Linux C++ 调试神技--如何将Linux C++ 可执行文件逆向工程到Intel格式汇编
Linux C++ 调试神技--如何将Linux C++ 可执行文件逆向工程到Intel格式汇编
对于许多在windows 上调试代码的人而言, Intel IA32格式的汇编代码可能并不陌生,因为种种的原因,很多软件工程师不得不去尝试理解汇编代码。Windows PE的反汇编格式默认是Intel格式的,但是由于历史的原因,在这个世界上还存在另外一种汇编,ATT格式,这也是Linux C++ 可执行代码的默认反汇编格式。
难道还真需要哥们学习两种格式的汇编么?一种学会了已经很NB了?
难道哥们在Windows上学的汇编到Linux上就白费了么?玩不转了么?
底层的处理器都是一个架构的,机器码都是一样的,这两种汇编代码一定可以互相转换,否则工具设计者智商一定低到写不出来工具。
对于这个问题且听兄弟以一个例子详细到道来。假设有如下的C++代码,我们将其在Linux上编译为一个名字为hellod的执行文件。
1 #include<iostream> 2 int main() 3 { 4 std::cout << "Enter two numbers:" << std::endl; 5 int v1 = 0, v2 = 0; 6 std::cin >> v1 >> v2; 7 std::cout << "The sum of " << v1 << " and " << v2 8 << " is " << v1 + v2 << std::endl; 9 return 0; 10 }
如果想看看现在的默认反汇编格式是什么,可以使用如下命令,可以看到Linux默认的是ATT格式的
(gdb) show disassembly-flavor The disassembly flavor is "att".
反汇编结果如下:
(gdb) disassemble main Dump of assembler code for function main(): 0x000000000040092d <+0>: push %rbp 0x000000000040092e <+1>: mov %rsp,%rbp 0x0000000000400931 <+4>: push %r13 0x0000000000400933 <+6>: push %r12 0x0000000000400935 <+8>: push %rbx 0x0000000000400936 <+9>: sub $0x18,%rsp 0x000000000040093a <+13>: mov $0x400ad4,%esi 0x000000000040093f <+18>: mov $0x6011a0,%edi 0x0000000000400944 <+23>: callq 0x400800 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc@plt> 0x0000000000400949 <+28>: mov $0x400830,%esi 0x000000000040094e <+33>: mov %rax,%rdi 0x0000000000400951 <+36>: callq 0x400820 <_ZNSolsEPFRSoS_E@plt> 0x0000000000400956 <+41>: movl $0x0,-0x28(%rbp) 0x000000000040095d <+48>: movl $0x0,-0x24(%rbp) 0x0000000000400964 <+55>: lea -0x28(%rbp),%rax 0x0000000000400968 <+59>: mov %rax,%rsi 0x000000000040096b <+62>: mov $0x601080,%edi 0x0000000000400970 <+67>: callq 0x400810 <_ZNSirsERi@plt> 0x0000000000400975 <+72>: lea -0x24(%rbp),%rdx 0x0000000000400979 <+76>: mov %rdx,%rsi 0x000000000040097c <+79>: mov %rax,%rdi ---Type <return> to continue, or q <return> to quit--- 0x000000000040097f <+82>: callq 0x400810 <_ZNSirsERi@plt> 0x0000000000400984 <+87>: mov -0x28(%rbp),%edx 0x0000000000400987 <+90>: mov -0x24(%rbp),%eax 0x000000000040098a <+93>: lea (%rdx,%rax,1),%r13d 0x000000000040098e <+97>: mov -0x24(%rbp),%ebx 0x0000000000400991 <+100>: mov -0x28(%rbp),%r12d 0x0000000000400995 <+104>: mov $0x400ae7,%esi 0x000000000040099a <+109>: mov $0x6011a0,%edi 0x000000000040099f <+114>: callq 0x400800 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc@plt> 0x00000000004009a4 <+119>: mov %r12d,%esi 0x00000000004009a7 <+122>: mov %rax,%rdi 0x00000000004009aa <+125>: callq 0x4007a0 <_ZNSolsEi@plt> 0x00000000004009af <+130>: mov $0x400af3,%esi 0x00000000004009b4 <+135>: mov %rax,%rdi 0x00000000004009b7 <+138>: callq 0x400800 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc@plt> 0x00000000004009bc <+143>: mov %ebx,%esi 0x00000000004009be <+145>: mov %rax,%rdi 0x00000000004009c1 <+148>: callq 0x4007a0 <_ZNSolsEi@plt> 0x00000000004009c6 <+153>: mov $0x400af9,%esi 0x00000000004009cb <+158>: mov %rax,%rdi 0x00000000004009ce <+161>: callq 0x400800 <_ZStlsISt11char_traitsIcEERSt13---Type <return> to continue, or q <return> to quit--- basic_ostreamIcT_ES5_PKc@plt> 0x00000000004009d3 <+166>: mov %r13d,%esi 0x00000000004009d6 <+169>: mov %rax,%rdi 0x00000000004009d9 <+172>: callq 0x4007a0 <_ZNSolsEi@plt> 0x00000000004009de <+177>: mov $0x400830,%esi 0x00000000004009e3 <+182>: mov %rax,%rdi 0x00000000004009e6 <+185>: callq 0x400820 <_ZNSolsEPFRSoS_E@plt> 0x00000000004009eb <+190>: mov $0x0,%eax 0x00000000004009f0 <+195>: add $0x18,%rsp 0x00000000004009f4 <+199>: pop %rbx 0x00000000004009f5 <+200>: pop %r12 0x00000000004009f7 <+202>: pop %r13 0x00000000004009f9 <+204>: pop %rbp 0x00000000004009fa <+205>: retq End of assembler dump.
