我拿到了一個要求輸入密碼的可執行文件。找到隱藏密碼的唯一辦法是用 gdb 跟蹤 x86 指令。我試過在不同位置設斷點並查看寄存器的值，但仍不知道怎樣找出密碼。這也很難，因爲二進制文件已被剝離符號，沒有名爲 main 的函數。附上的 x86 反彙編很長，但我覺得其中很多部分並不相關。任何幫助都將不勝感激，我只是不知道從哪裏開始。謝謝。（標題：在 gdb 中跟蹤 x86 以查找密碼）
Disassembly of section .init:
# .init routine (ELF i386, AT&T syntax, objdump listing; symbols are stripped/obscured).
# Layout matches glibc's _init: load own PC to reach the GOT, call an optional weak hook
# if its GOT word is non-NULL, then run two CRT helpers. Not part of the password logic.
080482f8 <.init>:
80482f8: 55 push %ebp
80482f9: 89 e5 mov %esp,%ebp
80482fb: 53 push %ebx
80482fc: 83 ec 04 sub $0x4,%esp
80482ff: e8 00 00 00 00 call 8048304 <[email protected]>   # call to the very next instruction: pushes EIP so it can be popped
8048304: 5b pop %ebx   # ebx = 0x8048304 (own address)
8048305: 81 c3 b0 14 00 00 add $0x14b0,%ebx   # ebx = 0x80497b4 (the PLT's GOT slots sit just above, at 0x80497b8..)
804830b: 8b 93 fc ff ff ff mov -0x4(%ebx),%edx   # edx = *(0x80497b0)
8048311: 85 d2 test %edx,%edx
8048313: 74 05 je 804831a <[email protected]>   # word is NULL: skip the call (weak-symbol check pattern)
8048315: e8 2e 00 00 00 call 8048348 <[email protected]>   # PLT entry #2 (name stripped)
804831a: e8 11 01 00 00 call 8048430 <[email protected]+0xa8>   # CRT helper at 0x8048430 (see .text)
804831f: e8 6c 02 00 00 call 8048590 <[email protected]+0x208>   # constructor-list walker at 0x8048590 (see .text)
8048324: 58 pop %eax
8048325: 5b pop %ebx
8048326: c9 leave
8048327: c3 ret
Disassembly of section .plt:
# PLT entry 0: the lazy-binding trampoline. Each stub below jumps here with its
# relocation index on the stack; by ELF convention GOT[1] is the link_map and GOT[2]
# the dynamic linker's resolver.
08048328 <[email protected]>:
8048328: ff 35 b8 97 04 08 pushl 0x80497b8   # push GOT[1]
804832e: ff 25 bc 97 04 08 jmp *0x80497bc   # jump to GOT[2] (resolver)
8048334: 00 00 add %al,(%eax)   # padding bytes decoded as an instruction; never executed
...
# PLT entry #1 (imported function; name obscured in this listing). Called once per
# character at 0x804846e and only its 8-bit return value (%al) is kept, so it behaves
# like a one-byte read (getchar-like) — confirm in gdb after the first call has resolved
# the slot: `x/i *(void**)0x80497c0` (before that the slot still points at 0x804833e).
08048338 <[email protected]>:
8048338: ff 25 c0 97 04 08 jmp *0x80497c0   # jump through GOT slot
804833e: 68 00 00 00 00 push $0x0   # relocation index 0
8048343: e9 e0 ff ff ff jmp 8048328 <[email protected]>   # to PLT0 for lazy resolution
# PLT entry #2. Called only from .init (0x8048315) after a NULL check on a GOT word,
# which is the usual weak-hook pattern of _init. Not part of the password logic.
08048348 <[email protected]>:
