Assembly 如何为二进制炸弹缓冲此阶段
这就是阶段:
# phase_4(const char *input) -- gdb disassembly, AT&T syntax, SysV AMD64 (Linux).
# In:    rdi = input string from the user (untrusted; becomes strcpy's source)
# Out:   eax = 1 if the final XOR check passes, else 0
# Stack (offsets from rsp after the sub): 0x30 = strcpy destination buffer;
#        0x3c dword, 0x40 byte, 0x42 word, 0x44 word, 0x48 qword, 0x50 word =
#        fields written with constants BEFORE the strcpy and read AFTER it.
#        All of them sit above the destination buffer, and strcpy has no
#        length bound, so a long enough input reaches them -- that is the
#        "buffer overflow" the hint refers to.
# Every failed check except the last one calls bomb_ignition; the last one
# only produces the return value (presumably checked by the caller -- not
# visible here). No frame pointer, no callee-saved register is used, and no
# stack-canary check is present in this function.
0x00000000004013d9 <+0>: sub $0x2c8,%rsp # 712-byte frame; entry rsp%16==8, so rsp is 16-aligned at the call below
0x00000000004013e0 <+7>: mov %rdi,%rsi # rsi = input (2nd strcpy argument = source)
0x00000000004013e3 <+10>: movw $0x6cb,0x42(%rsp) # word @0x42 = 0x6cb   (later compared against 0x425b, a different value)
0x00000000004013ea <+17>: movw $0xcc26,0x50(%rsp) # word @0x50 = 0xcc26 (later compared against 0xcc26, the same value)
0x00000000004013f1 <+24>: movw $0x8a1,0x44(%rsp) # word @0x44 = 0x8a1   (later used, sign-extended, in the XOR check)
0x00000000004013f8 <+31>: movb $0x7,0x40(%rsp) # byte @0x40 = 0x07     (later compared against 0x57, a different value)
0x00000000004013fd <+36>: movl $0x12fad68e,0x3c(%rsp) # dword @0x3c = 0x12fad68e (later shifted left by 5 in the XOR check)
0x0000000000401405 <+44>: movq $0x0,0x48(%rsp) # qword @0x48 = 0 (later required to still be zero)
0x000000000040140e <+53>: lea 0x30(%rsp),%rdi # rdi = ADDRESS rsp+0x30 (not the value): 1st strcpy argument = destination
0x0000000000401413 <+58>: callq 0x400ca0 <strcpy@plt> # strcpy(rsp+0x30, input): unbounded copy up to and including the first NUL byte
0x0000000000401418 <+63>: movzbl 0x40(%rsp),%eax # eax = zero-extended byte @0x40 (16 bytes past the buffer start)
0x000000000040141d <+68>: cmp $0x57,%al # is it 0x57 ('W')? It was 0x07 before the strcpy, so only the copy can make this pass
0x000000000040141f <+70>: je 0x401426 <phase_4+77> # equal -> skip bomb_ignition
0x0000000000401421 <+72>: callq 0x401bbe <bomb_ignition> # failure path (falls through only if bomb_ignition returns)
0x0000000000401426 <+77>: movzwl 0x50(%rsp),%eax # eax = zero-extended word @0x50 (32 bytes past the buffer start)
0x000000000040142b <+82>: cmp $0xcc26,%ax # must still hold the 0xcc26 stored above
0x000000000040142f <+86>: je 0x401436 <phase_4+93> # equal -> skip bomb_ignition
0x0000000000401431 <+88>: callq 0x401bbe <bomb_ignition> # failure path
0x0000000000401436 <+93>: mov 0x48(%rsp),%rax # rax = qword @0x48 (24 bytes past the buffer start)
0x000000000040143b <+98>: test %rax,%rax # sets flags from rax & rax; rax itself is NOT modified
0x000000000040143e <+101>: je 0x401445 <phase_4+108> # rax == 0 -> skip bomb_ignition (the qword must remain zero)
0x0000000000401440 <+103>: callq 0x401bbe <bomb_ignition> # failure path (qword became non-zero)
0x0000000000401445 <+108>: movzwl 0x42(%rsp),%eax # eax = zero-extended word @0x42 (18 bytes past the buffer start)
