
Assembly 如何为二进制炸弹缓冲此阶段


这就是阶段:

# phase_4 (x86-64, AT&T syntax, gdb disassembly). Symbol name taken from the
# jump targets <phase_4+NN> below. The single argument arrives in rdi (SysV
# ABI) and is presumably the user's input line -- not visible in this listing.
# Shape of the phase: pre-fill several stack slots, strcpy() the input into a
# buffer that sits just below those slots, then check the slots. Since strcpy
# has no length bound, an over-long input rewrites the slots -- that is the
# intended "buffer overflow" hint. Offsets below are relative to rsp after the
# sub; input byte i lands at rsp+0x30+i.
0x00000000004013d9 <+0>:     sub    $0x2c8,%rsp                 # 0x2c8-byte frame; no stack canary / bound check visible here
0x00000000004013e0 <+7>:     mov    %rdi,%rsi                   # rsi = 1st argument (the input) -> becomes strcpy's src
0x00000000004013e3 <+10>:    movw   $0x6cb,0x42(%rsp)           # word @+0x42 = 0x06cb; checked below against 0x425b, so it MUST be overwritten
0x00000000004013ea <+17>:    movw   $0xcc26,0x50(%rsp)          # word @+0x50 = 0xcc26; checked below for equality, so it must stay intact
0x00000000004013f1 <+24>:    movw   $0x8a1,0x44(%rsp)           # word @+0x44 = 0x08a1; feeds the final shl/xor check
0x00000000004013f8 <+31>:    movb   $0x7,0x40(%rsp)             # byte @+0x40 = 0x07; checked below against 0x57, so it MUST be overwritten
0x00000000004013fd <+36>:    movl   $0x12fad68e,0x3c(%rsp)      # dword @+0x3c = 0x12fad68e; feeds the final shl/xor check
0x0000000000401405 <+44>:    movq   $0x0,0x48(%rsp)             # qword @+0x48 = 0; checked below for zero, so it must stay intact
0x000000000040140e <+53>:    lea    0x30(%rsp),%rdi             # rdi = the ADDRESS rsp+0x30 (lea, not a load): strcpy's dest; the first pre-set slot (+0x3c) is only 12 bytes in
0x0000000000401413 <+58>:    callq  0x400ca0 <strcpy@plt>       # strcpy(rsp+0x30, input): unbounded copy up to and including the NUL terminator
0x0000000000401418 <+63>:    movzbl 0x40(%rsp),%eax             # eax = zero-extended byte @+0x40 (input byte 16 after the copy)
0x000000000040141d <+68>:    cmp    $0x57,%al                   # must be 0x57 ('W'); the pre-set 0x07 fails, so only an overflowing copy passes
0x000000000040141f <+70>:    je     0x401426 <phase_4+77>       # skip the detonation when equal
0x0000000000401421 <+72>:    callq  0x401bbe <bomb_ignition>    # otherwise: bomb
0x0000000000401426 <+77>:    movzwl 0x50(%rsp),%eax             # eax = zero-extended word @+0x50
0x000000000040142b <+82>:    cmp    $0xcc26,%ax                 # must still be the pre-set 0xcc26 -> the copy must not reach +0x50
0x000000000040142f <+86>:    je     0x401436 <phase_4+93>       # skip the detonation when equal
0x0000000000401431 <+88>:    callq  0x401bbe <bomb_ignition>    # otherwise: bomb
0x0000000000401436 <+93>:    mov    0x48(%rsp),%rax             # rax = qword @+0x48
0x000000000040143b <+98>:    test   %rax,%rax                   # sets flags from rax & rax; rax itself is NOT modified
0x000000000040143e <+101>:   je     0x401445 <phase_4+108>      # continue only if all 8 bytes are still 0 -> strcpy's NUL must land at or before +0x48, i.e. input <= 24 bytes
0x0000000000401440 <+103>:   callq  0x401bbe <bomb_ignition>    # otherwise: bomb
0x0000000000401445 <+108>:   movzwl 0x42(%rsp),%eax             # eax = zero-extended word @+0x42 (input bytes 18,19, little-endian)