8048348: ff 25 c4 97 04 08 jmp *0x80497c4   # jump through GOT slot
804834e: 68 08 00 00 00 push $0x8   # relocation index 1
8048353: e9 d0 ff ff ff jmp 8048328 <[email protected]>   # to PLT0
# PLT entry #3. Called from _start (0x80483bc) with seven pushed arguments and followed
# by `hlt`, which is the glibc __libc_start_main calling pattern (inferred from layout,
# name is stripped). Its first argument, 0x804850e, is therefore main.
08048358 <[email protected]>:
8048358: ff 25 c8 97 04 08 jmp *0x80497c8   # jump through GOT slot
804835e: 68 10 00 00 00 push $0x10   # relocation index 2
8048363: e9 c0 ff ff ff jmp 8048328 <[email protected]>   # to PLT0
# PLT entry #4. Called on the success path of the password routine (0x80484d4) with two
# arguments: a constant pointer 0x80485e4 first and the user input buffer second. If it
# is printf-like, the constant is the format string and the user buffer is only a value
# argument (so user input does not control the format). Dump it with `x/s 0x80485e4`.
08048368 <[email protected]>:
8048368: ff 25 cc 97 04 08 jmp *0x80497cc   # jump through GOT slot
804836e: 68 18 00 00 00 push $0x18   # relocation index 3
8048373: e9 b0 ff ff ff jmp 8048328 <getch[email protected]>   # to PLT0
# PLT entry #5. Called on the failure path of the password routine (0x80484e2) with a
# single constant pointer 0x8048612 (puts-like usage). Dump it with `x/s 0x8048612`.
08048378 <[email protected]>:
8048378: ff 25 d0 97 04 08 jmp *0x80497d0   # jump through GOT slot
804837e: 68 20 00 00 00 push $0x20   # relocation index 4
8048383: e9 a0 ff ff ff jmp 8048328 <[email protected]>   # to PLT0
# PLT entry #6. Called once per input character at 0x80484a3 with the sign-extended
# character as its only argument; the caller then tests whether the return value lies in
# 0x31..0x35 ('1'..'5'). This is the function that decides which characters are accepted,
# so `break *0x80484a8` (right after the call) and `p/c $eax` shows its result per byte.
08048388 <[email protected]>:
8048388: ff 25 d4 97 04 08 jmp *0x80497d4   # jump through GOT slot
804838e: 68 28 00 00 00 push $0x28   # relocation index 5
8048393: e9 90 ff ff ff jmp 8048328 <[email protected]>   # to PLT0
Disassembly of section .text:
# Program entry point (_start). Symbols are stripped, but the layout is the standard
# glibc i386 _start: clear %ebp, pop argc, take argv, realign the stack, then push seven
# arguments and call PLT entry #3 — in glibc that is
# __libc_start_main(main, argc, argv, init, fini, rtld_fini, stack_end). Since the first
# (last-pushed) argument is 0x804850e, that address is main: `break *0x804850e`.
080483a0 <.text>:
80483a0: 31 ed xor %ebp,%ebp   # outermost frame marker
80483a2: 5e pop %esi   # esi = argc
80483a3: 89 e1 mov %esp,%ecx   # ecx = argv
80483a5: 83 e4 f0 and $0xfffffff0,%esp   # 16-byte align the stack
80483a8: 50 push %eax   # padding / stack_end
80483a9: 54 push %esp   # stack_end
80483aa: 52 push %edx   # rtld_fini (from the dynamic linker)
80483ab: 68 20 85 04 08 push $0x8048520   # fini: empty routine at 0x8048520
80483b0: 68 30 85 04 08 push $0x8048530   # init: routine at 0x8048530
80483b5: 51 push %ecx   # argv
80483b6: 56 push %esi   # argc
80483b7: 68 0e 85 04 08 push $0x804850e   # main
80483bc: e8 97 ff ff ff call 8048358 <[email protected]>   # PLT #3, presumably __libc_start_main; never returns
80483c1: f4 hlt   # unreachable guard
80483c2: 90 nop   # padding to the next function
80483c3: 90 nop
80483c4: 90 nop
80483c5: 90 nop
80483c6: 90 nop
80483c7: 90 nop
80483c8: 90 nop
80483c9: 90 nop
80483ca: 90 nop
80483cb: 90 nop
80483cc: 90 nop
80483cd: 90 nop
80483ce: 90 nop
80483cf: 90 nop
# Routine at 0x80483d0, called from .fini. Layout matches a CRT destructor walker
# (__do_global_dtors_aux-like): a "done" flag byte at 0x80497dc, an index word at
# 0x80497e0 and a function-pointer table at 0x80496dc. The table length computed below
# is 0, so the loop body never runs. Not part of the password logic.
80483d0: 55 push %ebp
80483d1: 89 e5 mov %esp,%ebp
80483d3: 53 push %ebx
80483d4: 83 ec 04 sub $0x4,%esp
80483d7: 80 3d dc 97 04 08 00 cmpb $0x0,0x80497dc   # already done?