那如果我看不懂,我想使用Intel格式的汇编怎么办呢?下面的命令就可以做到,牛X吧?哈哈
(gdb) set disassembly-flavor intel (gdb) show disassembly-flavor The disassembly flavor is "intel".
再来看看这下我们反出来的汇编代码, 已经变成Intel 格式的了
(gdb) disassemble main Dump of assembler code for function main(): 0x000000000040092d <+0>: push rbp 0x000000000040092e <+1>: mov rbp,rsp 0x0000000000400931 <+4>: push r13 0x0000000000400933 <+6>: push r12 0x0000000000400935 <+8>: push rbx 0x0000000000400936 <+9>: sub rsp,0x18 0x000000000040093a <+13>: mov esi,0x400ad4 0x000000000040093f <+18>: mov edi,0x6011a0 0x0000000000400944 <+23>: call 0x400800 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc@plt> 0x0000000000400949 <+28>: mov esi,0x400830 0x000000000040094e <+33>: mov rdi,rax 0x0000000000400951 <+36>: call 0x400820 <_ZNSolsEPFRSoS_E@plt> 0x0000000000400956 <+41>: mov DWORD PTR [rbp-0x28],0x0 0x000000000040095d <+48>: mov DWORD PTR [rbp-0x24],0x0 0x0000000000400964 <+55>: lea rax,[rbp-0x28] 0x0000000000400968 <+59>: mov rsi,rax 0x000000000040096b <+62>: mov edi,0x601080 0x0000000000400970 <+67>: call 0x400810 <_ZNSirsERi@plt> 0x0000000000400975 <+72>: lea rdx,[rbp-0x24] 0x0000000000400979 <+76>: mov rsi,rdx 0x000000000040097c <+79>: mov rdi,rax ---Type <return> to continue, or q <return> to quit--- 0x000000000040097f <+82>: call 0x400810 <_ZNSirsERi@plt> 0x0000000000400984 <+87>: mov edx,DWORD PTR [rbp-0x28] 0x0000000000400987 <+90>: mov eax,DWORD PTR [rbp-0x24] 0x000000000040098a <+93>: lea r13d,[rdx+rax*1] 0x000000000040098e <+97>: mov ebx,DWORD PTR [rbp-0x24] 0x0000000000400991 <+100>: mov r12d,DWORD PTR [rbp-0x28] 0x0000000000400995 <+104>: mov esi,0x400ae7 0x000000000040099a <+109>: mov edi,0x6011a0 0x000000000040099f <+114>: call 0x400800 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc@plt> 0x00000000004009a4 <+119>: mov esi,r12d 0x00000000004009a7 <+122>: mov rdi,rax 0x00000000004009aa <+125>: call 0x4007a0 <_ZNSolsEi@plt> 0x00000000004009af <+130>: mov esi,0x400af3 0x00000000004009b4 <+135>: mov rdi,rax 0x00000000004009b7 <+138>: call 0x400800 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc@plt> 0x00000000004009bc <+143>: mov esi,ebx 0x00000000004009be <+145>: mov rdi,rax 0x00000000004009c1 <+148>: call 0x4007a0 <_ZNSolsEi@plt> 0x00000000004009c6 <+153>: mov esi,0x400af9 0x00000000004009cb <+158>: mov rdi,rax 0x00000000004009ce <+161>: call 0x400800 <_ZStlsISt11char_traitsIcEERSt13---Type <return> to continue, or q <return> to quit--- basic_ostreamIcT_ES5_PKc@plt> 0x00000000004009d3 <+166>: mov esi,r13d 0x00000000004009d6 <+169>: mov rdi,rax 0x00000000004009d9 <+172>: call 0x4007a0 <_ZNSolsEi@plt> 0x00000000004009de <+177>: mov esi,0x400830 0x00000000004009e3 <+182>: mov rdi,rax 0x00000000004009e6 <+185>: call 0x400820 <_ZNSolsEPFRSoS_E@plt> 0x00000000004009eb <+190>: mov eax,0x0 0x00000000004009f0 <+195>: add rsp,0x18 0x00000000004009f4 <+199>: pop rbx 0x00000000004009f5 <+200>: pop r12 0x00000000004009f7 <+202>: pop r13 0x00000000004009f9 <+204>: pop rbp 0x00000000004009fa <+205>: ret End of assembler dump.
总结
对于很多计算机工程领域的技术问题,理解原理是最重要的,软件工程师很忙,忙着学东西,但是有的东西你一旦知道了道理,靠分析已经能节省很多的时间,根本不用去再学一遍,就拿本例来说,如果不去分析,再去学一遍另一个版本的,可能也是事倍功半,站的高方能望的远,和大家共勉。