å‰å›ž ã¯ã€ã€Œå…¥é–€ã‚»ã‚ュリティコンテストーーCTFを解ããªãŒã‚‰å¦ã¶å®Ÿæˆ¦æŠ€è¡“ã€ã‚’èªã‚“ã§ã€CTF ã®å„ジャンルã”ã¨ã«ä½¿ã‚ã‚Œã¦ã„る技術やツールã«ã¤ã„ã¦ã€èª¿ã¹ãŸã‚Šã€å®Ÿéš›ã«ä½¿ã£ã¦ã¿ãŸã‚Šã—ã¾ã—ãŸã€‚
今回ã¯ã€x86-64 ELF(Linux)ã®ã‚¢ã‚»ãƒ³ãƒ–ラをç†è§£ã—ã¦ã„ãã¾ã™ã€‚ã¾ãŸã€ã‚ˆã使ㆠGDBコマンドやã€ãƒã‚¤ãƒŠãƒªã«å¯¾ã—ã¦ã‚ˆã使ã†ã‚³ãƒžãƒ³ãƒ‰ã€x86-64 ã®ã‚ˆã使ã†å‘½ä»¤ã‚’書ãã¨ã‚ã¦ãŠã“ã†ã¨æ€ã„ã¾ã™ã€‚
ãã‚Œã§ã¯ã€ã‚„ã£ã¦ã„ãã¾ã™ã€‚
å‚考文献
Ghidra ã®è§£èª¬ãŒä¸»ã§ã™ãŒã€å†’é ã«ã€x86ã€x86-64 ã®ã‚¢ãƒ¼ã‚テクãƒãƒ£ã€ã‚¢ã‚»ãƒ³ãƒ–ラãŒè§£èª¬ã•ã‚Œã¦ã„ã¾ã™ã€‚今回ã¯ã€ã“ã®è§£èª¬ã‚’ã‚‚ã¨ã«æ›¸ã„ã¦ã„ã¾ã™ã€‚
GDB ã®æœ¬ã¯å°‘ãªã„ã®ã§ã™ãŒã€CQ出版ã®å¤ã„書ç±ã¯ã€ã‚ˆãã¾ã¨ã¾ã£ã¦ã„ã‚‹ã¨æ€ã„ã¾ã™ã€‚GDB ã®ã‚³ãƒžãƒ³ãƒ‰ã«ã¤ã„ã¦ã‚‚ã€ã‚る程度ã€æ›¸ã„ã¦ãã‚Œã¦ã„ã‚‹ã®ã§ã™ãŒã€çŸç¸®ç‰ˆã‚‚書ã„ã¦ã¦ã»ã—ã‹ã£ãŸã§ã™ã€‚
ã¯ã˜ã‚ã«
「セã‚ュリティã€ã®è¨˜äº‹ä¸€è¦§ã§ã™ã€‚良ã‹ã£ãŸã‚‰å‚考ã«ã—ã¦ãã ã•ã„。
ã‚»ã‚ュリティã®è¨˜äº‹ä¸€è¦§
普通㮠GDB ã¯ãƒ‡ãƒãƒƒã‚°ã™ã‚‹ã«ã¯ä¸ä¾¿ãªã®ã§ã€æœ€åˆã« gdb-peda ã‚’å°Žå…¥ã—ã¦ãŠãã¾ã™ï¼ˆç¾åœ¨ã¯ã€ãƒ’ãƒ¼ãƒ—é ˜åŸŸã‚’ç¢ºèªã§ãã‚‹ pwndbg ã«ç§»è¡Œæ¸ˆã¿ã§ã™ï¼‰ã€‚
環境ã¯ã€VirtualBox+ParrotOS 6.1 ã§ã™ã€‚
ãã‚Œã§ã¯ã€ã‚„ã£ã¦ã„ãã¾ã™ã€‚
gdb-pedaã®å°Žå…¥æ–¹æ³•
gdb-peda ã®å…¬å¼ã® GitHub ã¯ä»¥ä¸‹ã§ã™ã€‚
github.com
Installation ã«ã€å°Žå…¥æ–¹æ³•ãŒæ›¸ã‹ã‚Œã¦ã„ã¾ã™ã®ã§ã€ãã‚Œã«å¾“ã„ã¾ã™ï¼ˆã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«å…ˆã¯å¤‰æ›´ã—ã¦ã„ã¾ã™ï¼‰ã€‚
$ git clone https://github.com/longld/peda.git
$ echo "source ~/Downloads/peda/peda.py" >> ~/.gdbinit
ã§ã¯ã€gdb-peda ã‚’å°Žå…¥ã—ãŸçŠ¶æ…‹ã§ã€GDB ã‚’èµ·å‹•ã—ã¦ã¿ã¾ã™ã€‚
$ gdb -q exec_me_revenge
ã“ã®å¾Œã€start を実行ã™ã‚‹ã¨ã€ä»¥ä¸‹ã®ã‚ˆã†ã«ã€ãƒ¬ã‚¸ã‚¹ã‚¿ã€ã‚³ãƒ¼ãƒ‰ã€ã‚¹ã‚¿ãƒƒã‚¯ãŒå¸¸ã«è¡¨ç¤ºã•ã‚Œã‚‹ã‚ˆã†ã«ãªã‚Šã¾ã™ã€‚ã¨ã¦ã‚‚便利ã§ã™ã。
gdb-pedaã§startを実行ã—ãŸã¨ã“ã‚
gdb-peda ã®å°Žå…¥æ–¹æ³•ã¯ä»¥ä¸Šã§ã™ã€‚
pwndbgã®å°Žå…¥æ–¹æ³•
gdb-peda ã§ã¯ã€ãƒ’ãƒ¼ãƒ—é ˜åŸŸã®æƒ…å ±ãŒè¡¨ç¤ºã§ãã¾ã›ã‚“ã§ã—ãŸï¼ˆç§ã®ç’°å¢ƒã ã‘ã‹ã‚‚ã—ã‚Œã¾ã›ã‚“)。ãã“ã§ã€ã‚ˆãèžã pwndbg ã‚’å°Žå…¥ã—ãŸã„ã¨æ€ã„ã¾ã™ã€‚
pwndbg ã®å…¬å¼ã‚µã‚¤ãƒˆã¯ä»¥ä¸‹ã§ã™ã€‚
github.com
å…¬å¼ã‚µã‚¤ãƒˆã®å°Žå…¥æ‰‹é †é€šã‚Šã«å°Žå…¥ã—ã¦ã¿ã¾ã™ã€‚
ãŸãã•ã‚“インストールã•ã‚ŒãŸã‚ˆã†ã«è¦‹ãˆã¾ã™ã€‚
$ git clone https://github.com/pwndbg/pwndbg
$ cd pwndbg/
$ ./setup
完了ã—ãŸã®ã§ã€æ—©é€Ÿ GDB ã‚’èµ·å‹•ã—ã¦ã¿ã¾ã—ãŸãŒã€ã‚¨ãƒ©ãƒ¼ãŒå‡ºã¾ã™ã€‚gdb-pedaã¨ã®ä½µç”¨ã¯ã§ããªã„よã†ã§ã™ã€‚.gdbinit を編集ã—ã¾ã™ã€‚gdb-peda 㨠pwndbg ã¯ä¸¡æ–¹ã¨ã‚‚ã€.gdbinit ã« 1è¡Œãšã¤æ›¸ã込んã§ã„ã‚‹ã ã‘ãªã®ã§ã€gdb-peda ã®æ–¹ã® source をコメントアウトã—ã¾ã—ãŸã€‚ã™ã‚‹ã¨ã€ã‚¨ãƒ©ãƒ¼ã¯å‡ºãªããªã‚Šã¾ã—ãŸã€‚
$ nano ~/.gdbinit
$ cat ~/.gdbinit
source /home/user/Downloads/pwndbg/gdbinit.py
å°‘ã—使ã£ã¦ã¿ã¾ã—ãŸãŒã€ã“ã®ã¾ã¾ã ã¨ã€TeraTerm ã§ä½¿ã†ã«ã¯åŽ³ã—ã„ã§ã™ã。ASCIIコード以外ã®æ–‡å—ãŒä½¿ã‚ã‚Œã¦ã„ã‚‹ã®ã§ã€ã„ãŸã‚‹ã¨ã“ã‚ã§ã€ï¼Ÿã«ãªã‚Šã¾ã™ã€‚ASCIIコードã ã‘ã§è¡¨ç¤ºã™ã‚‹æ–¹æ³•ã‚‚ã‚ã‚‹ã¨æ€ã†ã®ã§ã€ã‚‚ã†ã¡ã‚‡ã£ã¨èª¿ã¹ã¦ã¿ã¾ã™ã€‚
後日ã€èª¿ã¹ã¾ã—ãŸã€‚TeraTermã®ãƒãƒ¼ã‚¸ãƒ§ãƒ³5以é™ã‚’使ã†ã¨ã€ä¸Šã® ? ã«ãªã£ã¦ã—ã¾ã†å•é¡Œã¯è§£æ¶ˆã—ã¾ã™ã€‚TeraTerm ã®å…¬å¼ã‚µã‚¤ãƒˆã«ã‚ˆã‚‹ã¨ã€Unicode ã¸ã®å¯¾å¿œãŒé€²ã‚“ã よã†ã§ã™ã€‚ã“ã‚Œã«ã‚ˆã‚Šã€â€”? ã¨ãªã£ã¦ã„ãŸã¨ã“ã‚ãŒã€â€”â–¸ ã¨æ„図通りã«è¡¨ç¤ºã§ãるよã†ã«ãªã£ãŸã®ã ã¨æ€ã„ã¾ã™ã€‚
ç°¡å˜ãªãƒ—ãƒã‚°ãƒ©ãƒ ã§x86-64 ELFã‚’GDBã§ãƒ‡ãƒãƒƒã‚°ã‚’開始ã—ã¦ã¿ã‚‹
ç°¡å˜ãª C言語ã®ãƒ—ãƒã‚°ãƒ©ãƒ を自分ã§æ›¸ã„ã¦ã¿ã¾ã—ãŸã€‚ã“れを使ã£ã¦ã€GDB ã§å‹•ã‹ã—ãªãŒã‚‰ã€x86-64 ELF ã®å‹•ä½œã‚’ç†è§£ã—ã¦ã„ãã¾ã™ã€‚
使用ã™ã‚‹ç°¡å˜ãªC言語プãƒã‚°ãƒ©ãƒ
main関数ã‹ã‚‰ã€sub関数を呼ã³å‡ºã—ã€sub関数ã®ä¸ã§ã€printf関数を実行ã€scanf関数を実行ã—ã¦ã€æ•°å€¤ã‚’å—ã‘å–ã‚Šã€æˆ»ã‚Šå€¤ã§main関数ã«è¿”ã—ã¾ã™ã€‚main関数ã¯ã€æˆ»ã‚Šå€¤ãŒ 0 超ãªã‚‰ã‚·ã‚¹ãƒ†ãƒ ã« 0 ã‚’è¿”ã—ã€ãれ以外ãªã‚‰ 1 ã‚’è¿”ã—ã¾ã™ã€‚
#include <stdio.h>
int sub( void )
{
int data;
printf( "input data: " );
scanf( "%d", &data );
return data;
}
int main( int argc, void *argv[] )
{
int ret;
ret = sub();
if( ret > 0 )
return 0;
else
return 1;
}
ç°¡å˜ã«å®Ÿè¡Œã—ã¦ã¿ã¾ã™ã€‚
$ gcc -g -o hello_world.out hello_world.c
$ ./hello_world.out
input data: 0
$ echo $?