0x000000000040144a <+113>: cmp $0x425b,%ax # is it 0x425b? It was 0x6cb before the strcpy
0x000000000040144e <+117>: je 0x401455 <phase_4+124> # equal -> skip bomb_ignition
0x0000000000401450 <+119>: callq 0x401bbe <bomb_ignition> # failure path
0x0000000000401455 <+124>: movzwl 0x44(%rsp),%edx # edx = zero-extended word @0x44 (20 bytes past the buffer start)
0x000000000040145a <+129>: mov 0x3c(%rsp),%eax # eax = dword @0x3c (12 bytes past the buffer start, i.e. right after a 12-byte buffer)
0x000000000040145e <+133>: shl $0x5,%eax # eax <<= 5 (i.e. * 32, high bits discarded)
0x0000000000401461 <+136>: movswl %dx,%edx # edx = SIGN-extended dx: bit 15 of the word @0x44 is replicated into bits 16..31
0x0000000000401464 <+139>: xor %edx,%eax # eax = (dword@0x3c << 5) ^ (int16)word@0x44
0x0000000000401466 <+141>: cmp $0x2e8ee3c5,%eax # final check; no bomb_ignition here, only a result flag
0x000000000040146b <+146>: sete %al # al = 1 if equal, else 0
0x000000000040146e <+149>: movzbl %al,%eax # return value: eax = 0 or 1
0x0000000000401471 <+152>: add $0x2c8,%rsp # release the frame
0x0000000000401478 <+159>: retq # return to caller
0x00000000004013d9:sub$0x2c8,%rsp#堆栈中保留0x2c8
0x00000000004013e0:mov%rdi,%rsi#rsi=rdi
0x00000000004013e3:movw$0x6cb,0x42(%rsp)#堆栈指针+0x42=0x6cb
0x00000000004013ea:movw$0xcc26,0x50(%rsp)#”
0x00000000004013f1:movw$0x8a1,0x44(%rsp)#”
0x00000000004013f8:movb$0x7,0x40(%rsp)#”
0x00000000004013fd:movl$0x12fad68e,0x3c(%rsp)#”
0x0000000000401405:movq$0x0,0x48(%rsp)#与上述相同,并具有相应的值
0x000000000040140e:lea 0x30(%rsp),%rdi#rdi=堆栈中0x30处的值
0x0000000000401413:callq 0x400ca0#字符串副本
0x0000000000401418:movzbl 0x40(%rsp),%eax#eax=堆栈中0x40处的值
0x000000000040141d:cmp$0x57,%al#将eax的低8位与0x57进行比较
0x000000000040141f:je 0x401426#如果相同,则继续
0x0000000000401421:callq 0x401bbe
0x0000000000401426:movzwl 0x50(%rsp),%eax#eax=堆栈中0x50处的值
0x000000000040142b:cmp$0xcc26,%ax#将eax的低16位与0xcc26进行比较
0x000000000040142f:je 0x401436#如果相同,则继续
0x0000000000401431:callq 0x401bbe
0x0000000000401436:mov 0x48(%rsp),%rax#rax=堆栈中0x48处的值
0x000000000040143b:test %rax,%rax#rax=rax&rax
0x000000000040143e:je 0x401445#如果相同,则继续
0x0000000000401440:callq 0x401bbe
0x0000000000401445:movzwl 0x42(%rsp),%eax#eax=堆栈中0x42处的值
0x000000000040144a:cmp$0x425b,%ax#将eax的低16位与0x425b进行比较
0x000000000040144e:je 0x401455#如果相同,则继续
0x0000000000401450:callq 0x401bbe
0x0000000000401455:movzwl 0x44(%rsp),%edx#edx=堆栈中0x44处的值
0x000000000040145a:mov 0x3c(%rsp),%eax#eax=堆栈中0x3c处的值
0x000000000040145e:shl$0x5,%eax#eax*=32
0x0000000000401461:movswl%dx,%edx#edx=rdx的低16位
0x0000000000401464:xor%edx,%eax#eax^=edx
0x0000000000401466:cmp$0x2e8ee3c5,%eax#比较eax和0x2e8ee3c5
0x000000000040146b:sete%al
0x000000000040146e:movzbl%al,%eax
0x0000000000401471:add$0x2c8,%rsp
0x0000000000401478:retq
我在旁边注释了我认为每条指令在做什么,但我无法理解整体逻辑。
我的猜测是,它接受输入并将其与放入堆栈的内容进行比较?我不确定 strcpy 把输入复制到了哪里。我猜它在 rax/eax 寄存器中,因为后面会把堆栈中的值与该寄存器进行比较。但我仍然不确定如何确定输入应该是什么。我尝试把它 mov 进堆栈的一些值(如 0x6cb、0x8a1 和 0x7)放到十六进制转 ASCII 的转换器里,但它们生成的字符无法作为输入,因为有些是表情符号之类的东西。“邪恶博士”给出的提示是“顺其自然,缓冲区溢出”,所以我确信这一阶段涉及缓冲区溢出。
感谢你的帮助,多谢各位。
你可以用一种非常简单的方式来看待它:
1. 查看 strcpy 函数(`man strcpy`)
2. 查看调用约定(在您的情况下,应该是一个 Linux 64 位文件)
通过寄存器传递的参数依次为 RDI、RSI、RDX、RCX、R8、R9 以及 XMM0–7
然后:
3. 启动调试器,在地址 0x0000000000401413 处设置断点,然后使用命令 `i r $rdi $rsi` 查看寄存器 RDI 和 RSI。
如果您能控制 $rsi 所指地址处的内容,就能覆盖 $rdi 所指地址处的内容。
“我不确定 strcpy 及其复制位置。” 您应该查看 Agner 的文档,第 7 节有一个表格列出了各操作系统上用于传参的寄存器。还请注意,它检查的一些值已经在堆栈上,而有些值则需要用不同的值覆盖。
char * strcpy ( char * destination, const char * source );
> strcpy(RDI, RSI)