i.e. buf[0..9]
 8048498:       0f b6 44 05 e5          movzbl -0x1b(%ebp,%eax,1),%eax
 804849d:       0f be c0                movsbl %al,%eax                     # sign-extend the byte to int
 80484a0:       89 04 24                mov    %eax,(%esp)
 80484a3:       e8 e0 fe ff ff          call   8048388 <tolower@plt>
 80484a8:       83 e8 31                sub    $0x31,%eax                   # c - '1'
 80484ab:       83 f8 04                cmp    $0x4,%eax
 80484ae:       77 05                   ja     80484b5 <tolower@plt+0x12d>  # unsigned: only 0x31..0x35 ('1'..'5') fall through
 80484b0:       83 45 f0 01             addl   $0x1,-0x10(%ebp)             # good++
 80484b4:       90                      nop
 80484b5:       83 45 f4 01             addl   $0x1,-0xc(%ebp)              # i++
 80484b9:       83 7d f4 0a             cmpl   $0xa,-0xc(%ebp)
 80484bd:       7e d3                   jle    8048492 <tolower@plt+0x10a>  # while (i <= 10)
 80484bf:       83 7d f0 0a             cmpl   $0xa,-0x10(%ebp)             # good == 10 ?  (gdb: break here, x/wx $ebp-0x10)
 80484c3:       75 16                   jne    80484db <tolower@plt+0x153>
 80484c5:       b8 e4 85 04 08          mov    $0x80485e4,%eax              # constant format string (contents not shown here)
 80484ca:       8d 55 e5                lea    -0x1b(%ebp),%edx
 80484cd:       89 54 24 04             mov    %edx,0x4(%esp)               # arg 1: buf
 80484d1:       89 04 24                mov    %eax,(%esp)                  # arg 0: format
 80484d4:       e8 8f fe ff ff          call   8048368 <printf@plt>         # printf(fmt, buf): buf is data, not the format -> no format-string bug
 80484d9:       eb 0c                   jmp    80484e7 <tolower@plt+0x15f>
 80484db:       c7 04 24 12 86 04 08    movl   $0x8048612,(%esp)            # failure string (contents not shown here)
 80484e2:       e8 91 fe ff ff          call   8048378 <puts@plt>
 80484e7:       83 c4 34                add    $0x34,%esp
 80484ea:       5b                      pop    %ebx
 80484eb:       5d                      pop    %ebp
 80484ec:       c3                      ret
 # sub_80484ed: trivial wrapper that only calls the password check at 8048454.
 80484ed:       55                      push   %ebp
 80484ee:       89 e5                   mov    %esp,%ebp
 80484f0:       83 ec 08                sub    $0x8,%esp
 80484f3:       e8 5c ff ff ff          call   8048454 <tolower@plt+0xcc>
 80484f8:       c9                      leave
 80484f9:       c3                      ret
 # sub_80484fa: stores the constant address 0x8048626 into a local that is
 # never read in this function, then calls the wrapper at 80484ed.  Worth a
 # `x/s 0x8048626` in gdb (presumably a string), but it plays no part in the
 # visible check.
 80484fa:       55                      push   %ebp
 80484fb:       89 e5                   mov    %esp,%ebp
 80484fd:       83 ec 18                sub    $0x18,%esp
 8048500:       c7 45 f4 26 86 04 08    movl   $0x8048626,-0xc(%ebp)        # written, never read here
 8048507:       e8 e1 ff ff ff          call   80484ed <tolower@plt+0x165>
 804850c:       c9                      leave
 804850d:       c3                      ret
 # main: 0x804850e is the last address pushed before the __libc_start_main
 # call at 80483bc, i.e. its first argument.  Realigns the stack to 16 bytes
 # and calls 80484fa; the return value is whatever that chain leaves in %eax.
 804850e:       55                      push   %ebp
 804850f:       89 e5                   mov    %esp,%ebp
 8048511:       83 e4 f0                and    $0xfffffff0,%esp             # 16-byte align
 8048514:       e8 e1 ff ff ff          call   80484fa <tolower@plt+0x172>
 8048519:       89 ec                   mov    %ebp,%esp                    # undo the alignment
 804851b:       5d                      pop    %ebp
 804851c:       c3                      ret
 804851d:       90                      nop
 804851e:       90                      nop
 804851f:       90                      nop
 # sub_8048520: empty function.  Its address is pushed at 80483ab (the fini
 # argument of __libc_start_main by the glibc convention).
 8048520:       55                      push   %ebp
 8048521:       89 e5                   mov    %esp,%ebp
 8048523:       5d                      pop    %ebp
 8048524:       c3                      ret
 8048525:       66 66 2e 0f 1f 84 00    data32 nopw %cs:0x0(%eax,%eax,1)
 804852c:       00 00 00 00