1
$ ./hello_world.out
input data: 1
$ echo $?
0
想定ã—ã¦ã„る通りã«å‹•ä½œã—ã¦ã„るよã†ã§ã™ã€‚
プãƒã‚°ãƒ©ãƒ ã®æ¦‚è¦ã‚’調ã¹ã‚‹
GDB ã§å‹•ä½œã‚’確èªã™ã‚‹å‰ã«ã€ãƒ—ãƒã‚°ãƒ©ãƒ ã®æ¦‚è¦ã‚’調ã¹ã¾ã™ã€‚
ELFヘッダã«ã‚ˆã‚‹ã¨ã€ã‚¨ãƒ³ãƒˆãƒªãƒã‚¤ãƒ³ãƒˆã¯ã€0x1060 ã§ã™ã€‚セクションヘッダ㮠textセクションもã€0x1060 ã‹ã‚‰å§‹ã¾ã£ã¦ã„ã¾ã™ã€‚
$ file hello_world.out
hello_world.out: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV),
dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2,
BuildID[sha1]=89d00684582cd697b573c0fd49c38d4f17146450, for GNU/Linux 3.2.0, with debug_info, not stripped
$ readelf -h hello_world.out
ELF Header:
Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Class: ELF64
Data: 2 s complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: DYN (Position-Independent Executable file)
Machine: Advanced Micro Devices X86-64
Version: 0x1
Entry point address: 0x1060
Start of program headers: 64 (bytes into file)
Start of section headers: 15088 (bytes into file)
Flags: 0x0
Size of this header: 64 (bytes)
Size of program headers: 56 (bytes)
Number of program headers: 13
Size of section headers: 64 (bytes)
Number of section headers: 37
Section header string table index: 36
$ readelf -l hello_world.out
Elf file type is DYN (Position-Independent Executable file)
Entry point 0x1060
There are 13 program headers, starting at offset 64
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flags Align
PHDR 0x0000000000000040 0x0000000000000040 0x0000000000000040 0x00000000000002d8 0x00000000000002d8 R 0x8
INTERP 0x0000000000000318 0x0000000000000318 0x0000000000000318 0x000000000000001c 0x000000000000001c R 0x1
[Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]
LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000670 0x0000000000000670 R 0x1000
LOAD 0x0000000000001000 0x0000000000001000 0x0000000000001000 0x00000000000001b9 0x00000000000001b9 R E 0x1000
LOAD 0x0000000000002000 0x0000000000002000 0x0000000000002000 0x0000000000000114 0x0000000000000114 R 0x1000
LOAD 0x0000000000002dd0 0x0000000000003dd0 0x0000000000003dd0 0x0000000000000250 0x0000000000000258 RW 0x1000
DYNAMIC 0x0000000000002de0 0x0000000000003de0 0x0000000000003de0 0x00000000000001e0 0x00000000000001e0 RW 0x8
NOTE 0x0000000000000338 0x0000000000000338 0x0000000000000338 0x0000000000000020 0x0000000000000020 R 0x8
NOTE 0x0000000000000358 0x0000000000000358 0x0000000000000358 0x0000000000000044 0x0000000000000044 R 0x4
GNU_PROPERTY 0x0000000000000338 0x0000000000000338 0x0000000000000338 0x0000000000000020 0x0000000000000020 R 0x8
GNU_EH_FRAME 0x0000000000002014 0x0000000000002014 0x0000000000002014 0x0000000000000034 0x0000000000000034 R 0x4
GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 RW 0x10
GNU_RELRO 0x0000000000002dd0 0x0000000000003dd0 0x0000000000003dd0 0x0000000000000230 0x0000000000000230 R 0x1
Section to Segment mapping:
Segment Sections...
00
01 .interp
02 .interp .note.gnu.property .note.gnu.build-id .note.ABI-tag .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt
03 .init .plt .plt.got .text .fini
04 .rodata .eh_frame_hdr .eh_frame
05 .init_array .fini_array .dynamic .got .got.plt .data .bss
06 .dynamic
07 .note.gnu.property
08 .note.gnu.build-id .note.ABI-tag
09 .note.gnu.property
10 .eh_frame_hdr
11
12 .init_array .fini_array .dynamic .got
$ readelf -S hello_world.out
There are 37 section headers, starting at offset 0x3af0:
Section Headers:
[Nr] Name Type Address Offset Size EntSize Flags Link Info Align
[ 0] NULL 0000000000000000 00000000 0000000000000000 0000000000000000 0 0 0
[ 1] .interp PROGBITS 0000000000000318 00000318 000000000000001c 0000000000000000 A 0 0 1
[ 2] .note.gnu.pr[...] NOTE 0000000000000338 00000338 0000000000000020 0000000000000000 A 0 0 8
[ 3] .note.gnu.bu[...] NOTE 0000000000000358 00000358 0000000000000024 0000000000000000 A 0 0 4
[ 4] .note.ABI-tag NOTE 000000000000037c 0000037c 0000000000000020 0000000000000000 A 0 0 4
[ 5] .gnu.hash GNU_HASH 00000000000003a0 000003a0 0000000000000024 0000000000000000 A 6 0 8
[ 6] .dynsym DYNSYM 00000000000003c8 000003c8 00000000000000c0 0000000000000018 A 7 1 8
[ 7] .dynstr STRTAB 0000000000000488 00000488 00000000000000a8 0000000000000000 A 0 0 1
[ 8] .gnu.version VERSYM 0000000000000530 00000530 0000000000000010 0000000000000002 A 6 0 2
[ 9] .gnu.version_r VERNEED 0000000000000540 00000540 0000000000000040 0000000000000000 A 7 1 8
[10] .rela.dyn RELA 0000000000000580 00000580 00000000000000c0 0000000000000018 A 6 0 8
[11] .rela.plt RELA 0000000000000640 00000640 0000000000000030 0000000000000018 AI 6 24 8
[12] .init PROGBITS 0000000000001000 00001000 0000000000000017 0000000000000000 AX 0 0 4
[13] .plt PROGBITS 0000000000001020 00001020 0000000000000030 0000000000000010 AX 0 0 16
[14] .plt.got PROGBITS 0000000000001050 00001050 0000000000000008 0000000000000008 AX 0 0 8
[15] .text PROGBITS 0000000000001060 00001060 0000000000000150 0000000000000000 AX 0 0 16
[16] .fini PROGBITS 00000000000011b0 000011b0 0000000000000009 0000000000000000 AX 0 0 4
[17] .rodata PROGBITS 0000000000002000 00002000 0000000000000014 0000000000000000 A 0 0 4
[18] .eh_frame_hdr PROGBITS 0000000000002014 00002014 0000000000000034 0000000000000000 A 0 0 4
[19] .eh_frame PROGBITS 0000000000002048 00002048 00000000000000cc 0000000000000000 A 0 0 8
[20] .init_array INIT_ARRAY 0000000000003dd0 00002dd0 0000000000000008 0000000000000008 WA 0 0 8
[21] .fini_array FINI_ARRAY 0000000000003dd8 00002dd8 0000000000000008 0000000000000008 WA 0 0 8
[22] .dynamic DYNAMIC 0000000000003de0 00002de0 00000000000001e0 0000000000000010 WA 7 0 8
[23] .got PROGBITS 0000000000003fc0 00002fc0 0000000000000028 0000000000000008 WA 0 0 8
[24] .got.plt PROGBITS 0000000000003fe8 00002fe8 0000000000000028 0000000000000008 WA 0 0 8
[25] .data PROGBITS 0000000000004010 00003010 0000000000000010 0000000000000000 WA 0 0 8
[26] .bss NOBITS 0000000000004020 00003020 0000000000000008 0000000000000000 WA 0 0 1
[27] .comment PROGBITS 0000000000000000 00003020 000000000000001f 0000000000000001 MS 0 0 1
[28] .debug_aranges PROGBITS 0000000000000000 0000303f 0000000000000030 0000000000000000 0 0 1
[29] .debug_info PROGBITS 0000000000000000 0000306f 000000000000012d 0000000000000000 0 0 1
[30] .debug_abbrev PROGBITS 0000000000000000 0000319c 00000000000000eb 0000000000000000 0 0 1
[31] .debug_line PROGBITS 0000000000000000 00003287 000000000000006c 0000000000000000 0 0 1
[32] .debug_str PROGBITS 0000000000000000 000032f3 00000000000000bc 0000000000000001 MS 0 0 1
[33] .debug_line_str PROGBITS 0000000000000000 000033af 000000000000003f 0000000000000001 MS 0 0 1
[34] .symtab SYMTAB 0000000000000000 000033f0 0000000000000390 0000000000000018 35 18 8
[35] .strtab STRTAB 0000000000000000 00003780 0000000000000200 0000000000000000 0 0 1
[36] .shstrtab STRTAB 0000000000000000 00003980 000000000000016a 0000000000000000 0 0 1
Key to Flags:
W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
L (link order), O (extra OS processing required), G (group), T (TLS),
C (compressed), x (unknown), o (OS specific), E (exclude),
D (mbind), l (large), p (processor specific)
GDBã§ãƒ‡ãƒãƒƒã‚°ã‚’開始ã—ã¦ã¿ã‚‹
ã§ã¯ã€æ—©é€Ÿèµ·å‹•ã—ã¦ã¿ã¾ã™ã€‚èµ·å‹•ã™ã‚‹ã¨ã€ä»¥ä¸‹ã®ã‚ˆã†ã«ã€å…¥åŠ›å¾…ã¡ã®çŠ¶æ…‹ã«ãªã‚Šã¾ã™ã€‚
$ gdb -q hello_world.out
no key sequence terminator:
Reading symbols from hello_world.out...
gdb-peda$
ã“ã“ã§ã€ã‚·ãƒ³ãƒœãƒ«ãŒæ®‹ã£ã¦ã‚‹ï¼ˆmain関数ãŒåˆ†ã‹ã‚‹ï¼‰å ´åˆã¯ã€start を実行ã™ã‚‹ã¨ main関数ã®å…ˆé ã§æ¢ã¾ã£ã¦ãã‚Œã¾ã™ã€‚一方ã€run を実行ã™ã‚‹ã¨ã€main関数ã§ã¯æ¢ã¾ã‚‰ãšã€ãƒ–レークãƒã‚¤ãƒ³ãƒˆã§æ¢ã¾ã‚‹ã€ã‚‚ã—ãã¯ã€ãƒ—ãƒã‚°ãƒ©ãƒ ã®æœ€å¾Œã¾ã§å®Ÿè¡Œã•ã‚Œã¾ã™ã€‚
start を実行ã—ã¦ã¿ã¾ã™ã€‚æƒ…å ±é‡å¤šã„ã§ã™ã。
Warning: 'set logging off', an alias for the command 'set logging enabled', is deprecated.
