
我拿到了一個要求輸入密碼的可執行文件。找出隱藏密碼的唯一辦法是用 gdb 跟蹤它的 x86 彙編。我試過在不同位置設置斷點並查看寄存器的值，但還是弄不清楚該怎樣找到密碼。另一個困難是反彙編裏找不到 main 函數。附上的 x86 反彙編很長，但我覺得其中很多部分並不相關。任何幫助都將不勝感激，我只是不知道從哪裏開始。謝謝。（標題：在 gdb 中跟蹤 x86 以查找密碼）

Disassembly of section .init: 

080482f8 <.init>: 
# .init: section-level initialisation stub. It is reached from the routine at
# 8048530 (call at 8048544), i.e. before main runs. The call/pop pair at
# 80482ff/8048304 is the i386 "get PC" idiom; after the add, %ebx =
# 0x8048304 + 0x14b0 = 0x80497b4, the GOT base that every PIC routine in
# this listing recomputes the same way.
# The angle-bracket symbol names throughout the listing were replaced by the
# page's e-mail scrubber and carry no information; navigate by address.
80482f8:  55      push %ebp 
80482f9:  89 e5     mov %esp,%ebp 
80482fb:  53      push %ebx 
80482fc:  83 ec 04    sub $0x4,%esp 
80482ff:  e8 00 00 00 00   call 8048304 <[email protected]>   # call the next instruction: pushes 0x8048304
8048304:  5b      pop %ebx                      # %ebx = 0x8048304 (own address)
8048305:  81 c3 b0 14 00 00  add $0x14b0,%ebx   # %ebx = 0x80497b4 (GOT base)
804830b:  8b 93 fc ff ff ff  mov -0x4(%ebx),%edx  # %edx = word at 0x80497b0 (a GOT slot; presumably a weak hook such as __gmon_start__ - confirm with x/wx)
8048311:  85 d2     test %edx,%edx 
8048313:  74 05     je  804831a <[email protected]>   # slot is NULL -> skip the call
8048315:  e8 2e 00 00 00   call 8048348 <[email protected]>   # PLT stub with push $0x8; only when the slot is non-zero
804831a:  e8 11 01 00 00   call 8048430 <[email protected]+0xa8>   # routine at 8048430 (its indirect call is dead: %eax is loaded with 0 there)
804831f:  e8 6c 02 00 00   call 8048590 <[email protected]+0x208>  # routine at 8048590: walks the pointer table ending at 0x80496d4
8048324:  58      pop %eax                      # undo the sub $0x4 above (value discarded)
8048325:  5b      pop %ebx 
8048326:  c9      leave 
8048327:  c3      ret 

Disassembly of section .plt: 

# .plt: lazy-binding stubs. The first entry (8048328) is the resolver
# trampoline: it pushes the word at 0x80497b8 and jumps through 0x80497bc.
# Every other entry is the same three-instruction pattern: jump through its
# own GOT slot (0x80497c0 .. 0x80497d4, 4 bytes apart); until the symbol is
# resolved the slot points back at the `push $N` below, which records the
# relocation index (0x0, 0x8, ... 0x28) and falls into the resolver.
# The real names were lost to the page's e-mail scrubber; what the program
# text does with each stub is visible from the call sites:
#   stub 8048338 (push $0x0)  - called 10 times in a loop at 804846e with no
#                               arguments; the low byte of the result is stored
#   stub 8048348 (push $0x8)  - called from .init only if GOT slot 0x80497b0 is non-zero
#   stub 8048358 (push $0x10) - called once at 80483bc with main/init/fini pushed; never returns (hlt follows)
#   stub 8048368 (push $0x18) - called at 80484d4 with (0x80485e4, buffer) on the success path
#   stub 8048378 (push $0x20) - called at 80484e2 with (0x8048612) on the failure path
#   stub 8048388 (push $0x28) - called once per character at 80484a3
# gdb note: a breakpoint on a stub fires for every caller, including start-up
# code that runs before any input is read; breaking on the call site inside
# the loop (e.g. 804846e) stops only where the input is handled.
08048328 <[email protected]>: 
8048328:  ff 35 b8 97 04 08  pushl 0x80497b8   # GOT[1]: link_map argument for the resolver (presumably)
804832e:  ff 25 bc 97 04 08  jmp *0x80497bc    # GOT[2]: address of the lazy resolver (presumably)
8048334:  00 00     add %al,(%eax)              # padding bytes, not code
     ... 