80483de: 75 3f jne 804841f <[email protected]+0x97>   # yes: return
80483e0: a1 e0 97 04 08 mov 0x80497e0,%eax   # eax = current index
80483e5: bb e0 96 04 08 mov $0x80496e0,%ebx
80483ea: 81 eb dc 96 04 08 sub $0x80496dc,%ebx   # ebx = 0x80496e0 - 0x80496dc = 4
80483f0: c1 fb 02 sar $0x2,%ebx   # /4 -> 1 slot
80483f3: 83 eb 01 sub $0x1,%ebx   # minus the terminator -> 0 entries
80483f6: 39 d8 cmp %ebx,%eax
80483f8: 73 1e jae 8048418 <[email protected]+0x90>   # index >= count (always, count is 0): skip loop
80483fa: 8d b6 00 00 00 00 lea 0x0(%esi),%esi   # alignment nop
8048400: 83 c0 01 add $0x1,%eax
8048403: a3 e0 97 04 08 mov %eax,0x80497e0   # ++index (stored before the call)
8048408: ff 14 85 dc 96 04 08 call *0x80496dc(,%eax,4)   # call table[index]
804840f: a1 e0 97 04 08 mov 0x80497e0,%eax   # re-read index (callee may have changed it)
8048414: 39 d8 cmp %ebx,%eax
8048416: 72 e8 jb 8048400 <[email protected]+0x78>   # loop while index < count
8048418: c6 05 dc 97 04 08 01 movb $0x1,0x80497dc   # mark done
804841f: 83 c4 04 add $0x4,%esp
8048422: 5b pop %ebx
8048423: 5d pop %ebp
8048424: c3 ret
8048425: 8d 74 26 00 lea 0x0(%esi,%eiz,1),%esi   # padding nops
8048429: 8d bc 27 00 00 00 00 lea 0x0(%edi,%eiz,1),%edi
# Routine at 0x8048430, called from .init. Layout matches CRT frame_dummy: it tests a
# word at 0x80496e4 and then a registration-function pointer, but that pointer is
# materialised as the constant 0 (weak symbol resolved to NULL at link time), so the
# indirect call is dead code. Not part of the password logic.
8048430: 55 push %ebp
8048431: 89 e5 mov %esp,%ebp
8048433: 83 ec 18 sub $0x18,%esp
8048436: a1 e4 96 04 08 mov 0x80496e4,%eax   # eax = *(0x80496e4)