Use 'set logging enabled off'.
Warning: 'set logging on', an alias for the command 'set logging enabled', is deprecated.
Use 'set logging enabled on'.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[----------------------------------registers-----------------------------------]
RAX: 0x555555555185 (<main>: push rbp)
RBX: 0x7fffffffe358 --> 0x7fffffffe5da ("/home/user/svn/experiment/c/hello_world.out")
RCX: 0x555555557dd8 --> 0x555555555100 (<__do_global_dtors_aux>: endbr64)
RDX: 0x7fffffffe368 --> 0x7fffffffe606 ("SHELL=/bin/bash")
RSI: 0x7fffffffe358 --> 0x7fffffffe5da ("/home/user/svn/experiment/c/hello_world.out")
RDI: 0x1
RBP: 0x7fffffffe240 --> 0x1
RSP: 0x7fffffffe220 --> 0x7fffffffe358 --> 0x7fffffffe5da ("/home/user/svn/experiment/c/hello_world.out")
RIP: 0x555555555194 (<main+15>: call 0x555555555149 <sub>)
R8 : 0x0
R9 : 0x7ffff7fcf680 (<_dl_fini>: push rbp)
R10: 0x7ffff7fcb878 --> 0xc00120000000e
R11: 0x7ffff7fe1930 (<_dl_audit_preinit>: mov eax,DWORD PTR [rip+0x1b4e2]
R12: 0x0
R13: 0x7fffffffe368 --> 0x7fffffffe606 ("SHELL=/bin/bash")
R14: 0x555555557dd8 --> 0x555555555100 (<__do_global_dtors_aux>: endbr64)
R15: 0x7ffff7ffd020 --> 0x7ffff7ffe2e0 --> 0x555555554000 --> 0x10102464c457f
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x555555555189 <main+4>: sub rsp,0x20
0x55555555518d <main+8>: mov DWORD PTR [rbp-0x14],edi
0x555555555190 <main+11>: mov QWORD PTR [rbp-0x20],rsi
=> 0x555555555194 <main+15>: call 0x555555555149 <sub>
0x555555555199 <main+20>: mov DWORD PTR [rbp-0x4],eax
0x55555555519c <main+23>: cmp DWORD PTR [rbp-0x4],0x0
0x5555555551a0 <main+27>: jle 0x5555555551a9 <main+36>
0x5555555551a2 <main+29>: mov eax,0x0
No argument
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe220 --> 0x7fffffffe358 --> 0x7fffffffe5da ("/home/user/svn/experiment/c/hello_world.out")
0008| 0x7fffffffe228 --> 0x100000000
0016| 0x7fffffffe230 --> 0x0
0024| 0x7fffffffe238 --> 0x0
0032| 0x7fffffffe240 --> 0x1
0040| 0x7fffffffe248 --> 0x7ffff7df124a (<__libc_start_call_main+122>: mov edi,eax)
0048| 0x7fffffffe250 --> 0x0
0056| 0x7fffffffe258 --> 0x555555555185 (<main>: push rbp)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Temporary breakpoint 1, main (argc=0x1, argv=0x7fffffffe358) at hello_world.c:18
18 ret = sub();
gdb-peda$
GDB ã§ã¯ã€ASLR(Address Space Layout Randomization)ã¯ã€ãƒ‡ãƒ•ã‚©ãƒ«ãƒˆã§ç„¡åŠ¹ã«ãªã£ã¦ã„る(有効ã«ã™ã‚‹ã“ã¨ã‚‚ã§ãる)ã®ã§ã€æ¯Žå›žåŒã˜ã‚¢ãƒ‰ãƒ¬ã‚¹é…ç½®ã«ãªã‚Šã¾ã™ã€‚
ã¾ãŸã€æœ€å¾Œã¾ã§å®Ÿè¡Œã—ãŸçŠ¶æ…‹ã§ã€ã‚‚ã†ä¸€åº¦ã€run ãªã©ã‚’実行ã™ã‚‹ã¨ã€å†å®Ÿè¡Œã™ã‚‹ã“ã¨ãŒå‡ºæ¥ã¾ã™ã€‚
x86-64ã®åŸºæœ¬çš„ãªå‹•ä½œã‚’ç†è§£ã™ã‚‹
主è¦ãªãƒ¬ã‚¸ã‚¹ã‚¿ã®ç†è§£
ã¾ãšã€ãƒ¬ã‚¸ã‚¹ã‚¿ã«ã¤ã„ã¦ç°¡å˜ã«ç†è§£ã—ã¦ãŠãã¾ã™ã€‚
| レジスタå |
æ¦‚è¦ |
用途 |
| RIP |
プãƒã‚°ãƒ©ãƒ カウンタ |
ç¾åœ¨ã®ãƒ—ãƒã‚°ãƒ©ãƒ ã®ä½ç½®ã‚¢ãƒ‰ãƒ¬ã‚¹ |
| RSP |
スタックãƒã‚¤ãƒ³ã‚¿ |
ç¾åœ¨ã®ã‚¹ã‚¿ãƒƒã‚¯ãƒã‚¤ãƒ³ã‚¿ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ |
| RBP |
ベースãƒã‚¤ãƒ³ã‚¿ |
関数内ã§ã‚¹ã‚¿ãƒƒã‚¯é ˜åŸŸã‚’扱ã†åŸºæº–ã¨ãªã‚‹ã‚¢ãƒ‰ãƒ¬ã‚¹ |
x86-64 ã§ã¯ã€é–¢æ•°å‘¼ã³å‡ºã—ã§ã¯ã€ä»¥ä¸‹ã®å‹•ä½œã‚’è¡Œã„ã¾ã™ã€‚
- call命令ã§ã¯ã€call命令ã®æ¬¡ã®å‘½ä»¤ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’スタック㫠push ã—ã¦ã€RIP を関数ã®å…ˆé アドレスã«ã‚»ãƒƒãƒˆã™ã‚‹
- 呼ã³å‡ºã—å…ƒã§ä½¿ç”¨ã—ã¦ã„㟠RBP をスタック㫠push ã™ã‚‹
- ç¾åœ¨ã® RSP ã‚’ RBP ã«ã‚»ãƒƒãƒˆã™ã‚‹
ã“ã®å¾Œã€é–¢æ•°ã®å†…部ã§ã¯ã€RBP を基準ã¨ã—ã¦ã‚¹ã‚¿ãƒƒã‚¯ã‚’扱ã„ã¾ã™ã€‚
ã¾ãŸã€é–¢æ•°ã®æœ€å¾Œã§ã¯ä»¥ä¸‹ã®å‹•ä½œã‚’è¡Œã„ã¾ã™ã€‚1. 㨠2. 㯠leave命令ã§ã‚‚åŒã˜å‹•ä½œã«ãªã‚Šã¾ã™ã€‚
- RBP ã‚’ RSP ã«ã‚»ãƒƒãƒˆã™ã‚‹ï¼ˆRSP ã¯ä¸Šã®é–¢æ•°å‘¼ã³å‡ºã—ã® 3. ã«æˆ»ã‚‹ï¼‰
- スタックを RBP ã« pop ã™ã‚‹ï¼ˆRBP も関数呼ã³å‡ºã—時ã®çŠ¶æ…‹ã«æˆ»ã‚‹ï¼‰
- ret命令ã§ã¯ã€ç¾åœ¨ã®ã‚¹ã‚¿ãƒƒã‚¯ï¼ˆä¸Šã®é–¢æ•°å‘¼ã³å‡ºã—ã® 1. ã§ä¿å˜ã—ã¦ã„㟠call命令ã®æ¬¡ã®å‘½ä»¤ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ï¼‰ã‚’ pop ã—㦠RIP ã«ã‚»ãƒƒãƒˆã™ã‚‹
ã“ã‚Œã«ã‚ˆã‚Šã€é–¢æ•°ã®å‘¼ã³å‡ºã—å…ƒã§ã¯ã€call命令ã®å®Ÿè¡Œå‰ã¨å®Ÿè¡Œå¾Œã§ã€RSPã€RBP ãŒåŒã˜çŠ¶æ…‹ãŒä¿æŒã•ã‚Œã¾ã™ã€‚
スタック
大ãã„アドレスã‹ã‚‰å°ã•ã„アドレスã«å‘ã‹ã£ã¦ã€ã‚¹ã‚¿ãƒƒã‚¯ã¯ä½¿ã‚ã‚Œã¦ã„ãã¾ã™ã€‚
関数ã®å‘¼ã³å‡ºã—è¦ç´„
x86-64 ã®é–¢æ•°ã®å‘¼ã³å‡ºã—è¦ç´„ã¯ã€x86 ã¨ç•°ãªã‚Šã¾ã™ã€‚
x86 ã¯ã€å¼•æ•°ã¯é€†é †ï¼ˆ3ã¤ã®å¼•æ•°ã®ã¨ãã€ç¬¬3引数→第2引数→第1引数ã®é †ï¼‰ã§ã€å…¨ã¦ã‚¹ã‚¿ãƒƒã‚¯ã«ç©ã¾ã‚Œã¾ã™ã€‚戻り値㯠EAX ã«æ ¼ç´ã•ã‚Œã€é–¢æ•°ã®å‘¼ã³å‡ºã—å…ƒãŒã‚¹ã‚¿ãƒƒã‚¯ã‚’解放ã—ã¾ã™ã€‚
x86-64 ã§ã¯ã€å¼•æ•°ã¯ç¬¬6引数ã¾ã§ãƒ¬ã‚¸ã‚¹ã‚¿ã§æ¸¡ã•ã‚Œã€ãれ以é™ã¯ã‚¹ã‚¿ãƒƒã‚¯ã«ç©ã¾ã‚Œã¾ã™ã€‚レジスタã®é †ã¯ã€ä»¥ä¸‹ã®é€šã‚Šã§ã™ã€‚