08048338 <[email protected]>: 
8048338:  ff 25 c0 97 04 08  jmp *0x80497c0    # GOT slot for this import
804833e:  68 00 00 00 00   push $0x0          # relocation index 0
8048343:  e9 e0 ff ff ff   jmp 8048328 <[email protected]> 

08048348 <[email protected]>: 
8048348:  ff 25 c4 97 04 08  jmp *0x80497c4 
804834e:  68 08 00 00 00   push $0x8          # relocation index 1
8048353:  e9 d0 ff ff ff   jmp 8048328 <[email protected]> 

08048358 <[email protected]>: 
8048358:  ff 25 c8 97 04 08  jmp *0x80497c8 
804835e:  68 10 00 00 00   push $0x10         # relocation index 2
8048363:  e9 c0 ff ff ff   jmp 8048328 <[email protected]> 

08048368 <[email protected]>: 
8048368:  ff 25 cc 97 04 08  jmp *0x80497cc 
804836e:  68 18 00 00 00   push $0x18         # relocation index 3
8048373:  e9 b0 ff ff ff   jmp 8048328 <getch[email protected]> 

08048378 <[email protected]>: 
8048378:  ff 25 d0 97 04 08  jmp *0x80497d0 
804837e:  68 20 00 00 00   push $0x20         # relocation index 4
8048383:  e9 a0 ff ff ff   jmp 8048328 <[email protected]> 

08048388 <[email protected]>: 
8048388:  ff 25 d4 97 04 08  jmp *0x80497d4 
804838e:  68 28 00 00 00   push $0x28         # relocation index 5
8048393:  e9 90 ff ff ff   jmp 8048328 <[email protected]> 

Disassembly of section .text: 