0x000000000040144a <+113>:   cmp    $0x425b,%ax                 # must be 0x425b, i.e. byte 18 = 0x5b '[' and byte 19 = 0x42 'B'; the pre-set 0x06cb fails
0x000000000040144e <+117>:   je     0x401455 <phase_4+124>      # skip the detonation when equal
0x0000000000401450 <+119>:   callq  0x401bbe <bomb_ignition>    # otherwise: bomb
0x0000000000401455 <+124>:   movzwl 0x44(%rsp),%edx             # edx = zero-extended word @+0x44 (input bytes 20,21)
0x000000000040145a <+129>:   mov    0x3c(%rsp),%eax             # eax = dword @+0x3c (input bytes 12..15)
0x000000000040145e <+133>:   shl    $0x5,%eax                   # eax <<= 5 (32-bit: top 5 bits dropped, low 5 bits become 0)
0x0000000000401461 <+136>:   movswl %dx,%edx                    # edx = SIGN-extended low 16 bits of edx (byte 21 >= 0x80 makes it negative, flipping the upper 16 bits in the xor)
0x0000000000401464 <+139>:   xor    %edx,%eax                   # eax = (dword@+0x3c << 5) ^ sext16(word@+0x44)
0x0000000000401466 <+141>:   cmp    $0x2e8ee3c5,%eax            # final condition; its low 5 bits (0x05) can only come from word@+0x44. No bomb_ignition here -- the result is returned instead
0x000000000040146b <+146>:   sete   %al                         # al = 1 if equal, else 0
0x000000000040146e <+149>:   movzbl %al,%eax                    # return value 0/1 (the caller presumably detonates on 0 -- not visible here)
0x0000000000401471 <+152>:   add    $0x2c8,%rsp                     # tear down the frame
0x0000000000401478 <+159>:   retq                               # return
0x00000000004013d9:sub$0x2c8,%rsp#堆栈中保留0x2c8
0x00000000004013e0:mov%rdi,%rsi#rsi=rdi
0x00000000004013e3:movw$0x6cb,0x42(%rsp)#堆栈指针+0x42=0x6cb
0x00000000004013ea:movw$0xcc26,0x50(%rsp)#”
0x00000000004013f1:movw$0x8a1,0x44(%rsp)#”
0x00000000004013f8:movb$0x7,0x40(%rsp)#”
0x00000000004013fd:movl$0x12fad68e,0x3c(%rsp)#”
0x0000000000401405:movq$0x0,0x48(%rsp)#与上述相同,并具有相应的值
0x000000000040140e:lea 0x30(%rsp),%rdi#rdi=rsp+0x30这个地址(lea取的是地址,不是栈上的值):这就是strcpy的目标缓冲区
0x0000000000401413:callq 0x400ca0 <strcpy@plt>#strcpy(rsp+0x30, 输入):不限长度地复制直到NUL,输入第i个字节落在rsp+0x30+i
0x0000000000401418:movzbl 0x40(%rsp),%eax#eax=堆栈中0x40处的值
0x000000000040141d:cmp$0x57,%al#将eax的低8位与0x57进行比较
0x000000000040141f:je 0x401426#如果相同,则继续
0x0000000000401421:callq 0x401bbe
0x0000000000401426:movzwl 0x50(%rsp),%eax#eax=堆栈中0x50处的值
0x000000000040142b:cmp$0xcc26,%ax#将eax的低16位与0xcc26进行比较
0x000000000040142f:je 0x401436#如果相同,则继续
0x0000000000401431:callq 0x401bbe <bomb_ignition>
0x0000000000401436:mov 0x48(%rsp),%rax#rax=堆栈中0x48处的值
0x000000000040143b:test %rax,%rax#按rax&rax设置标志位,rax本身不变
0x000000000040143e:je 0x401445#如果rax为0,则继续
0x0000000000401440:callq 0x401bbe <bomb_ignition>
0x0000000000401445:movzwl 0x42(%rsp),%eax#eax=堆栈中0x42处的值
0x000000000040144a:cmp$0x425b,%ax#将eax的低16位与0x425b进行比较
0x000000000040144e:je 0x401455#如果相同,则继续
0x0000000000401450:callq 0x401bbe
0x0000000000401455:movzwl 0x44(%rsp),%edx#edx=堆栈中0x44处的值
0x000000000040145a:mov 0x3c(%rsp),%eax#eax=堆栈中0x3c处的值
0x000000000040145e:shl$0x5,%eax#eax<<=5(32位运算,相当于乘32,高5位丢弃)
0x0000000000401461:movswl%dx,%edx#edx=dx(低16位)符号扩展到32位
0x0000000000401464:xor%edx,%eax#eax^=edx
0x0000000000401466:cmp$0x2e8ee3c5,%eax#比较eax和0x2e8ee3c5
0x000000000040146b:sete%al#相等则al=1,否则al=0
0x000000000040146e:movzbl%al,%eax#返回值为0/1(这一步不直接调用bomb_ignition)
0x0000000000401471:add$0x2c8,%rsp#释放栈帧
0x0000000000401478:retq
我在旁边注释了我认为每条指令在做什么,但我无法理解整体逻辑。