| 第1引数 |
第2引数 |
第3引数 |
第4引数 |
第5引数 |
第6引数 |
| RDI |
RSI |
RDX |
RCX |
R8 |
R9 |
戻り値㯠RAX ã«æ ¼ç´ã•ã‚Œã¾ã™ã€‚
システムコールã®å ´åˆã¯ã€å°‘ã—ç•°ãªã‚Šã€ä»¥ä¸‹ã®ã‚ˆã†ã«ãªã£ã¦ã„ã¾ã™ã€‚
| アーã‚テクãƒãƒ£ |
命令 |
ç•ªå· |
第1引数 |
第2引数 |
第3引数 |
第4引数 |
第5引数 |
第6引数 |
| x86 |
int 0x80 |
eax |
ebx |
ecx |
edx |
esi |
edi |
ebp |
| x86-64 |
syscall |
RAX |
RDI |
RSI |
RDX |
r10 |
r8 |
r9 |
ç ´å£Šï¼ˆæ®ç™ºæ€§ï¼‰ãƒ¬ã‚¸ã‚¹ã‚¿ã¨éžç ´å£Šï¼ˆä¸æ®ç™ºæ€§ï¼‰ãƒ¬ã‚¸ã‚¹ã‚¿
- ç ´å£Šï¼ˆæ®ç™ºæ€§ï¼‰ãƒ¬ã‚¸ã‚¹ã‚¿ï¼šRAXã€RCXã€RDXã€R8~R11ã€XMM0~XMM5
- éžç ´å£Šï¼ˆä¸æ®ç™ºæ€§ï¼‰ãƒ¬ã‚¸ã‚¹ã‚¿ï¼šRBXã€RBPã€RDIã€RSIã€RSPã€R12~R15ã€XMM6~XMM15
ç°¡å˜ãªãƒ—ãƒã‚°ãƒ©ãƒ ã§x86-64 ELFã‚’GDBã§ãƒ‡ãƒãƒƒã‚°ã—ã¦ã¿ã‚‹
ã“ã‚Œã¾ã§ã‚’è¸ã¾ãˆã¦ã€ç†è§£ã—ãŸã‚¢ã‚»ãƒ³ãƒ–ラã®å†…容を書ã„ã¦ã„ãã¾ã™ã€‚
main関数ã®ã‚¢ã‚»ãƒ³ãƒ–ラã®å†…容
ã¾ãšã€main関数ã§ã™ã€‚
最åˆã®2è¡Œã¯ã€main関数ã§ã‚ã£ã¦ã‚‚ã€ãŠæ±ºã¾ã‚Šã®2è¡Œã§ã™ã€‚ãã®å¾Œã® sub rsp,0x20 ã¯ã€main関数ã§ä½¿ç”¨ã™ã‚‹ãƒãƒ¼ã‚«ãƒ«å¤‰æ•°ã®ãŸã‚ã«ã€ã‚¹ã‚¿ãƒƒã‚¯ã‚’確ä¿ã—ã¦ã„ã¾ã™ã€‚
mov DWORD PTR [rbp-0x14],edi 㨠mov QWORD PTR [rbp-0x20],rsi ã¯ã€ç¢ºä¿ã—ãŸã‚¹ã‚¿ãƒƒã‚¯ã«ãƒ¬ã‚¸ã‚¹ã‚¿ã®å€¤ã‚’退é¿ã—ã¦ã„ã‚‹ã®ã ã¨æ€ã„ã¾ã™ãŒã€ç†ç”±ã¯åˆ†ã‹ã‚Šã¾ã›ã‚“。RDI 㨠RSI ã¯ã€éžç ´å£Šãƒ¬ã‚¸ã‚¹ã‚¿ãªã®ã§ã€ä¸Šä½ã§ã‚±ã‚¢ã™ã‚‹å¿…è¦ã¯ãªã„ã¯ãšã§ã™ã€‚ã¾ãŸã€main関数ã¨ã—ã¦é€€é¿ã—ã¦ã‚‹ã®ã‹ã¨æ€ã„ã¾ã—ãŸãŒã€ä½¿ç”¨ã—ã¦ã„ãªã„ã®ã§å¿…è¦ãªã„ã¯ãšã§ã™ã€‚
call命令ã§ã€sub関数を呼ã³å‡ºã—ã€ãã®å¾Œã€æˆ»ã‚Šå€¤ãŒ EAX ã«å…¥ã£ã¦ã‚‹ã®ã§ã€ç¢ºä¿ã—ãŸã‚¹ã‚¿ãƒƒã‚¯ã«æ ¼ç´ã—ã¦ã„ã¾ã™ã€‚cmp命令㧠0 ã¨æ¯”較ã—ã¦ã€jle命令ã§åˆ†å²ã—ã¾ã™ã€‚
cmp命令㨠test命令ã¯ã‚¹ãƒ†ãƒ¼ã‚¿ã‚¹ãƒ¬ã‚¸ã‚¹ã‚¿ã«çµæžœã‚’åæ˜ ã™ã‚‹ã ã‘ã§çµæžœã¯ãƒ¬ã‚¸ã‚¹ã‚¿ã«ä¿å˜ã—ã¾ã›ã‚“。jle命令ã¯ã€æœ€åˆã« Jump ã® J ãŒä»˜ã„ã¦ã‚‹ã®ã§ã€ã‚¸ãƒ£ãƒ³ãƒ—命令ã§ã€le ã¯ï¼ˆãŸã¶ã‚“ã§ã™ãŒï¼‰less than equal ãªã®ã§ã€å°ã•ã„ã‹ç‰ã—ã„å ´åˆã«ã‚¸ãƒ£ãƒ³ãƒ—ã—ã¾ã™ã€‚
ã¤ã¾ã‚Šã€sub関数ã®æˆ»ã‚Šå€¤ãŒã€0 ã¨æ¯”ã¹ã¦ã€å°ã•ã„ã€ã‚‚ã—ãã¯ã€ç‰ã—ã„å ´åˆã« main+36(1 ã‚’è¿”ã™æ–¹ï¼‰ã«ã‚¸ãƒ£ãƒ³ãƒ—ã—ã¾ã™ã€‚ãã†ã§ãªã‘ã‚Œã°ã€0 ã‚’è¿”ã™æ–¹ã‚’通りã€main+41 ã«ã‚¸ãƒ£ãƒ³ãƒ—ã—ã¾ã™ã€‚
最後ã¯ã€ã“ã¡ã‚‰ã‚‚ã€main関数ã§ã‚ã£ã¦ã‚‚ã€ãŠæ±ºã¾ã‚Šã®2è¡Œã§ã™ã€‚
gdb-peda$ disas main
Dump of assembler code for function main:
0x0000555555555185 <+0>: push rbp
0x0000555555555186 <+1>: mov rbp,rsp
0x0000555555555189 <+4>: sub rsp,0x20
0x000055555555518d <+8>: mov DWORD PTR [rbp-0x14],edi
0x0000555555555190 <+11>: mov QWORD PTR [rbp-0x20],rsi
=> 0x0000555555555194 <+15>: call 0x555555555149 <sub>
0x0000555555555199 <+20>: mov DWORD PTR [rbp-0x4],eax
0x000055555555519c <+23>: cmp DWORD PTR [rbp-0x4],0x0
0x00005555555551a0 <+27>: jle 0x5555555551a9 <main+36>
0x00005555555551a2 <+29>: mov eax,0x0
0x00005555555551a7 <+34>: jmp 0x5555555551ae <main+41>
0x00005555555551a9 <+36>: mov eax,0x1
0x00005555555551ae <+41>: leave
0x00005555555551af <+42>: ret
End of assembler dump.
sub関数ã®ã‚¢ã‚»ãƒ³ãƒ–ラã®å†…容
続ã„ã¦ã€sub関数ã§ã™ã€‚上ã§èª¬æ˜Žã—ãŸã‚‚ã®ã¯çœç•¥ã—ã¾ã™ã€‚
lea rax,[rip+0xeac] # 0x555555556004 ã¯ã€RIP+0xEAC ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’ RAX ã«è¨å®šã—ã¾ã™ã€‚RIP ã¯ã€1ã¤é€²ã‚“ã ã¨ã“ã‚(0x0000555555555158)ã«ãªã‚Šã¾ã™ã€‚コメントã®é€šã‚Šã€çµæžœã¯ã€0x555555556004 ã«ãªã‚Šã¾ã™ã€‚GDB ã§ã€ãã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’見ã¦ã¿ã¾ã—ãŸã€‚printf関数ã®å¼•æ•°ãŒå…¥ã£ã¦ã„ã¾ã—ãŸã€‚
gdb-peda$ x/s 0x555555556004
0x555555556004: "input data: "
引数を RDI ã«æ ¼ç´ã—ã¦ã€printf関数を呼ã³å‡ºã—ã¦ã„ã¾ã™ã€‚ãã®å¾Œã€scanf関数を呼ã³å‡ºã™ãŸã‚ã«ã€ã¾ãŸ lea命令ãŒã‚ã‚Šã¾ã™ã€‚第2引数ã‹ã‚‰æº–å‚™ã—ã¦ã„ã¾ã™ã€‚スタックã®ã‚¢ãƒ‰ãƒ¬ã‚¹ï¼ˆãƒãƒ¼ã‚«ãƒ«å¤‰æ•°ï¼‰ã‚’ RSI ã«ã‚»ãƒƒãƒˆã—ã¦ã„ã¾ã™ã€‚第1引数ã«ã¤ã„ã¦ã¯ã€ä¸€å¿œå†…容を確èªã—ã¦ãŠãã¾ã™ã€‚æ£ã—ãã€%d ãŒå…¥ã£ã¦ã„ã¾ã—ãŸã€‚
$ x/s 0x555555556011
0x555555556011: "%d"
ã‚ã¨ã¯ã€sub関数ã®æˆ»ã‚Šå€¤ã¨ã—ã¦ã€scanf関数ã®çµæžœã®ç¬¬2引数ã®å€¤ã‚’戻り値㮠EAX ã«ã‚»ãƒƒãƒˆã—ã¦çµ‚了ã§ã™ã€‚
gdb-peda$ disas sub
Dump of assembler code for function sub:
0x0000555555555149 <+0>: push rbp
0x000055555555514a <+1>: mov rbp,rsp
0x000055555555514d <+4>: sub rsp,0x10
0x0000555555555151 <+8>: lea rax,[rip+0xeac]
0x0000555555555158 <+15>: mov rdi,rax
0x000055555555515b <+18>: mov eax,0x0
0x0000555555555160 <+23>: call 0x555555555030 <printf@plt>
0x0000555555555165 <+28>: lea rax,[rbp-0x4]
0x0000555555555169 <+32>: mov rsi,rax
0x000055555555516c <+35>: lea rax,[rip+0xe9e]
0x0000555555555173 <+42>: mov rdi,rax
0x0000555555555176 <+45>: mov eax,0x0
0x000055555555517b <+50>: call 0x555555555040 <__isoc99_scanf@plt>
0x0000555555555180 <+55>: mov eax,DWORD PTR [rbp-0x4]
0x0000555555555183 <+58>: leave
0x0000555555555184 <+59>: ret
End of assembler dump.