080483a0 <.text>: 
# Process entry (.text begins here; presumably the ELF entry point - confirm
# with readelf -h). The shape matches the usual i386 glibc _start: clear %ebp
# to mark the outermost frame, pop argc into %esi, remember argv (= %esp) in
# %ecx, align the stack, then push seven words and call the PLT stub at
# 8048358, which does not return (hlt follows). Read as cdecl arguments, the
# pushes are (first argument last pushed):
#   0x804850e, argc, argv, 0x8048530, 0x8048520, %edx, %esp
# which in __libc_start_main order makes 0x804850e the real `main`,
# 0x8048530 the init routine and 0x8048520 the fini routine. That is why no
# `main` symbol is visible: the binary is stripped, not main-less.
80483a0:  31 ed     xor %ebp,%ebp               # outermost frame marker
80483a2:  5e      pop %esi                      # %esi = argc
80483a3:  89 e1     mov %esp,%ecx               # %ecx = argv
80483a5:  83 e4 f0    and $0xfffffff0,%esp      # 16-byte align the stack
80483a8:  50      push %eax                     # padding word (value irrelevant - hedged)
80483a9:  54      push %esp                     # stack_end
80483aa:  52      push %edx                     # rtld_fini as left in %edx by the loader (presumably)
80483ab:  68 20 85 04 08   push $0x8048520      # fini: the empty routine at 8048520
80483b0:  68 30 85 04 08   push $0x8048530      # init: the routine at 8048530
80483b5:  51      push %ecx                     # argv
80483b6:  56      push %esi                     # argc
80483b7:  68 0e 85 04 08   push $0x804850e      # main: the routine at 804850e
80483bc:  e8 97 ff ff ff   call 8048358 <[email protected]>   # PLT stub with push $0x10
80483c1:  f4      hlt                           # not expected to be reached
80483c2:  90      nop                           # padding up to the next 16-byte boundary
80483c3:  90      nop 
80483c4:  90      nop 
80483c5:  90      nop 
80483c6:  90      nop 
80483c7:  90      nop 
80483c8:  90      nop 
80483c9:  90      nop 
80483ca:  90      nop 
80483cb:  90      nop 
80483cc:  90      nop 
80483cd:  90      nop 
80483ce:  90      nop 
80483cf:  90      nop 
# Routine at 80483d0, called from .fini (80485cf). Run-once guard on the
# byte at 0x80497dc; then a loop over a function-pointer table at
# 0x80496dc indexed by the counter at 0x80497e0. Note the table-size
# arithmetic: %ebx = ((0x80496e0 - 0x80496dc) >> 2) - 1 = 0, and the
# `jae` below is an unsigned compare, so with %ebx = 0 the loop body is
# always skipped - the table has no callable entries. (The shape is the
# classic destructor-table walk; the exact table contents are not on the
# page - confirm with x/2wx 0x80496dc.)
80483d0:  55      push %ebp 
80483d1:  89 e5     mov %esp,%ebp 
80483d3:  53      push %ebx 
80483d4:  83 ec 04    sub $0x4,%esp 
80483d7:  80 3d dc 97 04 08 00 cmpb $0x0,0x80497dc   # already done?
80483de:  75 3f     jne 804841f <[email protected]+0x97>   # yes -> return
80483e0:  a1 e0 97 04 08   mov 0x80497e0,%eax          # %eax = current index
80483e5:  bb e0 96 04 08   mov $0x80496e0,%ebx         # table end
80483ea:  81 eb dc 96 04 08  sub $0x80496dc,%ebx       # minus table start = 4
80483f0:  c1 fb 02    sar $0x2,%ebx                    # /4 = 1 entry
80483f3:  83 eb 01    sub $0x1,%ebx                    # minus sentinel = 0
80483f6:  39 d8     cmp %ebx,%eax 
80483f8:  73 1e     jae 8048418 <[email protected]+0x90>   # index >= 0 (unsigned) is always true -> skip loop
80483fa:  8d b6 00 00 00 00  lea 0x0(%esi),%esi        # multi-byte nop (loop alignment)
8048400:  83 c0 01    add $0x1,%eax                    # loop body (never executed here)
8048403:  a3 e0 97 04 08   mov %eax,0x80497e0 
8048408:  ff 14 85 dc 96 04 08 call *0x80496dc(,%eax,4)   # call table[index]
804840f:  a1 e0 97 04 08   mov 0x80497e0,%eax 
8048414:  39 d8     cmp %ebx,%eax 
8048416:  72 e8     jb  8048400 <[email protected]+0x78> 
8048418:  c6 05 dc 97 04 08 01 movb $0x1,0x80497dc     # mark as done
804841f:  83 c4 04    add $0x4,%esp 
8048422:  5b      pop %ebx 
8048423:  5d      pop %ebp 
8048424:  c3      ret 
8048425:  8d 74 26 00    lea 0x0(%esi,%eiz,1),%esi     # padding nops before the next routine
8048429:  8d bc 27 00 00 00 00 lea 0x0(%edi,%eiz,1),%edi 
# Routine at 8048430, called from .init (804831a). It tests the word at
# 0x80496e4 and, if non-zero, loads the immediate 0 into %eax and tests it
# again - so the indirect `call *%eax` at 804844f can never execute. This
# looks like a weak-function check whose target resolved to NULL at link
# time (hedged); as assembled the routine is a no-op apart from the load.
8048430:  55      push %ebp 
8048431:  89 e5     mov %esp,%ebp 
8048433:  83 ec 18    sub $0x18,%esp 
8048436:  a1 e4 96 04 08   mov 0x80496e4,%eax          # first word of the table at 0x80496e4
804843b:  85 c0     test %eax,%eax 
804843d:  74 12     je  8048451 <[email protected]+0xc9>   # zero -> return
804843f:  b8 00 00 00 00   mov $0x0,%eax               # constant 0 (the would-be callee)
8048444:  85 c0     test %eax,%eax 
8048446:  74 09     je  8048451 <[email protected]+0xc9>   # always taken
8048448:  c7 04 24 e4 96 04 08 movl $0x80496e4,(%esp)  # dead: argument for the unreachable call
804844f:  ff d0     call *%eax                          # dead: never reached
8048451:  c9      leave 
8048452:  c3      ret 
8048453:  90      nop 