804843b: 85 c0 test %eax,%eax
804843d: 74 12 je 8048451 <[email protected]+0xc9>   # NULL: return
804843f: b8 00 00 00 00 mov $0x0,%eax   # function pointer is a constant 0
8048444: 85 c0 test %eax,%eax
8048446: 74 09 je 8048451 <[email protected]+0xc9>   # always taken
8048448: c7 04 24 e4 96 04 08 movl $0x80496e4,(%esp)   # unreachable
804844f: ff d0 call *%eax   # unreachable
8048451: c9 leave
8048452: c3 ret
8048453: 90 nop
# Password check routine at 0x8048454 (reached from main 0x804850e -> 0x80484fa -> 0x80484ed).
# Frame: -0x1b(%ebp) = 11-byte buffer buf[0..10]; -0x10(%ebp) = count of accepted
# characters; -0xc(%ebp) = loop index. Imported functions are called through the PLT and
# their names are stripped; PLT1/PLT6/PLT4/PLT5 below refer to the stubs by order.
# Visible logic:
#   for (i = 0; i <= 9; i++) buf[i] = (char) PLT1();          // exactly 10 bytes, one call each
#   buf[10] = 0;
#   for (i = 1; i <= 10; i++)
#       if ((unsigned)(PLT6((int)(signed char) buf[i-1]) - 0x31) <= 4) count++;
#   if (count == 10) PLT4(0x80485e4, buf); else PLT5(0x8048612);
# A byte is accepted when PLT6 maps it into 0x31..0x35, i.e. the ASCII digits '1'..'5'.
# Note there is no secret string compared byte-for-byte: any 10-byte input whose bytes
# all map into that range passes (5^10 of them), and count is only ever incremented, so
# position does not matter. If PLT6 leaves ASCII digits unchanged (e.g. a case-mapping
# routine) then "1111111111" is an accepted input — confirm with `break *0x80484a8` and
# `p/c $eax` after each PLT6 call, or `break *0x80484bf` and `x/dw $ebp-0x10` for count.
# A newline or EOF within the first 10 bytes is stored like any other byte and fails
# the test, so the input must be at least 10 non-newline characters.
8048454: 55 push %ebp
8048455: 89 e5 mov %esp,%ebp
8048457: 53 push %ebx
8048458: 83 ec 34 sub $0x34,%esp
804845b: c7 45 f0 00 00 00 00 movl $0x0,-0x10(%ebp)   # count = 0
8048462: c7 45 f4 00 00 00 00 movl $0x0,-0xc(%ebp)   # i = 0
8048469: eb 10 jmp 804847b <[email protected]+0xf3>   # to loop condition
804846b: 8b 5d f4 mov -0xc(%ebp),%ebx   # ebx = i (preserved across the call)
804846e: e8 c5 fe ff ff call 8048338 <[email protected]>   # PLT1: one-byte read (getchar-like); a breakpoint here fires before input is read
8048473: 88 44 1d e5 mov %al,-0x1b(%ebp,%ebx,1)   # buf[i] = (char) result — only the low byte is kept
8048477: 83 45 f4 01 addl $0x1,-0xc(%ebp)   # i++
804847b: 83 7d f4 09 cmpl $0x9,-0xc(%ebp)
804847f: 7e ea jle 804846b <[email protected]+0xe3>   # while (i <= 9): 10 iterations
8048481: 8b 45 f4 mov -0xc(%ebp),%eax   # eax = 10
8048484: c6 44 05 e5 00 movb $0x0,-0x1b(%ebp,%eax,1)   # buf[10] = 0 (terminator, within the 11-byte buffer)
8048489: c7 45 f4 01 00 00 00 movl $0x1,-0xc(%ebp)   # i = 1
8048490: eb 27 jmp 80484b9 <[email protected]+0x131>   # to loop condition
8048492: 8b 45 f4 mov -0xc(%ebp),%eax
8048495: 83 e8 01 sub $0x1,%eax   # eax = i - 1
8048498: 0f b6 44 05 e5 movzbl -0x1b(%ebp,%eax,1),%eax   # eax = buf[i-1] (zero-extended)
804849d: 0f be c0 movsbl %al,%eax   # ...then sign-extended as a char
80484a0: 89 04 24 mov %eax,(%esp)   # arg0 = c
80484a3: e8 e0 fe ff ff call 8048388 <[email protected]>   # PLT6: per-character mapping, result in eax
80484a8: 83 e8 31 sub $0x31,%eax   # eax = result - '1'
80484ab: 83 f8 04 cmp $0x4,%eax
80484ae: 77 05 ja 80484b5 <[email protected]+0x12d>   # unsigned > 4, i.e. result not in '1'..'5': do not count
80484b0: 83 45 f0 01 addl $0x1,-0x10(%ebp)   # count++
80484b4: 90 nop
80484b5: 83 45 f4 01 addl $0x1,-0xc(%ebp)   # i++
80484b9: 83 7d f4 0a cmpl $0xa,-0xc(%ebp)
80484bd: 7e d3 jle 8048492 <[email protected]+0x10a>   # while (i <= 10): indices 0..9
80484bf: 83 7d f0 0a cmpl $0xa,-0x10(%ebp)   # all 10 accepted?
80484c3: 75 16 jne 80484db <[email protected]+0x153>   # no: failure path
80484c5: b8 e4 85 04 08 mov $0x80485e4,%eax   # constant string pointer (x/s 0x80485e4)
80484ca: 8d 55 e5 lea -0x1b(%ebp),%edx   # edx = buf
80484cd: 89 54 24 04 mov %edx,0x4(%esp)   # arg1 = buf
80484d1: 89 04 24 mov %eax,(%esp)   # arg0 = 0x80485e4
80484d4: e8 8f fe ff ff call 8048368 <[email protected]>   # PLT4: success output (user buffer is a value argument, not arg0)
80484d9: eb 0c jmp 80484e7 <[email protected]+0x15f>
80484db: c7 04 24 12 86 04 08 movl $0x8048612,(%esp)   # arg0 = constant string (x/s 0x8048612)
80484e2: e8 91 fe ff ff call 8048378 <[email protected]>   # PLT5: failure output