ç°¡å˜ãªãƒ—ãƒã‚°ãƒ©ãƒ ã‚’stripã—ã¦GDBã§ãƒ‡ãƒãƒƒã‚°ã—ã¦ã¿ã‚‹
ã“ã‚Œã¾ã§ã¯ã€strip ã•ã‚Œã¦ã„ãªã„(デãƒãƒƒã‚°æƒ…å ±ãŒæ®‹ã£ã¦ã„る)プãƒã‚°ãƒ©ãƒ を扱ã£ã¦ãã¾ã—ãŸãŒã€æ™®é€šã¯ strip ã•ã‚Œã¦ã„る(デãƒãƒƒã‚°æƒ…å ±ã¯æ®‹ã£ã¦ã„ãªã„)ã¨æ€ã„ã¾ã™ã€‚ã“ã“ã‹ã‚‰ã¯ã€å…ˆã»ã©ã®ãƒ—ãƒã‚°ãƒ©ãƒ ã‚’ strip ã—ã¦ã€GDB ã§ãƒ‡ãƒãƒƒã‚°ã—ã¦ã¿ã¾ã™ã€‚
$ cp hello_world.out hello_world_strip.out
$ strip hello_world_strip.out
$ ll hello_world.out hello_world_strip.out
-rwxr-xr-x 1 user user 18K Sep 7 22:19 hello_world.out*
-rwxr-xr-x 1 user user 15K Sep 8 17:59 hello_world_strip.out*
プãƒã‚°ãƒ©ãƒ ã®æ¦‚è¦ã‚’調ã¹ã‚‹
strip ã—ã¦ã„ãªã„ã€ãƒ‡ãƒãƒƒã‚°æƒ…å ±ã®ã‚るプãƒã‚°ãƒ©ãƒ ã§ã¯ã€readelf ã®æƒ…å ±ã‚’ä½¿ã‚ãªãã¦ã‚‚デãƒãƒƒã‚°å‡ºæ¥ã¾ã—ãŸãŒã€strip ã•ã‚ŒãŸãƒ—ãƒã‚°ãƒ©ãƒ ã®å ´åˆã¯ã€ã“ã®æƒ…å ±ãŒé‡è¦ã«ãªã‚Šã¾ã™ã€‚
エントリãƒã‚¤ãƒ³ãƒˆã¯ã€å…ˆã»ã©ã¨åŒã˜ã§ã€0x1060 ã‹ã‚‰å§‹ã¾ã£ã¦ã„ã¾ã™ã€‚
$ file hello_world_strip.out
hello_world_strip.out: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV),
dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2,
BuildID[sha1]=89d00684582cd697b573c0fd49c38d4f17146450, for GNU/Linux 3.2.0, stripped
$ readelf -h hello_world_strip.out
ELF Header:
Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Class: ELF64
Data: 2 s complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: DYN (Position-Independent Executable file)
Machine: Advanced Micro Devices X86-64
Version: 0x1
Entry point address: 0x1060
Start of program headers: 64 (bytes into file)
Start of section headers: 12624 (bytes into file)
Flags: 0x0
Size of this header: 64 (bytes)
Size of program headers: 56 (bytes)
Number of program headers: 13
Size of section headers: 64 (bytes)
Number of section headers: 29
Section header string table index: 28
$ readelf -l hello_world_strip.out
Elf file type is DYN (Position-Independent Executable file)
Entry point 0x1060
There are 13 program headers, starting at offset 64
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flags Align
PHDR 0x0000000000000040 0x0000000000000040 0x0000000000000040 0x00000000000002d8 0x00000000000002d8 R 0x8
INTERP 0x0000000000000318 0x0000000000000318 0x0000000000000318 0x000000000000001c 0x000000000000001c R 0x1
[Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]
LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000670 0x0000000000000670 R 0x1000
LOAD 0x0000000000001000 0x0000000000001000 0x0000000000001000 0x00000000000001b9 0x00000000000001b9 R E 0x1000
LOAD 0x0000000000002000 0x0000000000002000 0x0000000000002000 0x0000000000000114 0x0000000000000114 R 0x1000
LOAD 0x0000000000002dd0 0x0000000000003dd0 0x0000000000003dd0 0x0000000000000250 0x0000000000000258 RW 0x1000
DYNAMIC 0x0000000000002de0 0x0000000000003de0 0x0000000000003de0 0x00000000000001e0 0x00000000000001e0 RW 0x8
NOTE 0x0000000000000338 0x0000000000000338 0x0000000000000338 0x0000000000000020 0x0000000000000020 R 0x8
NOTE 0x0000000000000358 0x0000000000000358 0x0000000000000358 0x0000000000000044 0x0000000000000044 R 0x4
GNU_PROPERTY 0x0000000000000338 0x0000000000000338 0x0000000000000338 0x0000000000000020 0x0000000000000020 R 0x8
GNU_EH_FRAME 0x0000000000002014 0x0000000000002014 0x0000000000002014 0x0000000000000034 0x0000000000000034 R 0x4
GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 RW 0x10
GNU_RELRO 0x0000000000002dd0 0x0000000000003dd0 0x0000000000003dd0 0x0000000000000230 0x0000000000000230 R 0x1
Section to Segment mapping:
Segment Sections...
00
01 .interp
02 .interp .note.gnu.property .note.gnu.build-id .note.ABI-tag .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt
03 .init .plt .plt.got .text .fini
04 .rodata .eh_frame_hdr .eh_frame
05 .init_array .fini_array .dynamic .got .got.plt .data .bss
06 .dynamic
07 .note.gnu.property
08 .note.gnu.build-id .note.ABI-tag
09 .note.gnu.property
10 .eh_frame_hdr
11
12 .init_array .fini_array .dynamic .got
$ readelf -S hello_world_strip.out
There are 29 section headers, starting at offset 0x3150:
Section Headers:
[Nr] Name Type Address Offset Size EntSize Flags Link Info Align
[ 0] NULL 0000000000000000 00000000 0000000000000000 0000000000000000 0 0 0
[ 1] .interp PROGBITS 0000000000000318 00000318 000000000000001c 0000000000000000 A 0 0 1
[ 2] .note.gnu.pr[...] NOTE 0000000000000338 00000338 0000000000000020 0000000000000000 A 0 0 8
[ 3] .note.gnu.bu[...] NOTE 0000000000000358 00000358 0000000000000024 0000000000000000 A 0 0 4
[ 4] .note.ABI-tag NOTE 000000000000037c 0000037c 0000000000000020 0000000000000000 A 0 0 4
[ 5] .gnu.hash GNU_HASH 00000000000003a0 000003a0 0000000000000024 0000000000000000 A 6 0 8
[ 6] .dynsym DYNSYM 00000000000003c8 000003c8 00000000000000c0 0000000000000018 A 7 1 8
[ 7] .dynstr STRTAB 0000000000000488 00000488 00000000000000a8 0000000000000000 A 0 0 1
[ 8] .gnu.version VERSYM 0000000000000530 00000530 0000000000000010 0000000000000002 A 6 0 2
[ 9] .gnu.version_r VERNEED 0000000000000540 00000540 0000000000000040 0000000000000000 A 7 1 8
[10] .rela.dyn RELA 0000000000000580 00000580 00000000000000c0 0000000000000018 A 6 0 8
[11] .rela.plt RELA 0000000000000640 00000640 0000000000000030 0000000000000018 AI 6 24 8
[12] .init PROGBITS 0000000000001000 00001000 0000000000000017 0000000000000000 AX 0 0 4
[13] .plt PROGBITS 0000000000001020 00001020 0000000000000030 0000000000000010 AX 0 0 16
[14] .plt.got PROGBITS 0000000000001050 00001050 0000000000000008 0000000000000008 AX 0 0 8
[15] .text PROGBITS 0000000000001060 00001060 0000000000000150 0000000000000000 AX 0 0 16
[16] .fini PROGBITS 00000000000011b0 000011b0 0000000000000009 0000000000000000 AX 0 0 4
[17] .rodata PROGBITS 0000000000002000 00002000 0000000000000014 0000000000000000 A 0 0 4
[18] .eh_frame_hdr PROGBITS 0000000000002014 00002014 0000000000000034 0000000000000000 A 0 0 4
[19] .eh_frame PROGBITS 0000000000002048 00002048 00000000000000cc 0000000000000000 A 0 0 8
[20] .init_array INIT_ARRAY 0000000000003dd0 00002dd0 0000000000000008 0000000000000008 WA 0 0 8
[21] .fini_array FINI_ARRAY 0000000000003dd8 00002dd8 0000000000000008 0000000000000008 WA 0 0 8
[22] .dynamic DYNAMIC 0000000000003de0 00002de0 00000000000001e0 0000000000000010 WA 7 0 8
[23] .got PROGBITS 0000000000003fc0 00002fc0 0000000000000028 0000000000000008 WA 0 0 8
[24] .got.plt PROGBITS 0000000000003fe8 00002fe8 0000000000000028 0000000000000008 WA 0 0 8
[25] .data PROGBITS 0000000000004010 00003010 0000000000000010 0000000000000000 WA 0 0 8
[26] .bss NOBITS 0000000000004020 00003020 0000000000000008 0000000000000000 WA 0 0 1
[27] .comment PROGBITS 0000000000000000 00003020 000000000000001f 0000000000000001 MS 0 0 1
[28] .shstrtab STRTAB 0000000000000000 0000303f 000000000000010a 0000000000000000 0 0 1
Key to Flags:
W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
L (link order), O (extra OS processing required), G (group), T (TLS),
C (compressed), x (unknown), o (OS specific), E (exclude),
D (mbind), l (large), p (processor specific)
Ghidraを使ã£ã¦main関数ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’特定ã™ã‚‹
hello_world_strip.out ã«ã¤ã„ã¦ã€Ghidra を使ã£ã¦è§£æžã—ã¾ã™ã€‚
Ghidra ã®ç’°å¢ƒæ§‹ç¯‰ã¨ä½¿ã„æ–¹ã«ã¤ã„ã¦ã¯ã€ä»¥ä¸‹ã‚’å‚ç…§ã—ã¦ãã ã•ã„。
daisuke20240310.hatenablog.com
daisuke20240310.hatenablog.com
Ghidra ã‚’èµ·å‹•ã—ã¦ã€hello-world-strip ã¨ã„ã†åå‰ã§ãƒ—ãƒã‚¸ã‚§ã‚¯ãƒˆã‚’作りã€hello_world_strip.out を解æžã•ã›ã¾ã™ã€‚解æžãŒçµ‚ã‚ã‚‹ã¨ã€entry ãŒè¡¨ç¤ºã•ã‚Œã¾ã—ãŸã€‚ãªãŠã€Window → Memory Map ã‚’é–‹ãã€å®¶ã®ã‚¢ã‚¤ã‚³ãƒ³ã‚’クリックã—ã¦ã€Base Image Address ã¯ã€0 ã«å¤‰æ›´ã—ã¾ã—ãŸã€‚
逆コンパイル画é¢ã‚’見るã¨ã€__libc_start_main() ãŒè¦‹ãˆã¾ã™ã€‚第1引数㌠main関数ãªã®ã§ã€FUN_00001185 をダブルクリックã—ã¾ã™ã€‚
Ghidraã§entryãŒè¡¨ç¤ºã•ã‚ŒãŸã¨ã“ã‚
ã™ã‚‹ã¨ã€main関数ãŒè¡¨ç¤ºã•ã‚Œã¾ã—ãŸã€‚main関数ã¨ã¯æ›¸ã„ã¦ã¾ã›ã‚“ãŒã€å…ˆã»ã©ã¨åŒã˜ã‚¢ã‚»ãƒ³ãƒ–ラコードãŒä¸¦ã‚“ã§ã„ã¾ã™ã€‚
Ghidraã§main関数ãŒè¡¨ç¤ºã•ã‚ŒãŸã¨ã“ã‚
main関数ã®å…ˆé アドレスã¯ã€ãƒ•ã‚¡ã‚¤ãƒ«ã®å…ˆé ã‹ã‚‰ 0x1185 ã«ã‚ã‚‹ã“ã¨ãŒåˆ†ã‹ã‚Šã¾ã—ãŸã€‚
GDBã§ãƒ‡ãƒãƒƒã‚°ã‚’開始ã—ã¦ã¿ã‚‹
ã§ã¯ã€GDB ã‚’èµ·å‹•ã—ã¦ã¿ã¾ã™ã€‚å…ˆã»ã©ã¨é•ã£ã¦ã€ã‚·ãƒ³ãƒœãƒ«æƒ…å ±ãŒèªã¿è¾¼ã¾ã‚Œã¾ã›ã‚“ã§ã—ãŸã€‚
$ gdb -q hello_world_strip.out
no key sequence terminator:
Reading symbols from hello_world_strip.out...