# Routine at 8048454 - the password check the question is about. Reached
# from main (804850e) via 80484fa and 80484ed. Frame (after push %ebx and
# sub $0x34):
#   -0x1b(%ebp) .. -0x11(%ebp) : 11-byte buffer (10 characters + NUL)
#   -0x10(%ebp)                : count of characters that pass the range test
#   -0xc(%ebp)                 : loop index
# Phase 1 (804846b-804847f): for i = 0..9 call the PLT stub at 8048338
#   with no arguments (by shape presumably a one-character read such as
#   getchar - confirm) and store the low byte of the result at buf[i];
#   then buf[10] = 0. Exactly ten bytes are stored no matter what they
#   are: the buffer cannot overflow, but a newline or EOF is stored like
#   any other byte and nothing is checked for errors.
# Phase 2 (8048492-80484bd): for i = 1..10 pass (int)(signed char)buf[i-1]
#   to the PLT stub at 8048388 and test whether result - 0x31 <= 4 as an
#   UNSIGNED value (`ja`); values below 0x31 wrap around and fail too, so
#   the counter is incremented only when the result is in '1'..'5'.
# Phase 3 (80484bf-80484e7): if all 10 characters passed, call the stub at
#   8048368 with (0x80485e4, buf) - a constant first argument plus the
#   buffer, by shape a printf-style call (hedged); otherwise call the stub
#   at 8048378 with the single argument 0x8048612. Both constants are
#   .rodata addresses; `x/s 0x80485e4` and `x/s 0x8048612` in gdb show them.
# Consequence: if the stub at 8048388 leaves digits unchanged (e.g. it is
#   tolower/toupper), the test is a per-character range check, not a
#   comparison against a stored secret - any ten characters in '1'..'5'
#   satisfy it. There is no single hidden string to extract.
8048454:  55      push %ebp 
8048455:  89 e5     mov %esp,%ebp 
8048457:  53      push %ebx 
8048458:  83 ec 34    sub $0x34,%esp 
804845b:  c7 45 f0 00 00 00 00 movl $0x0,-0x10(%ebp)  # count = 0
8048462:  c7 45 f4 00 00 00 00 movl $0x0,-0xc(%ebp)   # i = 0
8048469:  eb 10     jmp 804847b <[email protected]+0xf3>   # jump to loop condition (-O0 loop shape)
804846b:  8b 5d f4    mov -0xc(%ebp),%ebx              # %ebx = i (kept across the call: callee-saved)
804846e:  e8 c5 fe ff ff   call 8048338 <[email protected]>   # read one character (no arguments set up)
8048473:  88 44 1d e5    mov %al,-0x1b(%ebp,%ebx,1)    # buf[i] = (char)result
8048477:  83 45 f4 01    addl $0x1,-0xc(%ebp)          # i++
804847b:  83 7d f4 09    cmpl $0x9,-0xc(%ebp) 
804847f:  7e ea     jle 804846b <[email protected]+0xe3>   # while (i <= 9): fixed 10 iterations
8048481:  8b 45 f4    mov -0xc(%ebp),%eax              # %eax = 10
8048484:  c6 44 05 e5 00   movb $0x0,-0x1b(%ebp,%eax,1)   # buf[10] = '\0'
8048489:  c7 45 f4 01 00 00 00 movl $0x1,-0xc(%ebp)   # i = 1 (second loop indexes buf[i-1])
8048490:  eb 27     jmp 80484b9 <[email protected]+0x131>  # first instruction of the second loop: jump to its condition
8048492:  8b 45 f4    mov -0xc(%ebp),%eax 
8048495:  83 e8 01    sub $0x1,%eax                    # %eax = i - 1
8048498:  0f b6 44 05 e5   movzbl -0x1b(%ebp,%eax,1),%eax   # %eax = buf[i-1] zero-extended ...
804849d:  0f be c0    movsbl %al,%eax                  # ... then sign-extended (-O0 redundancy; net effect: (int)(signed char))
80484a0:  89 04 24    mov %eax,(%esp)                  # argument 0 = the character
80484a3:  e8 e0 fe ff ff   call 8048388 <[email protected]>   # per-character transform; the answer assumes tolower - confirm
80484a8:  83 e8 31    sub $0x31,%eax                   # result - '1'
80484ab:  83 f8 04    cmp $0x4,%eax 
80484ae:  77 05     ja  80484b5 <[email protected]+0x12d>  # unsigned: skip unless result in '1'..'5'
80484b0:  83 45 f0 01    addl $0x1,-0x10(%ebp)         # count++
80484b4:  90      nop 
80484b5:  83 45 f4 01    addl $0x1,-0xc(%ebp)          # i++
80484b9:  83 7d f4 0a    cmpl $0xa,-0xc(%ebp) 
80484bd:  7e d3     jle 8048492 <[email protected]+0x10a>  # while (i <= 10)
80484bf:  83 7d f0 0a    cmpl $0xa,-0x10(%ebp)         # all ten characters passed?
80484c3:  75 16     jne 80484db <[email protected]+0x153>  # no -> failure path
80484c5:  b8 e4 85 04 08   mov $0x80485e4,%eax         # constant .rodata address (format string, presumably)
80484ca:  8d 55 e5    lea -0x1b(%ebp),%edx             # &buf
80484cd:  89 54 24 04    mov %edx,0x4(%esp)            # argument 1 = buf
80484d1:  89 04 24    mov %eax,(%esp)                  # argument 0 = 0x80485e4
80484d4:  e8 8f fe ff ff   call 8048368 <[email protected]>   # success output
80484d9:  eb 0c     jmp 80484e7 <[email protected]+0x15f> 
80484db:  c7 04 24 12 86 04 08 movl $0x8048612,(%esp)  # argument 0 = 0x8048612 (.rodata string, presumably)
80484e2:  e8 91 fe ff ff   call 8048378 <[email protected]>   # failure output
80484e7:  83 c4 34    add $0x34,%esp 
80484ea:  5b      pop %ebx 
80484eb:  5d      pop %ebp 
80484ec:  c3      ret 
# Routine at 80484ed: argument-less wrapper around the check at 8048454.
# Called from 8048507. Nothing is passed or returned explicitly.
80484ed:  55      push %ebp 
80484ee:  89 e5     mov %esp,%ebp 
80484f0:  83 ec 08    sub $0x8,%esp                    # keeps the stack aligned for the call
80484f3:  e8 5c ff ff ff   call 8048454 <[email protected]+0xcc>   # the password check
80484f8:  c9      leave 
80484f9:  c3      ret 
# Routine at 80484fa, called from main (8048514). It stores the .rodata
# address 0x8048626 into a local and then calls 80484ed. The local is never
# read again in this routine and is not passed to the callee, and the check
# at 8048454 only addresses its own frame - so whatever 0x8048626 points at
# (`x/s 0x8048626` shows it) does not take part in the comparison. Hedged:
# it may be an unused variable left in by -O0.
80484fa:  55      push %ebp 
