如何从gdb读取fread值

时间:2017-03-12 16:27:32

标签: c assembly gdb decompiling

我有一个反编译得到的 C 文件(没有源代码)。程序读取两份数据(一份来自 `popen` 执行的 `cat ~/.flag`,一份来自 `/var/level01/.flag`)并比较二者内容是否相同。我想在 gdb 中查看 `data2` 的值,我已经尝试了

(gdb)x/s 0x08048591
0x8048591 <main+52>:    "\215E\327\211\004$\350t\376\377\377\211E\370\203", <incomplete sequence \370>

上下文:

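/*
 * Reconstruction of the challenge binary's main() from the disassembly at
 * 0x804855d (see the dump below), correcting the decompiler's output:
 *
 *  - The two fread() targets are NOT int32_t. They are two 33-byte stack
 *    buffers at ebp-0x29 and ebp-0x4a (0x4a - 0x29 = 0x21 = 33 bytes apart).
 *    fread() writes up to 32 bytes and the binary then stores a NUL at
 *    buf[n] (lea/add/movb $0x0 at main+94..+102 and main+190..+198), so the
 *    buffers must hold 32 bytes + terminator. Declaring them as int32_t
 *    would be a 28-byte stack overflow on a real build.
 *  - execl() is called with a NULL argv terminator (movl $0x0,0x8(%esp) at
 *    main+223); the decompiler dropped it.
 *
 * Behaviour is kept faithful to the binary: popen()/fopen() results are not
 * NULL-checked, exactly as in the disassembly.
 *
 * Returns 1 if either read fails, 0 after "Wrong password!", and does not
 * return at all when execl() succeeds.
 */
int main(int argc, char **argv) {
    (void)argc;
    (void)argv;

    char data[33];   /* ebp-0x29: contents of ~/.flag (32 bytes + NUL) */
    char data2[33];  /* ebp-0x4a: contents of /var/level01/.flag */
    size_t n;

    /* popen(3) runs the command through "sh -c", so "~" is expanded from
     * the HOME variable of the caller's environment, not a fixed path. */
    FILE *stream = popen("/bin/cat ~/.flag", "r"); /* 0x8048572 */

    n = fread(data, 1, 32, stream);                /* 0x8048597 */
    if (n == 0) {
        perror("fread");                           /* 0x80485a5 */
        return 1;                                  /* 0x8048682 */
    }
    data[n] = '\0';                                /* 0x80485bb..0x80485c3 */

    FILE *file = fopen("/var/level01/.flag", "r"); /* 0x80485d5 */

    n = fread(data2, 1, 32, file);                 /* 0x80485fa */
    if (n == 0) {
        perror("fread");                           /* 0x8048608 */
        return 1;                                  /* 0x8048682 */
    }
    data2[n] = '\0';                               /* 0x804861b..0x8048623 */

    /* Both buffers are NUL-terminated above, so strcmp() is bounded. */
    if (strcmp(data, data2) == 0) {                /* 0x8048633 */
        execl("/bin/sh", "/bin/sh", (char *)NULL); /* 0x8048653 */
        /* Only reached if execl() fails; the binary falls through. */
    }

    /* g1 is the FILE* loaded from 0x8049980 (main+251); presumably stderr
     * or stdout -- confirm against the binary's symbol table. */
    fwrite("Wrong password!\n", 1, 16, g1);        /* 0x8048678 */
    return 0;                                      /* 0x8048682 */
}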

我不太确定应该读取哪个地址、以及如何在 gdb 中把它打印出来,任何帮助都非常感谢。

编辑:

   0x0804855d <+0>: push   %ebp
   0x0804855e <+1>: mov    %esp,%ebp
   0x08048560 <+3>: sub    $0x5c,%esp
   0x08048563 <+6>: movl   $0x8048720,0x4(%esp)
   0x0804856b <+14>:    movl   $0x8048722,(%esp)
   0x08048572 <+21>:    call   0x80483e0 <popen@plt>
   0x08048577 <+26>:    mov    %eax,-0x4(%ebp)
   0x0804857a <+29>:    mov    -0x4(%ebp),%eax
   0x0804857d <+32>:    mov    %eax,0xc(%esp)
   0x08048581 <+36>:    movl   $0x20,0x8(%esp)
   0x08048589 <+44>:    movl   $0x1,0x4(%esp)
   0x08048591 <+52>:    lea    -0x29(%ebp),%eax
   0x08048594 <+55>:    mov    %eax,(%esp)
   0x08048597 <+58>:    call   0x8048410 <fread@plt>
   0x0804859c <+63>:    mov    %eax,-0x8(%ebp)
   0x0804859f <+66>:    cmpl   $0x0,-0x8(%ebp)
   0x080485a3 <+70>:    jne    0x80485bb <main+94>
   0x080485a5 <+72>:    movl   $0x8048735,(%esp)
   0x080485ac <+79>:    call   0x80483f0 <perror@plt>
   0x080485b1 <+84>:    mov    $0x1,%eax
   0x080485b6 <+89>:    jmp    0x8048682 <main+293>
   0x080485bb <+94>:    lea    -0x29(%ebp),%edx
   0x080485be <+97>:    mov    -0x8(%ebp),%eax
   0x080485c1 <+100>:   add    %edx,%eax
   0x080485c3 <+102>:   movb   $0x0,(%eax)
   0x080485c6 <+105>:   movl   $0x8048720,0x4(%esp)
   0x080485ce <+113>:   movl   $0x804873b,(%esp)
   0x080485d5 <+120>:   call   0x8048440 <fopen@plt>
   0x080485da <+125>:   mov    %eax,-0x4(%ebp)
   0x080485dd <+128>:   mov    -0x4(%ebp),%eax
   0x080485e0 <+131>:   mov    %eax,0xc(%esp)
   0x080485e4 <+135>:   movl   $0x20,0x8(%esp)
   0x080485ec <+143>:   movl   $0x1,0x4(%esp)
   0x080485f4 <+151>:   lea    -0x4a(%ebp),%eax
   0x080485f7 <+154>:   mov    %eax,(%esp)
   0x080485fa <+157>:   call   0x8048410 <fread@plt>
   0x080485ff <+162>:   mov    %eax,-0x8(%ebp)
   0x08048602 <+165>:   cmpl   $0x0,-0x8(%ebp)
   0x08048606 <+169>:   jne    0x804861b <main+190>
   0x08048608 <+171>:   movl   $0x8048735,(%esp)
---Type <return> to continue, or q <return> to quit---
   0x0804860f <+178>:   call   0x80483f0 <perror@plt>
   0x08048614 <+183>:   mov    $0x1,%eax
   0x08048619 <+188>:   jmp    0x8048682 <main+293>
   0x0804861b <+190>:   lea    -0x4a(%ebp),%edx
   0x0804861e <+193>:   mov    -0x8(%ebp),%eax
   0x08048621 <+196>:   add    %edx,%eax
   0x08048623 <+198>:   movb   $0x0,(%eax)
   0x08048626 <+201>:   lea    -0x4a(%ebp),%eax
   0x08048629 <+204>:   mov    %eax,0x4(%esp)
   0x0804862d <+208>:   lea    -0x29(%ebp),%eax
   0x08048630 <+211>:   mov    %eax,(%esp)
   0x08048633 <+214>:   call   0x80483d0 <strcmp@plt>
   0x08048638 <+219>:   test   %eax,%eax
   0x0804863a <+221>:   jne    0x8048658 <main+251>
   0x0804863c <+223>:   movl   $0x0,0x8(%esp)
   0x08048644 <+231>:   movl   $0x8048759,0x4(%esp)
   0x0804864c <+239>:   movl   $0x8048759,(%esp)
   0x08048653 <+246>:   call   0x8048450 <execl@plt>
   0x08048658 <+251>:   mov    0x8049980,%eax
   0x0804865d <+256>:   mov    %eax,0xc(%esp)
   0x08048661 <+260>:   movl   $0x10,0x8(%esp)
   0x08048669 <+268>:   movl   $0x1,0x4(%esp)
   0x08048671 <+276>:   movl   $0x8048761,(%esp)
   0x08048678 <+283>:   call   0x8048400 <fwrite@plt>
   0x0804867d <+288>:   mov    $0x0,%eax
   0x08048682 <+293>:   leave  
   0x08048683 <+294>:   ret    
End of assembler dump.

1 个答案:

答案 0:

  

我已反编译,

你很可能犯了一个错误。如果这是正确的反编译:

int32_t data;
if (fread((char *)&data, 1, 32, stream) == 0) {

那么这个程序就存在栈缓冲区溢出(fread 试图写入 32 个字节,而你只提供了 32 位、也就是 4 个字节的空间)。

正确的反编译更可能是下面这样(注意:从你随后贴出的反汇编看,两个缓冲区位于 -0x29(%ebp) 和 -0x4a(%ebp),相距 0x21 = 33 字节,并且 fread 返回后会在 buf[n] 处写入 '\0',所以实际大小应为 33 字节,即 `char data[33];`):

char data[32];
if (fread(data, 1, 32, stream) == 0) {
  

我想在 gdb 中读取 data2 的值,我试过了 `(gdb) x/s 0x08048591`

正如 gdb 的输出 `<main+52>` 所示,地址 0x08048591 位于 main 内部,是代码(一条用来计算缓冲区地址的 `lea` 指令),而不是数据本身。

您想要检查程序的数据(或堆栈),为此您需要在正确的地址上使用x/s

不幸的是,您没有提供程序的实际程序集,因此我们无法告诉您正确的地址应该是什么。

**更新**

第二个fread的反汇编是:

0x080485f4 <+151>:   lea    -0x4a(%ebp),%eax
0x080485f7 <+154>:   mov    %eax,(%esp)
0x080485fa <+157>:   call   0x8048410 <fread@plt>

这说明 data2 实际上位于栈上(地址为 ebp-0x4a);要查看它,在第二个 fread 返回之后执行:

x/s $ebp-0x4a

前提是先在 0x08048602 处的指令上下断点并停在那里(即第二个 fread 返回之后,此时该缓冲区已被填充并以 '\0' 结尾)。同理,`x/s $ebp-0x29` 可以打印第一个缓冲区 data 的内容。