 # sub_8048530: pushed at 80483b0 (the init argument of __libc_start_main by
 # the glibc convention).  Saves the callee-saved registers, gets its own
 # address via the thunk at 804858a to form a PC-relative base in %ebx,
 # calls .init, then loops over a function-pointer array at -0xe0(%ebx),
 # forwarding its three stack arguments (argc, argv, envp by convention) to
 # each entry.  Both lea's compute the same address, so %edi = 0 and the
 # loop is skipped.  Not password related.
 8048530:       55                      push   %ebp
 8048531:       89 e5                   mov    %esp,%ebp
 8048533:       57                      push   %edi
 8048534:       56                      push   %esi
 8048535:       53                      push   %ebx
 8048536:       e8 4f 00 00 00          call   804858a <tolower@plt+0x202>  # %ebx = 0x804853b (own return address)
 804853b:       81 c3 79 12 00 00       add    $0x1279,%ebx                 # %ebx = 0x80497b4
 8048541:       83 ec 1c                sub    $0x1c,%esp
 8048544:       e8 af fd ff ff          call   80482f8 <getchar@plt-0x40>   # .init
 8048549:       8d bb 20 ff ff ff       lea    -0xe0(%ebx),%edi             # array end
 804854f:       8d 83 20 ff ff ff       lea    -0xe0(%ebx),%eax             # array start (same address)
 8048555:       29 c7                   sub    %eax,%edi
 8048557:       c1 ff 02                sar    $0x2,%edi                    # entry count = 0
 804855a:       85 ff                   test   %edi,%edi
 804855c:       74 24                   je     8048582 <tolower@plt+0x1fa>  # taken: nothing to call
 804855e:       31 f6                   xor    %esi,%esi                    # index = 0
 8048560:       8b 45 10                mov    0x10(%ebp),%eax
 8048563:       89 44 24 08             mov    %eax,0x8(%esp)               # arg 2
 8048567:       8b 45 0c                mov    0xc(%ebp),%eax
 804856a:       89 44 24 04             mov    %eax,0x4(%esp)               # arg 1
 804856e:       8b 45 08                mov    0x8(%ebp),%eax
 8048571:       89 04 24                mov    %eax,(%esp)                  # arg 0
 8048574:       ff 94 b3 20 ff ff ff    call   *-0xe0(%ebx,%esi,4)          # entry[index](arg0, arg1, arg2)
 804857b:       83 c6 01                add    $0x1,%esi
 804857e:       39 fe                   cmp    %edi,%esi
 8048580:       72 de                   jb     8048560 <tolower@plt+0x1d8>
 8048582:       83 c4 1c                add    $0x1c,%esp
 8048585:       5b                      pop    %ebx
 8048586:       5e                      pop    %esi
 8048587:       5f                      pop    %edi
 8048588:       5d                      pop    %ebp
 8048589:       c3                      ret
 # Thunk: returns the caller's return address in %ebx (i386 PIC get-pc idiom).
 804858a:       8b 1c 24                mov    (%esp),%ebx
 804858d:       c3                      ret
 804858e:       90                      nop
 804858f:       90                      nop
 # sub_8048590: called from .init (804831f).  Walks a -1 terminated list of
 # function pointers downward from 0x80496d4, calling each; does nothing if
 # the first entry is already -1.  Shape matches glibc's
 # __do_global_ctors_aux; not password related.
 8048590:       55                      push   %ebp
 8048591:       89 e5                   mov    %esp,%ebp
 8048593:       53                      push   %ebx
 8048594:       83 ec 04                sub    $0x4,%esp
 8048597:       a1 d4 96 04 08          mov    0x80496d4,%eax               # first entry
 804859c:       83 f8 ff                cmp    $0xffffffff,%eax             # list terminator?
 804859f:       74 13                   je     80485b4 <tolower@plt+0x22c>
 80485a1:       bb d4 96 04 08          mov    $0x80496d4,%ebx
 80485a6:       66 90                   xchg   %ax,%ax                      # 2-byte nop (loop alignment)
 80485a8:       83 eb 04                sub    $0x4,%ebx                    # step to the next-lower slot
 80485ab:       ff d0                   call   *%eax                        # call current entry
 80485ad:       8b 03                   mov    (%ebx),%eax
 80485af:       83 f8 ff                cmp    $0xffffffff,%eax
 80485b2:       75 f4                   jne    80485a8 <tolower@plt+0x220>  # until -1
 80485b4:       83 c4 04                add    $0x4,%esp
 80485b7:       5b                      pop    %ebx
 80485b8:       5d                      pop    %ebp
 80485b9:       c3                      ret
 80485ba:       90                      nop
 80485bb:       90                      nop