80484fb:  89 e5     mov %esp,%ebp 
80484fd:  83 ec 18    sub $0x18,%esp 
8048500:  c7 45 f4 26 86 04 08 movl $0x8048626,-0xc(%ebp)   # local = 0x8048626 (dead store)
8048507:  e8 e1 ff ff ff   call 80484ed <[email protected]+0x165>   # -> wrapper -> check at 8048454
804850c:  c9      leave 
804850d:  c3      ret 
# Routine at 804850e: this is the address pushed as the first argument in
# _start (80483b7), i.e. the program's `main` (the symbol is stripped).
# Call chain: 804850e -> 80484fa -> 80484ed -> 8048454 (the check).
# A gdb breakpoint here (`break *0x804850e`) stops after the start-up code
# but before any input is read.
804850e:  55      push %ebp 
804850f:  89 e5     mov %esp,%ebp 
8048511:  83 e4 f0    and $0xfffffff0,%esp             # 16-byte align (main's usual prologue)
8048514:  e8 e1 ff ff ff   call 80484fa <[email protected]+0x172> 
8048519:  89 ec     mov %ebp,%esp 
804851b:  5d      pop %ebp 
804851c:  c3      ret                                  # return value: whatever 80484fa left in %eax
804851d:  90      nop 
804851e:  90      nop 
804851f:  90      nop 
# Routine at 8048520: the address pushed as the fini argument in _start
# (80483ab). It does nothing (push/pop/ret). The trailing data32 nopw bytes
# are alignment padding, not code.
8048520:  55      push %ebp 
8048521:  89 e5     mov %esp,%ebp 
8048523:  5d      pop %ebp 
8048524:  c3      ret 
8048525:  66 66 2e 0f 1f 84 00 data32 nopw %cs:0x0(%eax,%eax,1)   # padding
804852c:  00 00 00 00 
# Routine at 8048530: the address pushed as the init argument in _start
# (80483b0). It takes three stack arguments (8, 0xc, 0x10 off %ebp; by
# position argc/argv/envp - hedged). The thunk at 804858a loads the return
# address into %ebx; after the add, %ebx = 0x804853b + 0x1279 = 0x80497b4
# (GOT base). It calls .init, then would call every entry of a
# function-pointer table at -0xe0(%ebx) = 0x80496d4 with the three
# arguments - but both `lea`s compute the same address, so %edi = 0 and the
# loop body (8048560-8048580) never runs: that table is empty.
8048530:  55      push %ebp 
8048531:  89 e5     mov %esp,%ebp 
8048533:  57      push %edi 
8048534:  56      push %esi 
8048535:  53      push %ebx 
8048536:  e8 4f 00 00 00   call 804858a <[email protected]+0x202>   # get-PC thunk: %ebx = 0x804853b
804853b:  81 c3 79 12 00 00  add $0x1279,%ebx          # %ebx = 0x80497b4 (GOT base)
8048541:  83 ec 1c    sub $0x1c,%esp 
8048544:  e8 af fd ff ff   call 80482f8 <[email protected]>   # .init
8048549:  8d bb 20 ff ff ff  lea -0xe0(%ebx),%edi      # table end   = 0x80496d4
804854f:  8d 83 20 ff ff ff  lea -0xe0(%ebx),%eax      # table start = 0x80496d4
8048555:  29 c7     sub %eax,%edi                      # %edi = 0
8048557:  c1 ff 02    sar $0x2,%edi                    # entry count = 0
804855a:  85 ff     test %edi,%edi 
804855c:  74 24     je  8048582 <[email protected]+0x1fa>   # empty -> skip loop (always)
804855e:  31 f6     xor %esi,%esi                      # %esi = index (loop never entered)
8048560:  8b 45 10    mov 0x10(%ebp),%eax 
8048563:  89 44 24 08    mov %eax,0x8(%esp)            # argument 2
8048567:  8b 45 0c    mov 0xc(%ebp),%eax 
804856a:  89 44 24 04    mov %eax,0x4(%esp)            # argument 1
804856e:  8b 45 08    mov 0x8(%ebp),%eax 
8048571:  89 04 24    mov %eax,(%esp)                  # argument 0
8048574:  ff 94 b3 20 ff ff ff call *-0xe0(%ebx,%esi,4)   # table[index](a0, a1, a2)
804857b:  83 c6 01    add $0x1,%esi 
804857e:  39 fe     cmp %edi,%esi 
8048580:  72 de     jb  8048560 <[email protected]+0x1d8>   # unsigned loop bound
8048582:  83 c4 1c    add $0x1c,%esp 
8048585:  5b      pop %ebx 
8048586:  5e      pop %esi 
8048587:  5f      pop %edi 
8048588:  5d      pop %ebp 
8048589:  c3      ret 
# get-PC thunk used at 8048536: returns its own return address in %ebx.
804858a:  8b 1c 24    mov (%esp),%ebx 
804858d:  c3      ret 
804858e:  90      nop 
804858f:  90      nop 
# Routine at 8048590, called from .init (804831f). Walks a function-pointer
# table BACKWARDS from 0x80496d4 until it finds the sentinel 0xffffffff,
# calling each entry with no arguments (the classic constructor-table walk -
# hedged). If the word at 0x80496d4 is already -1 nothing is called; this
# is the place to check (`x/wx 0x80496d4`) whether any code runs before
# main. The `xchg %ax,%ax` is a 2-byte nop aligning the loop head.
8048590:  55      push %ebp 
8048591:  89 e5     mov %esp,%ebp 
8048593:  53      push %ebx 
8048594:  83 ec 04    sub $0x4,%esp 
8048597:  a1 d4 96 04 08   mov 0x80496d4,%eax          # %eax = last table entry
804859c:  83 f8 ff    cmp $0xffffffff,%eax 
804859f:  74 13     je  80485b4 <[email protected]+0x22c>  # sentinel -> nothing to do
80485a1:  bb d4 96 04 08   mov $0x80496d4,%ebx         # %ebx = cursor
80485a6:  66 90     xchg %ax,%ax                       # alignment nop
80485a8:  83 eb 04    sub $0x4,%ebx                    # cursor-- (4-byte entries)
80485ab:  ff d0     call *%eax                         # call current entry
80485ad:  8b 03     mov (%ebx),%eax                    # %eax = next entry (lower address)
80485af:  83 f8 ff    cmp $0xffffffff,%eax 
80485b2:  75 f4     jne 80485a8 <[email protected]+0x220>  # until sentinel
80485b4:  83 c4 04    add $0x4,%esp 
80485b7:  5b      pop %ebx 
80485b8:  5d      pop %ebp 
80485b9:  c3      ret 
80485ba:  90      nop 
80485bb:  90      nop 