(No debugging symbols found in hello_world_strip.out)
gdb-peda$
ã¾ãšã€å…ˆã»ã©ã¨åŒã˜ã‚ˆã†ã«ã€start を実行ã—ã¦ã¿ã¾ã™ã€‚_start ã§æ¢ã¾ã£ã¦ãã‚Œã¾ã—ãŸã€‚
gdb-peda$ start
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x0
RCX: 0x0
RDX: 0x0
RSI: 0x0
RDI: 0x0
RBP: 0x0
RSP: 0x7fffffffe340 --> 0x1
RIP: 0x7ffff7fe5a40 (<_start>: mov rdi,rsp)
R8 : 0x0
R9 : 0x0
R10: 0x0
R11: 0x0
R12: 0x0
R13: 0x0
R14: 0x0
R15: 0x0
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x7ffff7fe5a35 <_dl_help+1285>: call 0x7ffff7fd1120 <_dl_init_paths>
0x7ffff7fe5a3a <_dl_help+1290>: jmp 0x7ffff7fe5560 <_dl_help+48>
0x7ffff7fe5a3f: nop
=> 0x7ffff7fe5a40 <_start>: mov rdi,rsp
0x7ffff7fe5a43 <_start+3>: call 0x7ffff7fe6640 <_dl_start>
0x7ffff7fe5a48 <_dl_start_user>: mov r12,rax
0x7ffff7fe5a4b <_dl_start_user+3>: mov rdx,QWORD PTR [rsp]
0x7ffff7fe5a4f <_dl_start_user+7>: mov rsi,rdx
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe340 --> 0x1
0008| 0x7fffffffe348 --> 0x7fffffffe5ce ("/home/user/svn/experiment/c/hello_world_strip.out")
0016| 0x7fffffffe350 --> 0x0
0024| 0x7fffffffe358 --> 0x7fffffffe600 ("SHELL=/bin/bash")
0032| 0x7fffffffe360 --> 0x7fffffffe610 ("NMAP_PRIVILEGED=")
0040| 0x7fffffffe368 --> 0x7fffffffe621 ("PWD=/home/user/svn/experiment/c")
0048| 0x7fffffffe370 --> 0x7fffffffe641 ("LOGNAME=user")
0056| 0x7fffffffe378 --> 0x7fffffffe64e ("XDG_SESSION_TYPE=tty")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Temporary breakpoint 1, 0x00007ffff7fe5a40 in _start () from /lib64/ld-linux-x86-64.so.2
gdb-peda$
ã“ã“ã§ã€ãƒ—ãƒã‚»ã‚¹ã®ãƒžãƒƒãƒ—を調ã¹ã¾ã™ã€‚hello_world_strip.out ã¯ã€0x555555554000 ã«ãƒãƒ¼ãƒ‰ã•ã‚Œã¦ã„ã‚‹ã“ã¨ãŒåˆ†ã‹ã‚Šã¾ã™ã€‚å…ˆã»ã©ã€main関数ã®ä½ç½®ã¯ã€å…ˆé ã‹ã‚‰ 0x1185 ã¨åˆ†ã‹ã£ãŸã®ã§ã€ã“れらを足ã™ã¨ã€0x555555551185 ã« main関数ãŒå˜åœ¨ã—ã¦ã„ã‚‹ã¯ãšã§ã™ã€‚
gdb-peda$ i proc map
process 81015
Mapped address spaces:
Start Addr End Addr Size Offset Perms objfile
0x555555554000 0x555555555000 0x1000 0x0 r--p /home/user/svn/experiment/c/hello_world_strip.out
0x555555555000 0x555555556000 0x1000 0x1000 r-xp /home/user/svn/experiment/c/hello_world_strip.out
0x555555556000 0x555555557000 0x1000 0x2000 r--p /home/user/svn/experiment/c/hello_world_strip.out
0x555555557000 0x555555559000 0x2000 0x2000 rw-p /home/user/svn/experiment/c/hello_world_strip.out
0x7ffff7fc5000 0x7ffff7fc9000 0x4000 0x0 r--p [vvar]
0x7ffff7fc9000 0x7ffff7fcb000 0x2000 0x0 r-xp [vdso]
0x7ffff7fcb000 0x7ffff7fcc000 0x1000 0x0 r--p /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
0x7ffff7fcc000 0x7ffff7ff1000 0x25000 0x1000 r-xp /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
0x7ffff7ff1000 0x7ffff7ffb000 0xa000 0x26000 r--p /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
0x7ffff7ffb000 0x7ffff7fff000 0x4000 0x30000 rw-p /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
0x7ffffffde000 0x7ffffffff000 0x21000 0x0 rw-p [stack]
gdb-peda$
main関数を表示ã—ã¦ã¿ã¾ã™ã€‚無事ã«ã€main関数ãŒè¡¨ç¤ºã•ã‚Œã¾ã—ãŸã€‚
gdb-peda$ x/10i 0x555555555185
0x555555555185: push rbp
0x555555555186: mov rbp,rsp
0x555555555189: sub rsp,0x20
0x55555555518d: mov DWORD PTR [rbp-0x14],edi
0x555555555190: mov QWORD PTR [rbp-0x20],rsi
0x555555555194: call 0x555555555149
0x555555555199: mov DWORD PTR [rbp-0x4],eax
0x55555555519c: cmp DWORD PTR [rbp-0x4],0x0
0x5555555551a0: jle 0x5555555551a9
0x5555555551a2: mov eax,0x0
ã‚ã¨ã¯ã€main関数ã«ãƒ–レークãƒã‚¤ãƒ³ãƒˆã‚’è¨å®šã—ã¦ã€å®Ÿè¡Œã™ã‚Œã°ã€å…ˆã»ã©ã¨åŒã˜ã‚ˆã†ã«ãƒ‡ãƒãƒƒã‚°ãŒå‡ºæ¥ã¾ã™ã€‚
$ b *0x555555555185
Breakpoint 2 at 0x555555555185
gdb-peda$ i b
Num Type Disp Enb Address What
2 breakpoint keep y 0x0000555555555185
gdb-peda$ c
Continuing.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[----------------------------------registers-----------------------------------]
RAX: 0x555555555185 (push rbp)
RBX: 0x7fffffffe348 --> 0x7fffffffe5ce ("/home/user/svn/experiment/c/hello_world_strip.out")
RCX: 0x555555557dd8 --> 0x555555555100 (endbr64)
RDX: 0x7fffffffe358 --> 0x7fffffffe600 ("SHELL=/bin/bash")