80484e7: 83 c4 34 add $0x34,%esp
80484ea: 5b pop %ebx
80484eb: 5d pop %ebp
80484ec: c3 ret
# Thin wrapper at 0x80484ed: sets up a frame and calls the password routine at
# 0x8048454 with no arguments. Called from 0x80484fa.
80484ed: 55 push %ebp
80484ee: 89 e5 mov %esp,%ebp
80484f0: 83 ec 08 sub $0x8,%esp
80484f3: e8 5c ff ff ff call 8048454 <[email protected]+0xcc>   # password check
80484f8: c9 leave
80484f9: c3 ret
# Wrapper at 0x80484fa, called from main. Stores the constant 0x8048626 in a local that
# is never read in this function (presumably a pointer into .rodata, e.g. a prompt or
# message — `x/s 0x8048626` to see it), then calls 0x80484ed.
80484fa: 55 push %ebp
80484fb: 89 e5 mov %esp,%ebp
80484fd: 83 ec 18 sub $0x18,%esp
8048500: c7 45 f4 26 86 04 08 movl $0x8048626,-0xc(%ebp)   # local = 0x8048626 (unused here)
8048507: e8 e1 ff ff ff call 80484ed <[email protected]+0x165>   # -> 0x8048454 password check
804850c: c9 leave
804850d: c3 ret
# main (stripped). Identified because _start pushes this address as the first argument
# of its libc start call. Realigns the stack to 16 bytes and calls 0x80484fa, which
# leads to the password routine at 0x8048454. `break *0x804850e` is the starting point.
804850e: 55 push %ebp
804850f: 89 e5 mov %esp,%ebp
8048511: 83 e4 f0 and $0xfffffff0,%esp   # 16-byte align the stack
8048514: e8 e1 ff ff ff call 80484fa <[email protected]+0x172>   # -> 0x80484ed -> 0x8048454
8048519: 89 ec mov %ebp,%esp
804851b: 5d pop %ebp
804851c: c3 ret   # return value is whatever the callee left in eax
804851d: 90 nop   # padding
804851e: 90 nop
804851f: 90 nop
# Empty function at 0x8048520 (frame push/pop only). _start passes it as the `fini`
# argument of the libc start call; presumably __libc_csu_fini. Not password-related.
8048520: 55 push %ebp
8048521: 89 e5 mov %esp,%ebp
8048523: 5d pop %ebp
8048524: c3 ret
8048525: 66 66 2e 0f 1f 84 00 data32 nopw %cs:0x0(%eax,%eax,1)   # multi-byte padding nop
804852c: 00 00 00 00
# Routine at 0x8048530, passed by _start as the `init` argument (presumably
# __libc_csu_init). Calls .init, then would iterate a function-pointer table passing
# (argc, argv, envp) from 8/0xc/0x10(%ebp) to each entry — but the table's start and end
# are the same address (-0xe0(%ebx) both times), so the entry count is 0 and the loop is
# skipped. Not part of the password logic.
8048530: 55 push %ebp
8048531: 89 e5 mov %esp,%ebp
8048533: 57 push %edi
8048534: 56 push %esi
8048535: 53 push %ebx
8048536: e8 4f 00 00 00 call 804858a <[email protected]+0x202>   # PC thunk: ebx = 0x804853b
804853b: 81 c3 79 12 00 00 add $0x1279,%ebx   # ebx = 0x80497b4 (GOT base)
8048541: 83 ec 1c sub $0x1c,%esp
8048544: e8 af fd ff ff call 80482f8 <[email protected]>   # .init
8048549: 8d bb 20 ff ff ff lea -0xe0(%ebx),%edi   # edi = table end
804854f: 8d 83 20 ff ff ff lea -0xe0(%ebx),%eax   # eax = table start (same address)
8048555: 29 c7 sub %eax,%edi
8048557: c1 ff 02 sar $0x2,%edi   # edi = entry count = 0
804855a: 85 ff test %edi,%edi
804855c: 74 24 je 8048582 <[email protected]+0x1fa>   # no entries: skip loop (always taken)
804855e: 31 f6 xor %esi,%esi   # esi = index
8048560: 8b 45 10 mov 0x10(%ebp),%eax
8048563: 89 44 24 08 mov %eax,0x8(%esp)   # arg2 = envp
8048567: 8b 45 0c mov 0xc(%ebp),%eax
804856a: 89 44 24 04 mov %eax,0x4(%esp)   # arg1 = argv
804856e: 8b 45 08 mov 0x8(%ebp),%eax
8048571: 89 04 24 mov %eax,(%esp)   # arg0 = argc
8048574: ff 94 b3 20 ff ff ff call *-0xe0(%ebx,%esi,4)   # call table[index]