Disassembly of section .fini: 

080485bc <.fini>: 
# .fini: same get-PC idiom as .init; after the add, %ebx = 0x80485c8 +
# 0x11ec = 0x80497b4 (GOT base). It calls the routine at 80483d0, whose
# table loop is always skipped (see its size arithmetic), so nothing
# user-visible happens at exit.
80485bc:  55      push %ebp 
80485bd:  89 e5     mov %esp,%ebp 
80485bf:  53      push %ebx 
80485c0:  83 ec 04    sub $0x4,%esp 
80485c3:  e8 00 00 00 00   call 80485c8 <[email protected]+0x240>   # call the next instruction
80485c8:  5b      pop %ebx                                 # %ebx = 0x80485c8
80485c9:  81 c3 ec 11 00 00  add $0x11ec,%ebx              # %ebx = 0x80497b4 (GOT base)
80485cf:  e8 fc fd ff ff   call 80483d0 <[email protected]+0x48>   # routine at 80483d0
80485d4:  59      pop %ecx                                 # undo the sub $0x4 (value discarded)
80485d5:  5b      pop %ebx 
80485d6:  c9      leave 
80485d7:  c3      ret 

這是作業，對吧？它很像 Bomb Lab（炸彈實驗），只不過二進制文件已被剝離符號（stripped）。不替你做大量工作的話，我想沒人能回答這個問題。不過我會先在調用 '<[email protected]>' 的地方設置斷點，跳出周圍的循環之後，再看看程序對用戶輸入做了什麼。 –