我的猜测是,它接受输入并将其与放入堆栈的内容进行比较?我不确定 strcpy 把输入复制到了哪里。我猜它在 rax/eax 寄存器中,因为它会将堆栈中的值与该值进行比较。但是我仍然不确定如何确定输入应该是什么。我尝试把它 mov 进堆栈的一些值,如 0x6cb、0x8a1、0x7,放进十六进制转 ASCII 的转换器,但它们生成的字符不能作为输入,因为有些是表情符号之类的东西。“邪恶博士”给出的提示是“顺其自然,缓冲区溢出”,所以我确信这里存在缓冲区溢出。


我感谢你的帮助。多谢各位

你可以用一种非常简单的方式:
1- 查看 strcpy 函数(`man strcpy`)

2- 查看调用约定(在您的情况下,它应该是一个 Linux 64 位文件)

System V x86-64 约定:整数/指针参数依次放在 RDI、RSI、RDX、RCX、R8、R9 中,浮点参数放在 XMM0–7 中。然后:

3- 启动调试器,在 0x0000000000401413(调用 strcpy 的那条指令)处设置断点,然后用命令 `i r rdi rsi`(info registers)查看 RDI 和 RSI 两个寄存器:RDI 是目标缓冲区 rsp+0x30,RSI 是您的输入字符串。


如果您能控制 $rsi 所指的内容,您就能覆盖 $rdi 所指的内容。关键是 strcpy 不检查目标大小:它从 rsp+0x30 开始逐字节复制直到遇到 NUL,所以输入一旦超过 12 个字节就会依次盖掉上面预先写入的 +0x3c、+0x40、+0x42、+0x44 等槽位——这正是这一阶段要"利用"的缓冲区溢出。

“我不确定 strcpy 及其复制位置。”您应该查看 Agner Fog 的调用约定文档,第 7 节有一张表,列出了各操作系统下传参所用的寄存器。还请注意:它检查的值里,有些已经在栈上且必须保持原样(+0x48 的 8 字节 0 和 +0x50 的 0xcc26——也就是说复制进去的 NUL 终止符最晚只能落在 +0x48,输入不能超过 24 字节),有些则需要用不同的值覆盖(+0x40 的 7 要变成 0x57,+0x42 的 0x6cb 要变成 0x425b,而 +0x3c 和 +0x44 两处要满足最后那个 shl/xor 比较)。
char * strcpy ( char * destination, const char * source );
> strcpy(RDI, RSI),即 strcpy(dest = rsp+0x30, src = 传入的输入);它会一直复制到源字符串的 NUL 为止,不检查目标缓冲区大小。