Disassembly of section .fini:

080485bc <.fini>:
 # .fini: runs at process exit.  Same call/pop PC-relative idiom as .init,
 # then calls the run-once table walker at 80483d0.  Not password related.
 80485bc:       55                      push   %ebp
 80485bd:       89 e5                   mov    %esp,%ebp
 80485bf:       53                      push   %ebx
 80485c0:       83 ec 04                sub    $0x4,%esp
 80485c3:       e8 00 00 00 00          call   80485c8 <tolower@plt+0x240>  # %ebx = 0x80485c8
 80485c8:       5b                      pop    %ebx
 80485c9:       81 c3 ec 11 00 00       add    $0x11ec,%ebx                 # %ebx = 0x80497b4
 80485cf:       e8 fc fd ff ff          call   80483d0 <tolower@plt+0x48>
 80485d4:       59                      pop    %ecx
 80485d5:       5b                      pop    %ebx
 80485d6:       c9                      leave
 80485d7:       c3                      ret

1 个答案:

答案 0 :(得分:0)

从代码看这应该是用 -O0 编译的：代码高度冗余，所有局部变量（计数器 -0x10(%ebp)、下标 -0xc(%ebp)）都放在内存里，每次使用都重新加载。

如果用一个会在分支目标处放置标签的反汇编器会轻松得多：这样你能一眼看出某段代码除了从上一条指令顺序执行到达之外，还可能从别处跳转进来（或者只能从别处跳进来）。Agner Fog 的 objconv 反汇编器就能做到这一点。另外，先定位 main：在 80483bc 调用 __libc_start_main 之前最后压栈的地址 0x804850e 就是 main；它依次调用 80484fa → 80484ed → 8048454，最后这个函数才是真正的密码检查。.init/.fini 以及 80483d0、8048430、8048530、8048590 这些例程都是编译器和 glibc 的启动/收尾代码，与密码无关。

读取循环在 804846b–804847f：下标 -0xc(%ebp) 从 0 数到 9（`cmpl $0x9` / `jle`），每轮调用一次 getchar 并把返回值的低字节（%al）存到 -0x1b(%ebp,%ebx,1)，固定读 10 个字符，既不检查换行也不检查 EOF。随后 8048484 在第 10 个位置写入 0 作为终止符，8048489 把下标重置为 1，而 8048490 的 `jmp 80484b9 <tolower@plt+0x131>` 是跳到第二个循环的条件判断处。

接下来的循环（8048492–80484bd，下标从 1 到 10，访问 str[i-1]，即 str[0..9]）每次从 -0x1b(%ebp,%eax,1) 加载一个字符，并且

# eax = tolower(str[i])
sub    $0x31,%eax    # subtract '1'
cmp    $0x4,%eax
ja     80484b5   # jump over an increment of a counter at -0x10(%ebp)

所以 80484bf 处的 cmpl $0xa,-0x10(%ebp) 不是在找换行符，而是在检查计数器：`sub $0x31` 之后用无符号比较 `cmp $0x4` / `ja`，等价于当 tolower(c) 落在 '1'..'5'（0x31–0x35）之间时计数器加一。只有 10 个字符全部满足条件（计数器等于 10）时才会走到 80484c5 的 printf（格式串固定在 0x80485e4，缓冲区只是作为参数传入，所以这里没有格式化字符串问题），否则 80484db 的 puts 打印失败信息。也就是说并不存在唯一的「隐藏密码」：任何由 '1'–'5' 组成的 10 位串（例如 1111111111）都能通过；因为通过条件只接受数字，tolower 对结果没有影响。要在 gdb 里验证，可以 `break *0x80484bf`，运行后用 `x/wx $ebp-0x10` 查看计数器、用 `x/s $ebp-0x1b` 查看读入的缓冲区；想看两条消息的内容则 `x/s 0x80485e4` 和 `x/s 0x8048612`。