我有一个反编译得到的 C 文件（没有源代码），它读取两个文件并比较二者内容是否相同。我想在 gdb 中读出 data2 的值，已经试过了：
(gdb)x/s 0x08048591
0x8048591 <main+52>: "\215E\327\211\004$\350t\376\377\377\211E\370\203", <incomplete sequence \370>
上下文:
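int main(int argc, char **argv) {
    /*
     * Decompiler output reconciled with the disassembly quoted below it.
     * The original listing typed `data`/`data2` as int32_t, but the binary
     * hands each of them to fread() with a 32-byte count and, after a
     * successful read, stores a '\0' at buf[n] (lea -0x29(%ebp)/-0x4a(%ebp),
     * add the fread result, movb $0x0). The two buffers live at ebp-0x29 and
     * ebp-0x4a, 0x21 = 33 bytes apart, so a 33-byte char array is the layout
     * the binary actually uses. argc/argv are never read.
     */
    (void)argc;
    (void)argv;

    /* 0x8048572. NOTE(review): '~' is expanded by /bin/sh from $HOME, so the
     * file read here depends on the caller's environment, not on a fixed path.
     * The binary does not check for a NULL stream before fread(). */
    FILE *stream = popen("/bin/cat ~/.flag", "r");
    char data[33];
    size_t n = fread(data, 1, 32, stream);
    if (n == 0) {
        /* 0x80485a5 */
        perror("fread");
        return 1;                                   /* 0x8048682 */
    }
    data[n] = '\0';                                 /* 0x80485bb..0x80485c3 */

    /* 0x80485d5 — again no NULL check on the FILE* before fread(). */
    FILE *file = fopen("/var/level01/.flag", "r");
    char data2[33];
    n = fread(data2, 1, 32, file);
    if (n == 0) {
        /* 0x8048608 */
        perror("fread");
        return 1;                                   /* 0x8048682 */
    }
    data2[n] = '\0';                                /* 0x804861b..0x8048623 */

    /* 0x8048633: both buffers are NUL-terminated by now, so strcmp is safe. */
    if (strcmp(data, data2) == 0) {
        /* 0x804863c. The disassembly passes a third, NULL argument
         * (movl $0x0,0x8(%esp)); the original listing dropped it. */
        execl("/bin/sh", "/bin/sh", (char *)NULL);
    }
    /* 0x8048658: reached when the strings differ or execl() fails.
     * g1 is the stream loaded from 0x8049980; it is not resolved here. */
    fwrite("Wrong password!\n", 1, 16, g1);
    return 0;                                       /* 0x8048682 */
}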
我不太确定应该读取哪个地址，以及如何在 gdb 中把它打印出来，望指点。
编辑:
0x0804855d <+0>: push %ebp
0x0804855e <+1>: mov %esp,%ebp
0x08048560 <+3>: sub $0x5c,%esp
0x08048563 <+6>: movl $0x8048720,0x4(%esp)
0x0804856b <+14>: movl $0x8048722,(%esp)
0x08048572 <+21>: call 0x80483e0 <popen@plt>
0x08048577 <+26>: mov %eax,-0x4(%ebp)
0x0804857a <+29>: mov -0x4(%ebp),%eax
0x0804857d <+32>: mov %eax,0xc(%esp)
0x08048581 <+36>: movl $0x20,0x8(%esp)
0x08048589 <+44>: movl $0x1,0x4(%esp)
0x08048591 <+52>: lea -0x29(%ebp),%eax
0x08048594 <+55>: mov %eax,(%esp)
0x08048597 <+58>: call 0x8048410 <fread@plt>
0x0804859c <+63>: mov %eax,-0x8(%ebp)
0x0804859f <+66>: cmpl $0x0,-0x8(%ebp)
0x080485a3 <+70>: jne 0x80485bb <main+94>
0x080485a5 <+72>: movl $0x8048735,(%esp)
0x080485ac <+79>: call 0x80483f0 <perror@plt>
0x080485b1 <+84>: mov $0x1,%eax
0x080485b6 <+89>: jmp 0x8048682 <main+293>
0x080485bb <+94>: lea -0x29(%ebp),%edx
0x080485be <+97>: mov -0x8(%ebp),%eax
0x080485c1 <+100>: add %edx,%eax
0x080485c3 <+102>: movb $0x0,(%eax)
0x080485c6 <+105>: movl $0x8048720,0x4(%esp)
0x080485ce <+113>: movl $0x804873b,(%esp)
0x080485d5 <+120>: call 0x8048440 <fopen@plt>
0x080485da <+125>: mov %eax,-0x4(%ebp)
0x080485dd <+128>: mov -0x4(%ebp),%eax
0x080485e0 <+131>: mov %eax,0xc(%esp)
0x080485e4 <+135>: movl $0x20,0x8(%esp)
0x080485ec <+143>: movl $0x1,0x4(%esp)
0x080485f4 <+151>: lea -0x4a(%ebp),%eax
0x080485f7 <+154>: mov %eax,(%esp)
0x080485fa <+157>: call 0x8048410 <fread@plt>
0x080485ff <+162>: mov %eax,-0x8(%ebp)
0x08048602 <+165>: cmpl $0x0,-0x8(%ebp)
0x08048606 <+169>: jne 0x804861b <main+190>
0x08048608 <+171>: movl $0x8048735,(%esp)
0x0804860f <+178>: call 0x80483f0 <perror@plt>
0x08048614 <+183>: mov $0x1,%eax
0x08048619 <+188>: jmp 0x8048682 <main+293>
0x0804861b <+190>: lea -0x4a(%ebp),%edx
0x0804861e <+193>: mov -0x8(%ebp),%eax
0x08048621 <+196>: add %edx,%eax
0x08048623 <+198>: movb $0x0,(%eax)
0x08048626 <+201>: lea -0x4a(%ebp),%eax
0x08048629 <+204>: mov %eax,0x4(%esp)
0x0804862d <+208>: lea -0x29(%ebp),%eax
0x08048630 <+211>: mov %eax,(%esp)
0x08048633 <+214>: call 0x80483d0 <strcmp@plt>
0x08048638 <+219>: test %eax,%eax
0x0804863a <+221>: jne 0x8048658 <main+251>
0x0804863c <+223>: movl $0x0,0x8(%esp)
0x08048644 <+231>: movl $0x8048759,0x4(%esp)
0x0804864c <+239>: movl $0x8048759,(%esp)
0x08048653 <+246>: call 0x8048450 <execl@plt>
0x08048658 <+251>: mov 0x8049980,%eax
0x0804865d <+256>: mov %eax,0xc(%esp)
0x08048661 <+260>: movl $0x10,0x8(%esp)
0x08048669 <+268>: movl $0x1,0x4(%esp)
0x08048671 <+276>: movl $0x8048761,(%esp)
0x08048678 <+283>: call 0x8048400 <fwrite@plt>
0x0804867d <+288>: mov $0x0,%eax
0x08048682 <+293>: leave
0x08048683 <+294>: ret
End of assembler dump.
答案 0 :(得分:2)
「我已反编译」——你很可能在反编译这一步就出了错。如果下面这段反编译是准确的：
int32_t data;
if (fread((char *)&data, 1, 32, stream) == 0) {
那么这个程序本身就存在栈缓冲区溢出：fread 试图读入 32 个字节，而 int32_t 只有 32 位（即 4 字节）的空间。
正确的反编译更可能是:
char data[32];
if (fread(data, 1, 32, stream) == 0) {
我想在gdb中读取data2的值,我试过了
(gdb)x/s 0x08048591
正如 GDB 的提示 `<main+52>` 所示，地址 0x08048591 位于 main 函数内部，属于代码而不是数据：你打印出来的 "\215E\327..." 正是那条 `lea -0x29(%ebp),%eax` 指令的机器码（8d 45 d7）。你要查看的是程序的数据（这里是栈），因此必须对正确的地址使用 x/s。
不幸的是,您没有提供程序的实际程序集,因此我们无法告诉您正确的地址应该是什么。
**更新**
第二个 fread 的反汇编是：
0x080485f4 <+151>: lea -0x4a(%ebp),%eax
0x080485f7 <+154>: mov %eax,(%esp)
0x080485fa <+157>: call 0x8048410 <fread@plt>
这说明两个缓冲区都在栈上：data 位于 `$ebp-0x29`，data2 位于 `$ebp-0x4a`（两者相距 0x21 = 33 字节；而且每次 fread 成功后代码都会在 buf+n 处写入 '\0'，所以用 x/s 把它当字符串打印是安全的）。在 fread 返回之后的那条指令上下断点，再查看缓冲区：
(gdb) break *0x08048602
(gdb) run
(gdb) x/s $ebp-0x4a
(gdb) x/s $ebp-0x29
注意必须停在 main 的栈帧内（例如上面这个地址），否则 $ebp 指向的不是这个帧。另外，data 来自 `popen("/bin/cat ~/.flag")`，其中 `~` 由 /bin/sh 按 $HOME 展开，所以在 gdb 下运行时读到的是当前环境所指向的那个文件。