RSI: 0x7fffffffe348 --> 0x7fffffffe5ce ("/home/user/svn/experiment/c/hello_world_strip.out")
RDI: 0x1
RBP: 0x1
RSP: 0x7fffffffe238 --> 0x7ffff7df124a (<__libc_start_call_main+122>: mov edi,eax)
RIP: 0x555555555185 (push rbp)
R8 : 0x0
R9 : 0x7ffff7fcf680 (<_dl_fini>: push rbp)
R10: 0x7ffff7fcb878 --> 0xc00120000000e
R11: 0x7ffff7fe1930 (<_dl_audit_preinit>: mov eax,DWORD PTR [rip+0x1b4e2]
R12: 0x0
R13: 0x7fffffffe358 --> 0x7fffffffe600 ("SHELL=/bin/bash")
R14: 0x555555557dd8 --> 0x555555555100 (endbr64)
R15: 0x7ffff7ffd020 --> 0x7ffff7ffe2e0 --> 0x555555554000 --> 0x10102464c457f
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x555555555180: mov eax,DWORD PTR [rbp-0x4]
0x555555555183: leave
0x555555555184: ret
=> 0x555555555185: push rbp
0x555555555186: mov rbp,rsp
0x555555555189: sub rsp,0x20
0x55555555518d: mov DWORD PTR [rbp-0x14],edi
0x555555555190: mov QWORD PTR [rbp-0x20],rsi
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe238 --> 0x7ffff7df124a (<__libc_start_call_main+122>: mov edi,eax)
0008| 0x7fffffffe240 --> 0x0
0016| 0x7fffffffe248 --> 0x555555555185 (push rbp)
0024| 0x7fffffffe250 --> 0x100000000
0032| 0x7fffffffe258 --> 0x7fffffffe348 --> 0x7fffffffe5ce ("/home/user/svn/experiment/c/hello_world_strip.out")
0040| 0x7fffffffe260 --> 0x7fffffffe348 --> 0x7fffffffe5ce ("/home/user/svn/experiment/c/hello_world_strip.out")
0048| 0x7fffffffe268 --> 0x3c24da9e3bd1cf39
0056| 0x7fffffffe270 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Breakpoint 2, 0x0000555555555185 in ?? ()
gdb-peda$
strip ã•ã‚ŒãŸãƒ—ãƒã‚°ãƒ©ãƒ ã‚’ GDB ã§ãƒ‡ãƒãƒƒã‚°ã™ã‚‹æ–¹æ³•ã¯ä»¥ä¸Šã§ã™ã€‚
ç¾æ™‚点ã§åˆ†ã‹ã£ã¦ãªã„ã“ã¨
- lea命令ãªã©ã§ã€RAX ã«è¨å®šã—ãŸå¾Œã€ä»–ã®ãƒ¬ã‚¸ã‚¹ã‚¿ã« mov ã—ã¦ã‚‹ãŒã€æœ€åˆã‹ã‚‰ä»–ã®ãƒ¬ã‚¸ã‚¹ã‚¿ã‚’対象㫠lea命令を実行ã§ããªã„ã®ã‹ï¼Ÿ
- ã‚る関数ã§ã€ãƒãƒ¼ã‚«ãƒ«å¤‰æ•°ã¨ã—ã¦ã‚¹ã‚¿ãƒƒã‚¯ã‚’ 4byte ã—ã‹ä½¿ã£ã¦ã„ãªã„ã®ã«ã€ã‚¹ã‚¿ãƒƒã‚¯ã¯ 16byte 確ä¿ã•ã‚Œã¦ã„ãŸãŒã€ãªãœã‹ï¼Ÿï¼ˆ8byteã§ã„ã„ã®ã§ã¯ï¼Ÿï¼‰
- 関数呼ã³å‡ºã—時㫠EAX をゼãƒã‚¯ãƒªã‚¢ã—ã¦ã‹ã‚‰é–¢æ•°ã‚’呼ã³å‡ºã—ã¦ã„ãŸãŒã€ãªãœã‹ï¼Ÿ
- RDI 㨠RSI ã¯ã€éžç ´å£Šãƒ¬ã‚¸ã‚¹ã‚¿ãªã®ã«ã€ä¸Šä½ã§é€€é¿ã—ã¦ã„ã‚‹ã®ã¯ãªãœã‹ï¼Ÿ
デãƒãƒƒã‚°ã‚³ãƒ³ã‚½ãƒ¼ãƒ«ã§ã‚ˆã使ã†GDBコマンド
GDB ã§ã¯ã€ç¾åœ¨ã®ãƒ¬ã‚¸ã‚¹ã‚¿ã®å€¤ã‚’見ãŸã‚Šã€é€†ã‚¢ã‚»ãƒ³ãƒ–ラコードを見ãŸã‚Šã€ã‚¹ãƒ†ãƒƒãƒ—実行ã—ãŸã‚Šã™ã‚‹ã¨ãã«ã€GDBã®ã‚³ãƒžãƒ³ãƒ‰ã‚’一覧ã«ã—ã¦ãŠãã¾ã™ã€‚VSCode ã§ã€GDBコマンドを実行ã™ã‚‹ã«ã¯ã€ãƒ‡ãƒãƒƒã‚°ã‚³ãƒ³ã‚½ãƒ¼ãƒ«ã‚’é–‹ã„ã¦ã€ã€Œ-exec GDBコマンドã€ã¨å…¥åŠ›ã—ã¾ã™ã€‚
例ãˆã°ã€info registers ã®ã‚³ãƒžãƒ³ãƒ‰ãŒå®Ÿè¡Œã—ãŸã„å ´åˆã¯ã€ã€Œ-exec info registersã€ã¨å…¥åŠ›ã—ã¦ãƒªã‚¿ãƒ¼ãƒ³ã‚ーを押ã™ã¨å®Ÿè¡Œã§ãã¾ã™ã€‚ã‚‚ã¡ã‚ã‚“ã€çŸç¸®å½¢ã®ã€Œ-exec i rã€ã§ã‚‚åŒã˜ã“ã¨ãŒå‡ºæ¥ã¾ã™ã€‚
以下ã®è¡¨ã§ã¯ã€-exec ã¯çœç•¥ã—ã¦ã„ã¾ã™ã€‚ã¾ãŸã€ãªã‚‹ã¹ãçŸç¸®å½¢ã®æ–¹ã‚’書ã„ã¦ã„ãã¾ã™ã€‚
| コマンド |
内容 |
| start |
実行開始ã™ã‚‹ï¼ˆã‚·ãƒ³ãƒœãƒ«æƒ…å ±ãŒã‚ã‚Œã°main関数ã§æ¢ã¾ã‚‹ï¼‰ |
| r(run) |
実行開始ã™ã‚‹ï¼ˆmain関数ã§æ¢ã¾ã‚‰ãªã„) |
| c(continue) |
実行をå†é–‹ã™ã‚‹ |
| s(step) |
C言語ã®ã‚¹ãƒ†ãƒƒãƒ—実行をã™ã‚‹ |
| si |
アセンブラã®ã‚¹ãƒ†ãƒƒãƒ—実行をã™ã‚‹ |
| n(next) |
C言語ã®ã‚¹ãƒ†ãƒƒãƒ—オーãƒãƒ¼ï¼ˆé–¢æ•°ã«å…¥ã‚‰ãªã„)実行をã™ã‚‹ |
| ni |
アセンブラã®ã‚¹ãƒ†ãƒƒãƒ—オーãƒãƒ¼ï¼ˆé–¢æ•°ã«å…¥ã‚‰ãªã„)実行をã™ã‚‹ |
| fin(finish) |
関数を抜ã‘ã‚‹ã¾ã§å‡¦ç†ã‚’実行ã™ã‚‹ |
| b 関数å(break) |
指定ã—ãŸé–¢æ•°ã«ãƒ–レークãƒã‚¤ãƒ³ãƒˆã‚’è¨å®šã™ã‚‹ |
| b *アドレス |
指定ã—ãŸã‚¢ãƒ‰ãƒ¬ã‚¹ã«ãƒ–レークãƒã‚¤ãƒ³ãƒˆã‚’è¨å®šã™ã‚‹ |
| tb *アドレス(tbreak) |
指定ã—ãŸã‚¢ãƒ‰ãƒ¬ã‚¹ã«1度ã ã‘有効ãªãƒ–レークãƒã‚¤ãƒ³ãƒˆã‚’è¨å®šã™ã‚‹ |
| i b(info breakpoints) |
ブレークãƒã‚¤ãƒ³ãƒˆã®ä¸€è¦§ã‚’表示ã™ã‚‹ |
| d 削除ã™ã‚‹ãƒ–レークãƒã‚¤ãƒ³ãƒˆç•ªå·ï¼ˆdelete) |
上ã®ãƒ–レークãƒã‚¤ãƒ³ãƒˆã®ä¸€è¦§ã§å‰Šé™¤ã—ãŸã„番å·ã‚’指定ã™ã‚‹ã¨ãƒ–レークãƒã‚¤ãƒ³ãƒˆã‚’削除ã§ãã‚‹ |
| i r(info registers) |
æ•´æ•°ã®ãƒ¬ã‚¸ã‚¹ã‚¿ã‚’å…¨ã¦è¡¨ç¤ºã™ã‚‹ |
| i r $sp |
スタックãƒã‚¤ãƒ³ã‚¿ã®ãƒ¬ã‚¸ã‚¹ã‚¿ã‚’表示ã™ã‚‹ |
| i r $x0 $x1 |
x0 㨠x1 ã®ãƒ¬ã‚¸ã‚¹ã‚¿ã‚’表示ã™ã‚‹ |
| i proc map |
メモリマップを表示ã™ã‚‹ |
| x/b $sp |
SPãŒæŒ‡ã—ã¦ã„るメモリを1ãƒã‚¤ãƒˆè¡¨ç¤ºã™ã‚‹ |
| x/xb $sp |
SPãŒæŒ‡ã—ã¦ã„るメモリã®1ãƒã‚¤ãƒˆã‚’16進数ã§è¡¨ç¤ºã™ã‚‹ |
| x/xw $sp |
SPãŒæŒ‡ã—ã¦ã„るメモリã®1ワード(4byte)を16進数ã§è¡¨ç¤ºã™ã‚‹ |
| x/4xw $sp |
SPãŒæŒ‡ã—ã¦ã„るメモリã®4ワード(4byte×4)を16進数ã§è¡¨ç¤ºã™ã‚‹ |
| x/xg $sp |
SPãŒæŒ‡ã—ã¦ã„るメモリã®8ãƒã‚¤ãƒˆã‚’16進数ã§è¡¨ç¤ºã™ã‚‹ |