804857b: 83 c6 01 add $0x1,%esi
804857e: 39 fe cmp %edi,%esi
8048580: 72 de jb 8048560 <[email protected]+0x1d8>   # while index < count
8048582: 83 c4 1c add $0x1c,%esp
8048585: 5b pop %ebx
8048586: 5e pop %esi
8048587: 5f pop %edi
8048588: 5d pop %ebp
8048589: c3 ret
# PC-load helper (the __i686.get_pc_thunk.bx idiom): copies the return address into
# %ebx so the caller can compute the GOT base, then returns.
804858a: 8b 1c 24 mov (%esp),%ebx   # ebx = return address
804858d: c3 ret
804858e: 90 nop   # padding
804858f: 90 nop
# Routine at 0x8048590, called from .init. Walks a function-pointer list downward in
# memory starting at 0x80496d4, calling each entry until it reads -1 (the classic
# .ctors / __do_global_ctors_aux layout). Not part of the password logic.
8048590: 55 push %ebp
8048591: 89 e5 mov %esp,%ebp
8048593: 53 push %ebx
8048594: 83 ec 04 sub $0x4,%esp
8048597: a1 d4 96 04 08 mov 0x80496d4,%eax   # eax = first entry
804859c: 83 f8 ff cmp $0xffffffff,%eax
804859f: 74 13 je 80485b4 <[email protected]+0x22c>   # -1 terminator: nothing to do
80485a1: bb d4 96 04 08 mov $0x80496d4,%ebx   # ebx = cursor
80485a6: 66 90 xchg %ax,%ax   # alignment nop
80485a8: 83 eb 04 sub $0x4,%ebx   # cursor -= 4 (walks toward lower addresses)
80485ab: ff d0 call *%eax   # call current entry
80485ad: 8b 03 mov (%ebx),%eax   # eax = next entry
80485af: 83 f8 ff cmp $0xffffffff,%eax
80485b2: 75 f4 jne 80485a8 <[email protected]+0x220>   # until -1
80485b4: 83 c4 04 add $0x4,%esp
80485b7: 5b pop %ebx
80485b8: 5d pop %ebp
80485b9: c3 ret
80485ba: 90 nop   # padding
80485bb: 90 nop
Disassembly of section .fini:
# .fini routine. Layout matches glibc's _fini: loads its own PC for the GOT base and
# calls the destructor walker at 0x80483d0. Runs at exit; not part of the password logic.
080485bc <.fini>:
80485bc: 55 push %ebp
80485bd: 89 e5 mov %esp,%ebp
80485bf: 53 push %ebx
80485c0: 83 ec 04 sub $0x4,%esp
80485c3: e8 00 00 00 00 call 80485c8 <[email protected]+0x240>   # call to next instruction to obtain EIP
80485c8: 5b pop %ebx   # ebx = 0x80485c8
80485c9: 81 c3 ec 11 00 00 add $0x11ec,%ebx   # ebx = 0x80497b4 (GOT base)
80485cf: e8 fc fd ff ff call 80483d0 <[email protected]+0x48>   # destructor walker
80485d4: 59 pop %ecx
80485d5: 5b pop %ebx
80485d6: c9 leave
80485d7: c3 ret
這是作業，對吧？它很像 bomb lab（炸彈實驗室）那類練習，只是二進制文件被剝離了符號。不替你做大量工作的話，我認爲沒人能直接回答這個問題。不過我會試着在調用 '<[email protected]>' 的地方設斷點，然後觀察緊隨其後的循環對用戶輸入做了什麼。 –
什麼是炸彈實驗室?我想自己做這項工作,我只是不知道從哪裏開始。我會嘗試在那裏設置一個斷點。 – masonc15
我在那裏設置了斷點，但 gdb 在程序還沒讓用戶輸入任何東西之前就命中了該斷點。 – masonc15