什麼是 Bomb Lab（炸彈實驗）？我想自己完成這項工作，只是不知道從哪裏開始。我會試着在那裏設置一個斷點。 – masonc15


我在那裏設置了斷點，但 gdb 在用戶還沒來得及輸入之前就命中了該斷點。 – masonc15

回答


看起來這是用 -O0 編譯的：代碼高度冗餘，而且所有變量都保存在內存中。

如果反彙編器能在分支目標處加上標籤，事情會容易得多：這樣你就能看出執行流什麼時候可能從別處跳進某個代碼塊，而不只是（或者除了）從前一條指令順序落入。Agner Fog 的 objconv 反彙編器就是這樣做的。


8048490 jmp 80484b9 <[email protected]+0x131>是getchar循環的最後一條指令(循環固定10次)。

接下來是第二個循環：每次從 -0x1b(%ebp,%eax,1) 加載一個字符，然後執行

# eax = tolower(str[i]) 
sub $0x31,%eax # subtract '1' 
cmp $0x4,%eax 
ja  80484b5 # jump over an increment of a counter at -0x10(%ebp) 

所以 cmpl $0xa,-0x10(%ebp) 不是在找換行符（0xa），而是在檢查計數器，看是否全部 10 個字符都落在我認爲是 ASCII '1' 到 '5' 的區間裏。


我對 x86 非常陌生，花了一個多小時嘗試之後還是不知道怎麼使用 objconv 反彙編器。我用的是 Windows 機器，所以在 Linux 上很容易的事情在我這裏未必行得通。你認爲密碼的每個字符都在 1 到 5 之間嗎？我還能怎樣着手解決這個問題？ – masonc15


@masonc15：Agner Fog 發佈了 [objconv.exe for Windows](http://www.agner.org/optimize/)，也提供了可以在 Linux 上編譯的源代碼。安裝/使用它不需要懂 asm，只需要會讀它的輸出。 –


@masonc15：還能怎麼入手？就是跟着第二個循環走一遍，看看它到底做了什麼。我最初的猜測只是基於對那個看起來像是遍歷字符串的循環的快速瀏覽；它看起來說得通，但我沒有逐條檢查每條指令來確認它們都與這個解釋一致。在調試器裏單步執行對於驗證你對代碼行爲的推斷很有用（尤其是用 gdb 的 'layout reg'，這樣能看到寄存器值的變化）。 –