| x/s $sp |
SPãŒæŒ‡ã—ã¦ã„るメモリã®æ–‡å—列を表示ã™ã‚‹ |
| x/10i アドレス |
指定ã—ãŸã‚¢ãƒ‰ãƒ¬ã‚¹ã®ã‚³ãƒ¼ãƒ‰ã‚’表示ã™ã‚‹ |
| set $rax=0x10 |
指定ã®ãƒ¬ã‚¸ã‚¹ã‚¿ã«å€¤ã‚’書ã込む |
以é™ã¯ã€pwndbg ã‚’å°Žå…¥ã—ãŸå ´åˆã«ä½¿ãˆã‚‹ã‚³ãƒžãƒ³ãƒ‰ã§ã™ã€‚
| コマンド |
内容 |
| tele |
メモリをã„ã„æ„Ÿã˜ã«è¡¨ç¤ºã—ã¦ãれるã€ãƒ‡ãƒ•ã‚©ãƒ«ãƒˆã¯ã„ã¤ã‚‚表示ã—ã¦ãã‚Œã¦ã„ã‚‹ [ STACK ] ãŒè¡¨ç¤ºã•ã‚Œã‚‹ |
| tele rsp 20 |
スタック(rsp)を先é ã¨ã—ã¦20個分ã®å†…容をã„ã„æ„Ÿã˜ã«è¡¨ç¤ºã—ã¦ãれる |
| nearpc |
逆アセンブラを表示ã™ã‚‹ã€ãƒ‡ãƒ•ã‚©ãƒ«ãƒˆã¯ã„ã¤ã‚‚表示ã—ã¦ãã‚Œã¦ã„る逆アセンブラ |
| nearpc 20 |
逆アセンブラを20行分表示ã™ã‚‹ |
| elfheader |
セクションã®ã‚¢ãƒ‰ãƒ¬ã‚¹è¡¨ç¤º |
| got |
GOTé ˜åŸŸã®è¡¨ç¤º |
| vmmap |
メモリマップã®è¡¨ç¤º |
| retaddr |
リターンアドレスã®è¡¨ç¤º |
| heap |
ãƒ’ãƒ¼ãƒ—é ˜åŸŸã®ãƒãƒ£ãƒ³ã‚¯ãŒè¡¨ç¤ºã•ã‚Œã‚‹ |
| arena |
arenaã®æƒ…å ±ã®è¡¨ç¤º |
| bins |
binsã®æƒ…å ±ã®è¡¨ç¤º |
| fastbins |
fastbinsã®æƒ…å ±ã®è¡¨ç¤º |
| tcachebins |
tcachebinsã®æƒ…å ±ã®è¡¨ç¤º |
| unsortedbin |
unsortedbinã®æƒ…å ±ã®è¡¨ç¤º |
| largebins |
largebinsã®æƒ…å ±ã®è¡¨ç¤º |
| smallbins |
smallbinsã®æƒ…å ±ã®è¡¨ç¤º |
ãƒã‚¤ãƒŠãƒªã‚’扱ã†ã‚³ãƒžãƒ³ãƒ‰ã®ã¾ã¨ã‚
よã使ã†ãƒã‚¤ãƒŠãƒªã‚’扱ã†ã‚³ãƒžãƒ³ãƒ‰ã‚’列挙ã—ã¾ã™ã€‚
objdump ã«ã‚ˆã‚‹é€†ã‚¢ã‚»ãƒ³ãƒ–ラã®å‡ºåŠ›ã¯ã€ä½•ã‚‚指定ã—ãªã„å ´åˆã¯ã€AT&T記法ã¨å‘¼ã°ã‚Œã‚‹ãƒ•ã‚©ãƒ¼ãƒžãƒƒãƒˆã¨ãªã‚Šã¾ã™ã€‚ã“ã‚Œã¯ã€GDBã€Ghidra ã§è¦‹ã‹ã‘ã‚‹ Intel記法ã¨ã¯ã€ã‚½ãƒ¼ã‚¹ã¨ãƒ‡ã‚¹ãƒ†ã‚£ãƒãƒ¼ã‚·ãƒ§ãƒ³ãŒå…¥ã‚Œæ›¿ã‚ã‚‹ãŸã‚ã€å…¨ãç•°ãªã‚Šã¾ã™ã€‚常ã«ã€-M intel を指定ã™ã‚‹ã®ãŒãŠã™ã™ã‚ã§ã™ã€‚
| コマンド |
内容 |
| file a.out |
a.outã®ãƒ•ã‚¡ã‚¤ãƒ«ã®æ¦‚è¦ã‚’表示ã™ã‚‹ |
| strings a.out |
a.outã«å«ã¾ã‚Œã‚‹æ–‡å—列ã®ãƒ•ã‚¡ã‚¤ãƒ«ã®æ¦‚è¦ã‚’表示ã™ã‚‹ï¼ˆãƒ‡ãƒ•ã‚©ãƒ«ãƒˆï¼šå¯èªéƒ¨åˆ†ãŒ4æ–‡å—以上連続) |
| strip a.out |
a.outã«å«ã¾ã‚Œã‚‹ã‚·ãƒ³ãƒœãƒ«æƒ…å ±ã‚’ä¸€éƒ¨ã‚’æ®‹ã—ã¦å‰Šé™¤ã™ã‚‹ |
| objdump -M intel -d a.out > a.s |
逆アセンブラを出力ã™ã‚‹ |
| objdump -M intel -d -j .plt a.out |
特定ã®ã‚»ã‚¯ã‚·ãƒ§ãƒ³ã®é€†ã‚¢ã‚»ãƒ³ãƒ–ラを出力ã™ã‚‹ |
| readelf -h a.out |
ELFヘッダを出力ã™ã‚‹ |
| readelf -l a.out |
プãƒã‚°ãƒ©ãƒ ヘッダを出力ã™ã‚‹ |
| readelf -S a.out |
セクションヘッダを出力ã™ã‚‹ |
| readelf -s a.out |
シンボルテーブルを出力ã™ã‚‹ |
| readelf -r a.out |
リãƒã‚±ãƒ¼ã‚·ãƒ§ãƒ³æƒ…å ±ã‚’å‡ºåŠ›ã™ã‚‹ |
| checksec --file=a.out |
ã‚»ã‚ュリティ機構を出力ã™ã‚‹ |
x86-64ã®å‘½ä»¤ã¾ã¨ã‚
よã使ㆠx86-64 ã®å‘½ä»¤ã‚’ã¾ã¨ã‚ã¦ãŠãã¾ã™ã€‚
| 命令 |
内容 |
| mov dest, src |
src ã‚’ dest ã«ã‚³ãƒ”ーã™ã‚‹ |
| push value |
value をスタックã«ä¿å˜ã€RSP 㯠-8 |
| pop dest |
スタックã®å€¤ã‚’ dest ã«å–å¾—ã€RSP 㯠+8 |
| add dest, src |
dest 㨠src ã‚’åŠ ç®—ã—㦠dest ã«ä¿å˜ |
| sub dest, src |
dest ã‹ã‚‰ src を減算ã—㦠dest ã«ä¿å˜ |
| mul src |
RAX 㨠src ã‚’ä¹—ç®—ã—ã¦ä¸Šä½32bitã‚’ RDX ã«ä¸‹ä½32bitã‚’ RAX ã«ä¿å˜ï¼ˆRDX:RAX) ※8bitåŒå£«ã®ä¹—算㯠AX ã«ä¿å˜ã•ã‚Œã¦ RDX ã¯å½±éŸ¿ã‚’å—ã‘ãªã„ãŒã€ãれ以外㯠RDX ã¯æ›¸ãè¾¼ã¾ã‚Œã‚‹ã“ã¨ã«æ³¨æ„ |
| imul src |
オペランド㌠1ã¤ã®å ´åˆã¯ mul ã®ç¬¦å·ä»˜ç‰ˆã§ã€ã‚ªãƒšãƒ©ãƒ³ãƒ‰ãŒ2ã¤ã€3ã¤ã®å ´åˆã¯çµæžœãŒ RAX ã«ä¿å˜ã•ã‚Œã€RDX ã¯å½±éŸ¿ã‚’å—ã‘ãªã„ |
| div src |
上ä½32bitã‚’ RDX ã«ä¸‹ä½32bitã‚’ RAX(RDX:RAX)を src ã§é™¤ç®—ã—ã¦å•†ã‚’ RAX ã«ä½™ã‚Š RDX ã«ä¿å˜ |
| xor dest, src |
dest 㨠src を排他的論ç†å’Œã—㦠dest ã«ä¿å˜ |
| call function |
関数呼ã³å‡ºã— |
| ret |
関数ã‹ã‚‰å‘¼ã³å‡ºã—å…ƒã«æˆ»ã‚‹ |
| shl dest, src |
dest ã‚’ src ã ã‘左論ç†ã‚·ãƒ•ãƒˆã—㦠dest ã«ä¿å˜ |
| cmp src1, src2 |
src1 㨠src2 を比較ã—ã¦çµæžœã‚’ EFLAGSレジスタã«ã‚»ãƒƒãƒˆ |
| jmp address |
address ã«ç„¡æ¡ä»¶ã‚¸ãƒ£ãƒ³ãƒ— |
| jz address |
ゼãƒã®å ´åˆï¼ˆZF=1)㯠address ã«ã‚¸ãƒ£ãƒ³ãƒ— |
| jnz address |
ゼãƒã§ãªã„å ´åˆï¼ˆZF=0)㯠address ã«ã‚¸ãƒ£ãƒ³ãƒ— |
| jl address |
å°ã•ã„å ´åˆï¼ˆSF=0)㯠address ã«ã‚¸ãƒ£ãƒ³ãƒ— |
| jle address |
å°ã•ã„ã€ã¾ãŸã¯ã€ç‰ã—ã„å ´åˆã¯ address ã«ã‚¸ãƒ£ãƒ³ãƒ— |
| jg address |
大ãã„å ´åˆã¯ address ã«ã‚¸ãƒ£ãƒ³ãƒ— |
| jge |
大ãã„ã€ã¾ãŸã¯ã€ç‰ã—ã„å ´åˆã¯ address ã«ã‚¸ãƒ£ãƒ³ãƒ— |
ãŠã‚ã‚Šã«
今回ã¯ã€PC Linux ã®ã‚¢ã‚»ãƒ³ãƒ–ラをç†è§£ã—ã¦ã¿ã¾ã—ãŸã€‚x86-64 ã®ã‚¢ã‚»ãƒ³ãƒ–ラã¯ä»Šå›žåˆã‚ã¦ã§ã—ãŸãŒã€ARM ã¨ãã“ã¾ã§é•ã†ã¨ã„ã†ã‚ã‘ã§ã¯ãªã‹ã£ãŸã®ã§ã€ä½•ã¨ã‹ç°¡å˜ãªã¨ã“ã‚ã¯ç†è§£ã§ããŸã¨æ€ã„ã¾ã™ã€‚
æ–‡å—数㯠4万文å—を超ãˆã¾ã—ãŸã€‚ã ã„ã¶é‡ã„ã§ã™ï¼ˆç¬‘)。
今回ã¯ä»¥ä¸Šã§ã™ã€‚
最後ã«ãªã‚Šã¾ã—ãŸãŒã€ã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ã‚°ãƒ«ãƒ¼ãƒ—ã®ãƒ©ãƒ³ã‚ングã«å‚åŠ ä¸ã§ã™ã€‚
気楽ã«ãƒãƒãƒƒã¨ã‚ˆã‚ã—ããŠé¡˜ã„ã„ãŸã—ã¾ã™ðŸ™‡
今回ã¯ä»¥ä¸Šã§ã™ï¼
最後ã¾ã§ãŠèªã¿ã„ãŸã ãã€ã‚ã‚ŠãŒã¨ã†ã”ã–ã„ã¾ã—ãŸã€‚
