
2.5 Linux Binary Analysis Fundamentals

5.1 Identifying a file with the file command

```
binary@binary-VirtualBox:~/code/chapter5$ file payload
payload: ASCII text
binary@binary-VirtualBox:~/code/chapter5$ base64 -d payload > decoded_payload
binary@binary-VirtualBox:~/code/chapter5$ ls
decoded_payload  levels.db  oracle  payload
binary@binary-VirtualBox:~/code/chapter5$ file -z decoded_payload
decoded_payload: POSIX tar archive (GNU) (gzip compressed data, last modified: Mon Apr 10 19:08:12 2017, from Unix)
binary@binary-VirtualBox:~/code/chapter5$ tar zxvf ./decoded_payload
ctf
67b8601
binary@binary-VirtualBox:~/code/chapter5$ ls
67b8601  ctf  decoded_payload  levels.db  oracle  payload
```

5.2 Checking dependencies with the ldd command

Caveat for untrusted samples: ldd resolves dependencies by running the dynamic loader over the binary, and its man page warns that this can end up executing code from the executable. For a sample you do not trust, read the NEEDED entries statically instead (`readelf -d ctf | grep NEEDED` or `objdump -p ctf | grep NEEDED`) and only run the binary inside a throwaway analysis VM, as is done here.

```
binary@binary-VirtualBox:~/code/chapter5$ ./ctf
./ctf: error while loading shared libraries: lib5ae9b7f.so: cannot open shared object file: No such file or directory
binary@binary-VirtualBox:~/code/chapter5$ ldd ctf
        linux-vdso.so.1 =>  (0x00007ffca9564000)
        lib5ae9b7f.so => not found
        libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f91ad011000)
        libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f91acdfb000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f91aca31000)
        libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f91ac728000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f91ad393000)
binary@binary-VirtualBox:~/code/chapter5$ grep 'ELF' * | more
Binary file 67b8601 matches
Binary file ctf matches
```

5.3 Inspecting a file's raw bytes with the xxd command

```
binary@binary-VirtualBox:~/code/chapter5$ xxd 67b8601 | head -n 15
00000000: 424d 3800 0c00 0000 0000 3600 0000 2800  BM8.......6...(.
00000010: 0000 0002 0000 0002 0000 0100 1800 0000  ................
00000020: 0000 0200 0c00 c01e 0000 c01e 0000 0000  ................
00000030: 0000 0000 7f45 4c46 0201 0100 0000 0000  .....ELF........
00000040: 0000 0000 0300 3e00 0100 0000 7009 0000  ......>.....p...
00000050: 0000 0000 4000 0000 0000 0000 7821 0000  ....@.......x!..
00000060: 0000 0000 0000 0000 4000 3800 0700 4000  ........@.8...@.
00000070: 1b00 1a00 0100 0000 0500 0000 0000 0000  ................
00000080: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000090: 0000 0000 f40e 0000 0000 0000 f40e 0000  ................
000000a0: 0000 0000 0000 2000 0000 0000 0100 0000  ...... .........
000000b0: 0600 0000 f01d 0000 0000 0000 f01d 2000  .............. .
000000c0: 0000 0000 f01d 2000 0000 0000 6802 0000  ...... .....h...
000000d0: 0000 0000 7002 0000 0000 0000 0000 2000  ....p......... .
000000e0: 0000 0000 0200 0000 0600 0000 081e 0000  ................
binary@binary-VirtualBox:~/code/chapter5$ dd skip=52 count=64 if=67b8601 of=elf_header bs=1
64+0 records in
64+0 records out
64 bytes copied, 0,000324368 s, 197 kB/s
binary@binary-VirtualBox:~/code/chapter5$ ls
67b8601  ctf  decoded_payload  elf_header  levels.db  oracle  payload
binary@binary-VirtualBox:~/code/chapter5$ xxd elf_header
00000000: 7f45 4c46 0201 0100 0000 0000 0000 0000  .ELF............
00000010: 0300 3e00 0100 0000 7009 0000 0000 0000  ..>.....p.......
00000020: 4000 0000 0000 0000 7821 0000 0000 0000  @.......x!......
00000030: 0000 0000 4000 3800 0700 4000 1b00 1a00  ....@.8...@.....
```

5.4 Parsing the ELF file format with the readelf command

```
binary@binary-VirtualBox:~/code/chapter5$ readelf -h elf_header
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              DYN (Shared object file)
  Machine:                           Advanced Micro Devices X86-64
  Version:                           0x1
  Entry point address:               0x970
  Start of program headers:          64 (bytes into file)
  Start of section headers:          8568 (bytes into file)
  Flags:                             0x0
  Size of this header:               64 (bytes)
  Size of program headers:           56 (bytes)
  Number of program headers:         7
  Size of section headers:           64 (bytes)
  Number of section headers:         27
  Section header string table index: 26
readelf: Error: Reading 0x6c0 bytes extends past end of file for section headers
readelf: Error: Reading 0x188 bytes extends past end of file for program headers
```
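The two readelf errors are expected: elf_header holds only the 64-byte header, while the program header table (7 × 56 = 0x188 bytes) starts at byte 64 and the section header table (27 × 64 = 0x6c0 bytes) at byte 8568 of the embedded object. The following Python script is an added example, not code from the original note, that does by hand what `grep ELF`, `dd` and `readelf -h` did above: it scans a byte string for the `\x7fELF` magic, decodes the ELF64 header with `struct`, reproduces readelf's "extends past end of file" checks, and computes how many bytes the whole embedded object occupies (8568 + 27 × 64 = 10296), which is the `count=` value that carves the complete library rather than just its header. The sample input is the first 128 bytes of 67b8601 transcribed from the xxd dump above (52-byte BMP prefix, the ELF header, and the start of the first program header); nothing beyond that is included, which is exactly why the table checks fail on it. The 10296-byte figure matches the st_size of lib5ae9b7f.so that strace reports in 5.7.

```python
import struct

ELF_MAGIC = b"\x7fELF"
# Elf64_Ehdr, little-endian: e_ident[16], e_type, e_machine, e_version, e_entry,
# e_phoff, e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize,
# e_shnum, e_shstrndx (64 bytes in total).
EHDR64 = struct.Struct("<16sHHIQQQIHHHHHH")
EHDR_FIELDS = ("e_ident", "e_type", "e_machine", "e_version", "e_entry",
               "e_phoff", "e_shoff", "e_flags", "e_ehsize", "e_phentsize",
               "e_phnum", "e_shentsize", "e_shnum", "e_shstrndx")
E_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}

# Constructed input: the first 128 bytes of 67b8601, transcribed from the
# xxd dump on this page (BMP header, then an ELF object at offset 52).
SAMPLE = bytes.fromhex(
    "424d38000c0000000000360000002800"
    "00000002000000020000010018000000"
    "000002000c00c01e0000c01e00000000"
    "000000007f454c460201010000000000"
    "0000000003003e000100000070090000"
    "00000000400000000000000078210000"
    "00000000000000004000380007004000"
    "1b001a00010000000500000000000000"
)


def find_elf_offsets(data: bytes) -> list:
    """Every offset at which an ELF magic appears (what `grep ELF` only hinted at)."""
    offsets, start = [], 0
    while (pos := data.find(ELF_MAGIC, start)) != -1:
        offsets.append(pos)
        start = pos + 1
    return offsets


def parse_elf64_header(data: bytes, off: int = 0) -> dict:
    """Decode the Elf64_Ehdr at `off`; only ELF64 / little-endian is handled."""
    ident = data[off:off + 16]
    if ident[:4] != ELF_MAGIC:
        raise ValueError("no ELF magic at offset %d" % off)
    if ident[4] != 2:
        raise ValueError("EI_CLASS is not ELFCLASS64")
    if ident[5] != 1:
        raise ValueError("EI_DATA is not ELFDATA2LSB")
    if len(data) - off < EHDR64.size:
        raise ValueError("truncated ELF header")
    hdr = dict(zip(EHDR_FIELDS, EHDR64.unpack_from(data, off)))
    hdr["offset"] = off
    hdr["type_name"] = E_TYPES.get(hdr["e_type"], "0x%x" % hdr["e_type"])
    return hdr


def table_problems(hdr: dict, total_len: int) -> list:
    """readelf's 'extends past end of file' check for both header tables."""
    problems = []
    base = hdr["offset"]
    for name, start, count, size in (
        ("section headers", hdr["e_shoff"], hdr["e_shnum"], hdr["e_shentsize"]),
        ("program headers", hdr["e_phoff"], hdr["e_phnum"], hdr["e_phentsize"]),
    ):
        if base + start + count * size > total_len:
            problems.append("reading 0x%x bytes extends past end of file for %s"
                            % (count * size, name))
    return problems


def elf_extent(hdr: dict) -> int:
    """Bytes from the ELF magic to the end of the section header table; GNU ld
    writes that table last, so this is the size of the whole embedded object."""
    return hdr["e_shoff"] + hdr["e_shnum"] * hdr["e_shentsize"]


def carve(data: bytes, hdr: dict) -> bytes:
    """Equivalent of `dd skip=<offset> count=<extent> bs=1` on the container."""
    return data[hdr["offset"]:hdr["offset"] + elf_extent(hdr)]


if __name__ == "__main__":
    for off in find_elf_offsets(SAMPLE):
        h = parse_elf64_header(SAMPLE, off)
        print("ELF at offset %d: %s, machine 0x%x, entry 0x%x, %d phdrs, %d shdrs"
              % (off, h["type_name"], h["e_machine"], h["e_entry"],
                 h["e_phnum"], h["e_shnum"]))
        for problem in table_problems(h, len(SAMPLE)):
            print("  warning:", problem)
        print("  full object is %d bytes; only %d are present here"
              % (elf_extent(h), len(SAMPLE) - off))
```

Run against the real 67b8601 (read the whole file into `data` instead of using `SAMPLE`) the same functions report a single ELF at offset 52 with no table problems, and `carve` returns the 10296-byte shared object.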

5.5 Analysing symbol information with the nm command

```
binary@binary-VirtualBox:~/code/chapter5$ nm lib5ae9b7f.so
nm: lib5ae9b7f.so: no symbols
binary@binary-VirtualBox:~/code/chapter5$ nm -D lib5ae9b7f.so
0000000000202058 B __bss_start
                 w __cxa_finalize
0000000000202058 D _edata
0000000000202060 B _end
0000000000000d20 T _fini
                 w __gmon_start__
00000000000008c0 T _init
                 w _ITM_deregisterTMCloneTable
                 w _ITM_registerTMCloneTable
                 w _Jv_RegisterClasses
                 U malloc
                 U memcpy
                 U __stack_chk_fail
0000000000000c60 T _Z11rc4_decryptP11rc4_state_tPhi
0000000000000c70 T _Z11rc4_decryptP11rc4_state_tRNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE
0000000000000b40 T _Z11rc4_encryptP11rc4_state_tPhi
0000000000000bc0 T _Z11rc4_encryptP11rc4_state_tRNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE
0000000000000cb0 T _Z8rc4_initP11rc4_state_tPhi
                 U _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE9_M_createERmm
                 U _ZSt19__throw_logic_errorPKc
binary@binary-VirtualBox:~/code/chapter5$ nm -D --demangle lib5ae9b7f.so
0000000000202058 B __bss_start
                 w __cxa_finalize
0000000000202058 D _edata
0000000000202060 B _end
0000000000000d20 T _fini
                 w __gmon_start__
00000000000008c0 T _init
                 w _ITM_deregisterTMCloneTable
                 w _ITM_registerTMCloneTable
                 w _Jv_RegisterClasses
                 U malloc
                 U memcpy
                 U __stack_chk_fail
0000000000000c60 T rc4_decrypt(rc4_state_t*, unsigned char*, int)
0000000000000c70 T rc4_decrypt(rc4_state_t*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&)
0000000000000b40 T rc4_encrypt(rc4_state_t*, unsigned char*, int)
0000000000000bc0 T rc4_encrypt(rc4_state_t*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&)
0000000000000cb0 T rc4_init(rc4_state_t*, unsigned char*, int)
                 U std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_create(unsigned long&, unsigned long)
                 U std::__throw_logic_error(char const*)
```

c++filt demangles a single name without re-running nm:

```
binary@binary-VirtualBox:~/code/chapter5$ c++filt _Z11rc4_decryptP11rc4_state_tPhi
rc4_decrypt(rc4_state_t*, unsigned char*, int)
binary@binary-VirtualBox:~/code/chapter5$ export LD_LIBRARY_PATH=`pwd`
binary@binary-VirtualBox:~/code/chapter5$ ls
67b8601  ctf  decoded_payload  elf_header  levels.db  lib5ae9b7f.so  oracle  payload
binary@binary-VirtualBox:~/code/chapter5$ ./ctf
binary@binary-VirtualBox:~/code/chapter5$ echo $?
1
```

The listing now contains lib5ae9b7f.so; the step that produced it is not recorded in this note. With LD_LIBRARY_PATH pointing at the working directory, the loader resolves lib5ae9b7f.so from there (the search order is visible in the strace output in 5.7), so ./ctf now starts and exits with status 1 instead of failing at load time. The same mechanism is what library-hijacking attacks rely on, so export it this way only in a disposable analysis environment.

5.6 Finding clues with the strings command

strings lists the printable character sequences contained in a binary, which is a quick way to spot format strings, messages, file names, environment variable names and keys before disassembling anything.
```
binary@binary-VirtualBox:~/code/chapter5$ strings ctf
/lib64/ld-linux-x86-64.so.2
lib5ae9b7f.so
__gmon_start__
_Jv_RegisterClasses
_ITM_deregisterTMCloneTable
_ITM_registerTMCloneTable
_Z8rc4_initP11rc4_state_tPhi
_init
_Z11rc4_decryptP11rc4_state_tRNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE
_fini
libstdc++.so.6
__gxx_personality_v0
_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE6assignEPKc
_ZdlPv
_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE9_M_assignERKS4_
libgcc_s.so.1
_Unwind_Resume
libc.so.6
__printf_chk
fopen
puts
__stack_chk_fail
fgets
fseek
fclose
getenv
strcmp
__libc_start_main
_edata
__bss_start
_end
GCC_3.0
CXXABI_1.3
GLIBCXX_3.4.21
GLIBCXX_3.4
GLIBC_2.4
GLIBC_2.3.4
GLIBC_2.2.5
D$ H
D$PH
|$@H
D$PH9
|$ H
D$0H9
|$`H
t$`H
|$`H
D$pH9
T$ H
L$ 1
T$@H
p I9
|$@H
D$PH9
|$ H
D$0H9
|$`H
T$pH
AWAVA
AUATL
[]A\A]A^A_
DEBUG: argv[1] = %s
checking '%s'
show_me_the_flag
>CMb
-v@P^:
flag = %s
guess again!
It's kinda like Louisiana. Or Dagobah. Dagobah - Where Yoda lives!
;*3$"
zPLR
GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.gcc_except_table
.init_array
.fini_array
.jcr
.dynamic
.got.plt
.data
.bss
.comment
```

5.7 Tracing system calls and library calls with strace and ltrace

```
binary@binary-VirtualBox:~/code/chapter5$ strace ./ctf show_me_the_flag
execve("./ctf", ["./ctf", "show_me_the_flag"], [/* 31 vars */]) = 0
brk(NULL)                               = 0x1d52000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/home/binary/code/chapter5/tls/x86_64/lib5ae9b7f.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/home/binary/code/chapter5/tls/x86_64", 0x7ffe2228e840) = -1 ENOENT (No such file or directory)
open("/home/binary/code/chapter5/tls/lib5ae9b7f.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/home/binary/code/chapter5/tls", 0x7ffe2228e840) = -1 ENOENT (No such file or directory)
open("/home/binary/code/chapter5/x86_64/lib5ae9b7f.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/home/binary/code/chapter5/x86_64", 0x7ffe2228e840) = -1 ENOENT (No such file or directory)
open("/home/binary/code/chapter5/lib5ae9b7f.so", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p\t\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0664, st_size=10296, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe5007a0000
mmap(NULL, 2105440, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fe500379000
mprotect(0x7fe50037a000, 2097152, PROT_NONE) = 0
mmap(0x7fe50057a000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0x7fe50057a000
close(3)                                = 0
open("/home/binary/code/chapter5/libstdc++.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=98537, ...}) = 0
mmap(NULL, 98537, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fe500787000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/usr/lib/x86_64-linux-gnu/libstdc++.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0 \235\10\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=1566440, ...}) = 0
mmap(NULL, 3675136, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fe4ffff7000
mprotect(0x7fe500169000, 2097152, PROT_NONE) = 0
mmap(0x7fe500369000, 49152, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x172000) = 0x7fe500369000
mmap(0x7fe500375000, 13312, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fe500375000
close(3)                                = 0
open("/home/binary/code/chapter5/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p*\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=89696, ...}) = 0
mmap(NULL, 2185488, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fe4ffde1000
mprotect(0x7fe4ffdf7000, 2093056, PROT_NONE) = 0
mmap(0x7fe4ffff6000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15000) = 0x7fe4ffff6000
close(3)                                = 0
open("/home/binary/code/chapter5/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\t\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1868984, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe500786000
mmap(NULL, 3971488, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fe4ffa17000
mprotect(0x7fe4ffbd7000, 2097152, PROT_NONE) = 0
mmap(0x7fe4ffdd7000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c0000) = 0x7fe4ffdd7000
mmap(0x7fe4ffddd000, 14752, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fe4ffddd000
close(3)                                = 0
open("/home/binary/code/chapter5/libm.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libm.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0V\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=1088952, ...}) = 0
mmap(NULL, 3178744, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fe4ff70e000
mprotect(0x7fe4ff816000, 2093056, PROT_NONE) = 0
mmap(0x7fe4ffa15000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x107000) = 0x7fe4ffa15000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe500785000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe500783000
arch_prctl(ARCH_SET_FS, 0x7fe500783740) = 0
mprotect(0x7fe4ffdd7000, 16384, PROT_READ) = 0
mprotect(0x7fe4ffa15000, 4096, PROT_READ) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe500782000
mprotect(0x7fe500369000, 40960, PROT_READ) = 0
mprotect(0x7fe50057a000, 4096, PROT_READ) = 0
mprotect(0x601000, 4096, PROT_READ)     = 0
mprotect(0x7fe5007a1000, 4096, PROT_READ) = 0
munmap(0x7fe500787000, 98537)           = 0
brk(NULL)                               = 0x1d52000
brk(0x1d84000)                          = 0x1d84000
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0
write(1, "checking 'show_me_the_flag'\n", 28checking 'show_me_the_flag'
) = 28
write(1, "ok\n", 3ok
) = 3
exit_group(1)                           = ?
+++ exited with 1 +++
binary@binary-VirtualBox:~/code/chapter5$ ltrace ./ctf show_me_the_flag
__libc_start_main(0x400bc0, 2, 0x7fffbecbace8, 0x4010c0 <unfinished ...>
__printf_chk(1, 0x401158, 0x7fffbecbb6e0, 160checking 'show_me_the_flag'
) = 28
strcmp("show_me_the_flag", "show_me_the_flag") = 0
puts("ok"ok
) = 3
_Z8rc4_initP11rc4_state_tPhi(0x7fffbecbaab0, 0x4011c0, 66, -1) = 0
_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE6assignEPKc(0x7fffbecba9f0, 0x40117b, 58, 3) = 0x7fffbecba9f0
_Z11rc4_decryptP11rc4_state_tRNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE(0x7fffbecbaa50, 0x7fffbecbaab0, 0x7fffbecba9f0, 0x7e889f91) = 0x7fffbecbaa50
_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE9_M_assignERKS4_(0x7fffbecba9f0, 0x7fffbecbaa50, 0x7fffbecbaa60, 0) = 0
getenv("GUESSME") = nil
+++ exited (status 1) +++
binary@binary-VirtualBox:~/code/chapter5$ ltrace -i -C ./ctf show_me_the_flag
[0x400fe9] __libc_start_main(0x400bc0, 2, 0x7ffe340a27d8, 0x4010c0 <unfinished ...>
[0x400c44] __printf_chk(1, 0x401158, 0x7ffe340a46e0, 160checking 'show_me_the_flag'
) = 28
[0x400c51] strcmp("show_me_the_flag", "show_me_the_flag") = 0
[0x400cf0] puts("ok"ok
) = 3
[0x400d07] rc4_init(rc4_state_t*, unsigned char*, int)(0x7ffe340a25a0, 0x4011c0, 66, -1) = 0
[0x400d14] std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::assign(char const*)(0x7ffe340a24e0, 0x40117b, 58, 3) = 0x7ffe340a24e0
[0x400d29] rc4_decrypt(rc4_state_t*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&)(0x7ffe340a2540, 0x7ffe340a25a0, 0x7ffe340a24e0, 0x7e889f91) = 0x7ffe340a2540
[0x400d36] std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_assign(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)(0x7ffe340a24e0, 0x7ffe340a2540, 0x7ffe340a2550, 0) = 0
[0x400d53] getenv("GUESSME") = nil
[0xffffffffffffffff] +++ exited (status 1) +++
```

The strace output shows the loader's search order for the missing library: the LD_LIBRARY_PATH directory (with its tls/ and x86_64/ hwcap subdirectories) is tried before /etc/ld.so.cache and the system directories, which is why exporting LD_LIBRARY_PATH in 5.5 made lib5ae9b7f.so resolvable. The ltrace runs then show that a single rc4_init call keys the cipher with the 0x42-byte string at 0x4011c0, that the first rc4_decrypt produces the name handed to getenv, and that the program gives up when GUESSME is unset.

A note on the two runs below: GUESSME=`foobar` uses backticks, so the shell tried to execute a command named foobar (hence "foobar: command not found") and assigned its empty output to GUESSME. That is why ltrace reports getenv("GUESSME") = "" rather than "foobar"; an empty guess still reaches the second decryption and the comparison, which fails with "guess again!". To pass a literal value, quote it instead: GUESSME='foobar'.

```
binary@binary-VirtualBox:~/code/chapter5$ GUESSME=`foobar` ./ctf show_me_the_flag
foobar: command not found
checking 'show_me_the_flag'
ok
guess again!
binary@binary-VirtualBox:~/code/chapter5$ GUESSME=`foobar` ltrace -i -C ./ctf show_me_the_flag
foobar: command not found
[0x400fe9] __libc_start_main(0x400bc0, 2, 0x7ffc47c27638, 0x4010c0 <unfinished ...>
[0x400c44] __printf_chk(1, 0x401158, 0x7ffc47c296d7, 160checking 'show_me_the_flag'
) = 28
[0x400c51] strcmp("show_me_the_flag", "show_me_the_flag") = 0
[0x400cf0] puts("ok"ok
) = 3
[0x400d07] rc4_init(rc4_state_t*, unsigned char*, int)(0x7ffc47c27400, 0x4011c0, 66, -1) = 0
[0x400d14] std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::assign(char const*)(0x7ffc47c27340, 0x40117b, 58, 3) = 0x7ffc47c27340
[0x400d29] rc4_decrypt(rc4_state_t*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&)(0x7ffc47c273a0, 0x7ffc47c27400, 0x7ffc47c27340, 0x7e889f91) = 0x7ffc47c273a0
[0x400d36] std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_assign(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)(0x7ffc47c27340, 0x7ffc47c273a0, 0x7ffc47c273b0, 0) = 0
[0x400d53] getenv("GUESSME") = ""
[0x400d6e] std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::assign(char const*)(0x7ffc47c27360, 0x401183, 5, 18) = 0x7ffc47c27360
[0x400d88] rc4_decrypt(rc4_state_t*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&)(0x7ffc47c273c0, 0x7ffc47c27400, 0x7ffc47c27360, 0x401183) = 0x7ffc47c273c0
[0x400d9a] std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_assign(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)(0x7ffc47c27360, 0x7ffc47c273c0, 0x1fb30a0, 0) = 0
[0x400db4] operator delete(void*)(0x1fb30a0, 0x1fb30a0, 21, 0) = 0
[0x400dd7] puts("guess again!"guess again!
) = 13
[0x400c8d] operator delete(void*)(0x1fb3050, 0x1fb2c20, 0x7fdfbb20b780, -1) = 0
[0xffffffffffffffff] +++ exited (status 1) +++
```

5.8 Examining machine-level behaviour with the objdump command

```
binary@binary-VirtualBox:~/code/chapter5$ objdump -s --section .rodata ctf

ctf:     file format elf64-x86-64

Contents of section .rodata:
 401140 01000200 44454255 473a2061 7267765b  ....DEBUG: argv[
 401150 315d203d 20257300 63686563 6b696e67  1] = %s.checking
 401160 20272573 270a0073 686f775f 6d655f74   '%s'..show_me_t
 401170 68655f66 6c616700 6f6b004f 89df919f  he_flag.ok.O....
 401180 887e009a 5b38babe 27ac0e3e 434d6285  .~..[8..'..>CMb.
 401190 55868954 3848a34d 00192d76 40505e3a  U..T8H.M..-v@P^:
 4011a0 00726200 666c6167 203d2025 730a0067  .rb.flag = %s..g
 4011b0 75657373 20616761 696e2100 00000000  uess again!.....
 4011c0 49742773 206b696e 6461206c 696b6520  It's kinda like 
 4011d0 4c6f7569 7369616e 612e204f 72204461  Louisiana. Or Da
 4011e0 676f6261 682e2044 61676f62 6168202d  gobah. Dagobah -
 4011f0 20576865 72652059 6f646120 6c697665   Where Yoda live
 401200 73210000 00000000                    s!......
binary@binary-VirtualBox:~/code/chapter5$
```
```
binary@binary-VirtualBox:~/code/chapter5$ objdump -M intel -d ctf

ctf:     file format elf64-x86-64


Disassembly of section .init:

0000000000400a68 <_init@@Base>:
  400a68:  48 83 ec 08              sub    rsp,0x8
  400a6c:  48 8b 05 85 15 20 00     mov    rax,QWORD PTR [rip+0x201585]        # 601ff8 <_fini@@Base+0x200ec4>
  400a73:  48 85 c0                 test   rax,rax
  400a76:  74 05                    je     400a7d <_init@@Base+0x15>
  400a78:  e8 33 01 00 00           call   400bb0 <_Unwind_Resume@plt+0x10>
  400a7d:  48 83 c4 08              add    rsp,0x8
  400a81:  c3                       ret

Disassembly of section .plt:

0000000000400a90 <_Z11rc4_decryptP11rc4_state_tRNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE@plt-0x10>:
  400a90:  ff 35 72 15 20 00        push   QWORD PTR [rip+0x201572]        # 602008 <_fini@@Base+0x200ed4>
  400a96:  ff 25 74 15 20 00        jmp    QWORD PTR [rip+0x201574]        # 602010 <_fini@@Base+0x200edc>
  400a9c:  0f 1f 40 00              nop    DWORD PTR [rax+0x0]

0000000000400aa0 <_Z11rc4_decryptP11rc4_state_tRNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE@plt>:
  400aa0:  ff 25 72 15 20 00        jmp    QWORD PTR [rip+0x201572]        # 602018 <_fini@@Base+0x200ee4>
  400aa6:  68 00 00 00 00           push   0x0
  400aab:  e9 e0 ff ff ff           jmp    400a90 <_init@@Base+0x28>

0000000000400ab0 <puts@plt>:
  400ab0:  ff 25 6a 15 20 00        jmp    QWORD PTR [rip+0x20156a]        # 602020 <_fini@@Base+0x200eec>
  400ab6:  68 01 00 00 00           push   0x1
  400abb:  e9 d0 ff ff ff           jmp    400a90 <_init@@Base+0x28>

0000000000400ac0 <fseek@plt>:
  400ac0:  ff 25 62 15 20 00        jmp    QWORD PTR [rip+0x201562]        # 602028 <_fini@@Base+0x200ef4>
  400ac6:  68 02 00 00 00           push   0x2
  400acb:  e9 c0 ff ff ff           jmp    400a90 <_init@@Base+0x28>

0000000000400ad0 <_ZdlPv@plt>:
  400ad0:  ff 25 5a 15 20 00        jmp    QWORD PTR [rip+0x20155a]        # 602030 <_fini@@Base+0x200efc>
  400ad6:  68 03 00 00 00           push   0x3
  400adb:  e9 b0 ff ff ff           jmp    400a90 <_init@@Base+0x28>

0000000000400ae0 <__printf_chk@plt>:
  400ae0:  ff 25 52 15 20 00        jmp    QWORD PTR [rip+0x201552]        # 602038 <_fini@@Base+0x200f04>
  400ae6:  68 04 00 00 00           push   0x4
  400aeb:  e9 a0 ff ff ff           jmp    400a90 <_init@@Base+0x28>

0000000000400af0 <fopen@plt>:
  400af0:  ff 25 4a 15 20 00        jmp    QWORD PTR [rip+0x20154a]        # 602040 <_fini@@Base+0x200f0c>
  400af6:  68 05 00 00 00           push   0x5
  400afb:  e9 90 ff ff ff           jmp    400a90 <_init@@Base+0x28>

0000000000400b00 <__libc_start_main@plt>:
  400b00:  ff 25 42 15 20 00        jmp    QWORD PTR [rip+0x201542]        # 602048 <_fini@@Base+0x200f14>
  400b06:  68 06 00 00 00           push   0x6
  400b0b:  e9 80 ff ff ff           jmp    400a90 <_init@@Base+0x28>

0000000000400b10 <fgets@plt>:
  400b10:  ff 25 3a 15 20 00        jmp    QWORD PTR [rip+0x20153a]        # 602050 <_fini@@Base+0x200f1c>
  400b16:  68 07 00 00 00           push   0x7
  400b1b:  e9 70 ff ff ff           jmp    400a90 <_init@@Base+0x28>

0000000000400b20 <_Z8rc4_initP11rc4_state_tPhi@plt>:
  400b20:  ff 25 32 15 20 00        jmp    QWORD PTR [rip+0x201532]        # 602058 <_fini@@Base+0x200f24>
  400b26:  68 08 00 00 00           push   0x8
  400b2b:  e9 60 ff ff ff           jmp    400a90 <_init@@Base+0x28>

0000000000400b30 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE9_M_assignERKS4_@plt>:
  400b30:  ff 25 2a 15 20 00        jmp    QWORD PTR [rip+0x20152a]        # 602060 <_fini@@Base+0x200f2c>
  400b36:  68 09 00 00 00           push   0x9
  400b3b:  e9 50 ff ff ff           jmp    400a90 <_init@@Base+0x28>

0000000000400b40 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE6assignEPKc@plt>:
  400b40:  ff 25 22 15 20 00        jmp    QWORD PTR [rip+0x201522]        # 602068 <_fini@@Base+0x200f34>
  400b46:  68 0a 00 00 00           push   0xa
  400b4b:  e9 40 ff ff ff           jmp    400a90 <_init@@Base+0x28>

0000000000400b50 <getenv@plt>:
  400b50:  ff 25 1a 15 20 00        jmp    QWORD PTR [rip+0x20151a]        # 602070 <_fini@@Base+0x200f3c>
  400b56:  68 0b 00 00 00           push   0xb
  400b5b:  e9 30 ff ff ff           jmp    400a90 <_init@@Base+0x28>

0000000000400b60 <__stack_chk_fail@plt>:
  400b60:  ff 25 12 15 20 00        jmp    QWORD PTR [rip+0x201512]        # 602078 <_fini@@Base+0x200f44>
  400b66:  68 0c 00 00 00           push   0xc
  400b6b:  e9 20 ff ff ff           jmp    400a90 <_init@@Base+0x28>

0000000000400b70 <strcmp@plt>:
  400b70:  ff 25 0a 15 20 00        jmp    QWORD PTR [rip+0x20150a]        # 602080 <_fini@@Base+0x200f4c>
  400b76:  68 0d 00 00 00           push   0xd
  400b7b:  e9 10 ff ff ff           jmp    400a90 <_init@@Base+0x28>

0000000000400b80 <fclose@plt>:
  400b80:  ff 25 02 15 20 00        jmp    QWORD PTR [rip+0x201502]        # 602088 <_fini@@Base+0x200f54>
  400b86:  68 0e 00 00 00           push   0xe
  400b8b:  e9 00 ff ff ff           jmp    400a90 <_init@@Base+0x28>

0000000000400b90 <__gxx_personality_v0@plt>:
  400b90:  ff 25 fa 14 20 00        jmp    QWORD PTR [rip+0x2014fa]        # 602090 <_fini@@Base+0x200f5c>
  400b96:  68 0f 00 00 00           push   0xf
  400b9b:  e9 f0 fe ff ff           jmp    400a90 <_init@@Base+0x28>

0000000000400ba0 <_Unwind_Resume@plt>:
  400ba0:  ff 25 f2 14 20 00        jmp    QWORD PTR [rip+0x2014f2]        # 602098 <_fini@@Base+0x200f64>
  400ba6:  68 10 00 00 00           push   0x10
  400bab:  e9 e0 fe ff ff           jmp    400a90 <_init@@Base+0x28>

Disassembly of section .plt.got:

0000000000400bb0 <.plt.got>:
  400bb0:  ff 25 42 14 20 00        jmp    QWORD PTR [rip+0x201442]        # 601ff8 <_fini@@Base+0x200ec4>
  400bb6:  66 90                    xchg   ax,ax

Disassembly of section .text:

0000000000400bc0 <.text>:
  400bc0:  55                       push   rbp
  400bc1:  53                       push   rbx
  400bc2:  48 81 ec 08 02 00 00     sub    rsp,0x208
  400bc9:  64 48 8b 04 25 28 00     mov    rax,QWORD PTR fs:0x28
  400bd0:  00 00
  400bd2:  48 89 84 24 f8 01 00     mov    QWORD PTR [rsp+0x1f8],rax
  400bd9:  00
  400bda:  31 c0                    xor    eax,eax
  400bdc:  48 8d 44 24 10           lea    rax,[rsp+0x10]
  400be1:  83 ff 01                 cmp    edi,0x1
  400be4:  48 c7 44 24 08 00 00     mov    QWORD PTR [rsp+0x8],0x0
  400beb:  00 00
  400bed:  c6 44 24 10 00           mov    BYTE PTR [rsp+0x10],0x0
  400bf2:  48 c7 44 24 28 00 00     mov    QWORD PTR [rsp+0x28],0x0
  400bf9:  00 00
  400bfb:  48 89 04 24              mov    QWORD PTR [rsp],rax
  400bff:  48 8d 44 24 30           lea    rax,[rsp+0x30]
  400c04:  c6 44 24 30 00           mov    BYTE PTR [rsp+0x30],0x0
  400c09:  48 c7 44 24 48 00 00     mov    QWORD PTR [rsp+0x48],0x0
  400c10:  00 00
  400c12:  c6 44 24 50 00           mov    BYTE PTR [rsp+0x50],0x0
  400c17:  48 89 44 24 20           mov    QWORD PTR [rsp+0x20],rax
  400c1c:  48 8d 44 24 50           lea    rax,[rsp+0x50]
  400c21:  48 89 44 24 40           mov    QWORD PTR [rsp+0x40],rax
  400c26:  0f 8e 97 00 00 00        jle    400cc3 <_Unwind_Resume@plt+0x123>
  400c2c:  48 8b 5e 08              mov    rbx,QWORD PTR [rsi+0x8]
  400c30:  bf 01 00 00 00           mov    edi,0x1
  400c35:  be 58 11 40 00           mov    esi,0x401158
  400c3a:  31 c0                    xor    eax,eax
  400c3c:  48 89 da                 mov    rdx,rbx
  400c3f:  e8 9c fe ff ff           call   400ae0 <__printf_chk@plt>
  400c44:  be 67 11 40 00           mov    esi,0x401167
  400c49:  48 89 df                 mov    rdi,rbx
  400c4c:  e8 1f ff ff ff           call   400b70 <strcmp@plt>
  400c51:  85 c0                    test   eax,eax
  400c53:  0f 84 8d 00 00 00        je     400ce6 <_Unwind_Resume@plt+0x146>
  400c59:  0f 1f 80 00 00 00 00     nop    DWORD PTR [rax+0x0]
  400c60:  bb 01 00 00 00           mov    ebx,0x1
  400c65:  48 8b 7c 24 40           mov    rdi,QWORD PTR [rsp+0x40]
  400c6a:  48 8d 44 24 50           lea    rax,[rsp+0x50]
  400c6f:  48 39 c7                 cmp    rdi,rax
  400c72:  74 05                    je     400c79 <_Unwind_Resume@plt+0xd9>
  400c74:  e8 57 fe ff ff           call   400ad0 <_ZdlPv@plt>
  400c79:  48 8b 7c 24 20           mov    rdi,QWORD PTR [rsp+0x20]
  400c7e:  48 8d 44 24 30           lea    rax,[rsp+0x30]
  400c83:  48 39 c7                 cmp    rdi,rax
  400c86:  74 05                    je     400c8d <_Unwind_Resume@plt+0xed>
  400c88:  e8 43 fe ff ff           call   400ad0 <_ZdlPv@plt>
  400c8d:  48 8b 3c 24              mov    rdi,QWORD PTR [rsp]
  400c91:  48 8d 44 24 10           lea    rax,[rsp+0x10]
  400c96:  48 39 c7                 cmp    rdi,rax
  400c99:  74 05                    je     400ca0 <_Unwind_Resume@plt+0x100>
  400c9b:  e8 30 fe ff ff           call   400ad0 <_ZdlPv@plt>
  400ca0:  48 8b 8c 24 f8 01 00     mov    rcx,QWORD PTR [rsp+0x1f8]
  400ca7:  00
  400ca8:  64 48 33 0c 25 28 00     xor    rcx,QWORD PTR fs:0x28
  400caf:  00 00
  400cb1:  89 d8                    mov    eax,ebx
  400cb3:  0f 85 67 02 00 00        jne    400f20 <_Unwind_Resume@plt+0x380>
  400cb9:  48 81 c4 08 02 00 00     add    rsp,0x208
  400cc0:  5b                       pop    rbx
  400cc1:  5d                       pop    rbp
  400cc2:  c3                       ret
  400cc3:  83 3d ea 13 20 00 00     cmp    DWORD PTR [rip+0x2013ea],0x0        # 6020b4 <_edata@@Base+0x4>
  400cca:  74 94                    je     400c60 <_Unwind_Resume@plt+0xc0>
  400ccc:  48 8b 56 08              mov    rdx,QWORD PTR [rsi+0x8]
  400cd0:  bf 01 00 00 00           mov    edi,0x1
  400cd5:  be 44 11 40 00           mov    esi,0x401144
  400cda:  31 c0                    xor    eax,eax
  400cdc:  e8 ff fd ff ff           call   400ae0 <__printf_chk@plt>
  400ce1:  e9 7a ff ff ff           jmp    400c60 <_Unwind_Resume@plt+0xc0>
  400ce6:  bf 78 11 40 00           mov    edi,0x401178
  400ceb:  e8 c0 fd ff ff           call   400ab0 <puts@plt>
  400cf0:  48 8d bc 24 c0 00 00     lea    rdi,[rsp+0xc0]
  400cf7:  00
  400cf8:  ba 42 00 00 00           mov    edx,0x42
  400cfd:  be c0 11 40 00           mov    esi,0x4011c0
  400d02:  e8 19 fe ff ff           call   400b20 <_Z8rc4_initP11rc4_state_tPhi@plt>
  400d07:  be 7b 11 40 00           mov    esi,0x40117b
  400d0c:  48 89 e7                 mov    rdi,rsp
  400d0f:  e8 2c fe ff ff           call   400b40 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE6assignEPKc@plt>
  400d14:  48 8d b4 24 c0 00 00     lea    rsi,[rsp+0xc0]
  400d1b:  00
  400d1c:  48 8d 7c 24 60           lea    rdi,[rsp+0x60]
  400d21:  48 89 e2                 mov    rdx,rsp
  400d24:  e8 77 fd ff ff           call   400aa0 <_Z11rc4_decryptP11rc4_state_tRNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE@plt>
  400d29:  48 8d 74 24 60           lea    rsi,[rsp+0x60]
  400d2e:  48 89 e7                 mov    rdi,rsp
  400d31:  e8 fa fd ff ff           call   400b30 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE9_M_assignERKS4_@plt>
  400d36:  48 8b 7c 24 60           mov    rdi,QWORD PTR [rsp+0x60]
  400d3b:  48 8d 44 24 70           lea    rax,[rsp+0x70]
  400d40:  48 39 c7                 cmp    rdi,rax
  400d43:  74 05                    je     400d4a <_Unwind_Resume@plt+0x1aa>
  400d45:  e8 86 fd ff ff           call   400ad0 <_ZdlPv@plt>
  400d4a:  48 8b 3c 24              mov    rdi,QWORD PTR [rsp]
  400d4e:  e8 fd fd ff ff           call   400b50 <getenv@plt>
  400d53:  48 85 c0                 test   rax,rax
  400d56:  48 89 c3                 mov    rbx,rax
  400d59:  0f 84 01 ff ff ff        je     400c60 <_Unwind_Resume@plt+0xc0>
  400d5f:  48 8d 7c 24 20           lea    rdi,[rsp+0x20]
  400d64:  be 83 11 40 00           mov    esi,0x401183
  400d69:  e8 d2 fd ff ff           call   400b40 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE6assignEPKc@plt>
  400d6e:  48 8d 54 24 20           lea    rdx,[rsp+0x20]
  400d73:  48 8d b4 24 c0 00 00     lea    rsi,[rsp+0xc0]
  400d7a:  00
  400d7b:  48 8d bc 24 80 00 00     lea    rdi,[rsp+0x80]
  400d82:  00
  400d83:  e8 18 fd ff ff           call   400aa0 <_Z11rc4_decryptP11rc4_state_tRNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE@plt>
  400d88:  48 8d b4 24 80 00 00     lea    rsi,[rsp+0x80]
  400d8f:  00
  400d90:  48 8d 7c 24 20           lea    rdi,[rsp+0x20]
  400d95:  e8 96 fd ff ff           call   400b30 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE9_M_assignERKS4_@plt>
  400d9a:  48 8b bc 24 80 00 00     mov    rdi,QWORD PTR [rsp+0x80]
  400da1:  00
  400da2:  48 8d 84 24 90 00 00     lea    rax,[rsp+0x90]
  400da9:  00
  400daa:  48 39 c7                 cmp    rdi,rax
  400dad:  74 05                    je     400db4 <_Unwind_Resume@plt+0x214>
  400daf:  e8 1c fd ff ff           call   400ad0 <_ZdlPv@plt>
  400db4:  48 8b 4c 24 20           mov    rcx,QWORD PTR [rsp+0x20]
  400db9:  31 c0                    xor    eax,eax
  400dbb:  0f 1f 44 00 00           nop    DWORD PTR [rax+rax*1+0x0]
  400dc0:  0f b6 14 03              movzx  edx,BYTE PTR [rbx+rax*1]
  400dc4:  84 d2                    test   dl,dl
  400dc6:  74 05                    je     400dcd <_Unwind_Resume@plt+0x22d>
  400dc8:  3a 14 01                 cmp    dl,BYTE PTR [rcx+rax*1]
  400dcb:  74 13                    je     400de0 <_Unwind_Resume@plt+0x240>
  400dcd:  bf af 11 40 00           mov    edi,0x4011af
  400dd2:  e8 d9 fc ff ff           call   400ab0 <puts@plt>
  400dd7:  e9 84 fe ff ff           jmp    400c60 <_Unwind_Resume@plt+0xc0>
  400ddc:  0f 1f 40 00              nop    DWORD PTR [rax+0x0]
  400de0:  48 83 c0 01              add    rax,0x1
  400de4:  48 83 f8 15              cmp    rax,0x15
  400de8:  75 d6                    jne    400dc0 <_Unwind_Resume@plt+0x220>
  400dea:  48 8d 7c 24 40           lea    rdi,[rsp+0x40]
  400def:  be 99 11 40 00           mov    esi,0x401199
  400df4:  e8 47 fd ff ff           call   400b40 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE6assignEPKc@plt>
  400df9:  48 8d 54 24 40           lea    rdx,[rsp+0x40]
  400dfe:  48 8d b4 24 c0 00 00     lea    rsi,[rsp+0xc0]
  400e05:  00
  400e06:  48 8d bc 24 a0 00 00     lea    rdi,[rsp+0xa0]
  400e0d:  00
  400e0e:  e8 8d fc ff ff           call   400aa0 <_Z11rc4_decryptP11rc4_state_tRNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE@plt>
  400e13:  48 8d b4 24 a0 00 00     lea    rsi,[rsp+0xa0]
  400e1a:  00
  400e1b:  48 8d 7c 24 40           lea    rdi,[rsp+0x40]
  400e20:  e8 0b fd ff ff           call   400b30 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE9_M_assignERKS4_@plt>
  400e25:  48 8b bc 24 a0 00 00     mov    rdi,QWORD PTR [rsp+0xa0]
  400e2c:  00
  400e2d:  48 8d 84 24 b0 00 00     lea    rax,[rsp+0xb0]
  400e34:  00
  400e35:  48 39 c7                 cmp    rdi,rax
  400e38:  74 05                    je     400e3f <_Unwind_Resume@plt+0x29f>
  400e3a:  e8 91 fc ff ff           call   400ad0 <_ZdlPv@plt>
  400e3f:  48 8b 7c 24 40           mov    rdi,QWORD PTR [rsp+0x40]
  400e44:  be a1 11 40 00           mov    esi,0x4011a1
  400e49:  e8 a2 fc ff ff           call   400af0 <fopen@plt>
  400e4e:  48 85 c0                 test   rax,rax
  400e51:  48 89 c5                 mov    rbp,rax
  400e54:  0f 84 06 fe ff ff        je     400c60 <_Unwind_Resume@plt+0xc0>
  400e5a:  31 d2                    xor    edx,edx
  400e5c:  be b0 fc 01 00           mov    esi,0x1fcb0
  400e61:  48 89 c7                 mov    rdi,rax
  400e64:  e8 57 fc ff ff           call   400ac0 <fseek@plt>
  400e69:  85 c0                    test   eax,eax
  400e6b:  89 c3                    mov    ebx,eax
  400e6d:  0f 85 ed fd ff ff        jne    400c60 <_Unwind_Resume@plt+0xc0>
  400e73:  48 8d bc 24 d0 01 00     lea    rdi,[rsp+0x1d0]
  400e7a:  00
  400e7b:  48 89 ea                 mov    rdx,rbp
  400e7e:  be 21 00 00 00           mov    esi,0x21
  400e83:  e8 88 fc ff ff           call   400b10 <fgets@plt>
  400e88:  48 85 c0                 test   rax,rax
  400e8b:  0f 84 cf fd ff ff        je     400c60 <_Unwind_Resume@plt+0xc0>
  400e91:  48 89 ef                 mov    rdi,rbp
  400e94:  c6 84 24 f0 01 00 00     mov    BYTE PTR [rsp+0x1f0],0x0
  400e9b:  00
  400e9c:  e8 df fc ff ff           call   400b80 <fclose@plt>
  400ea1:  48 8d 94 24 d0 01 00     lea    rdx,[rsp+0x1d0]
  400ea8:  00
  400ea9:  4c 8d 84 24 c0 01 00     lea    r8,[rsp+0x1c0]
  400eb0:  00
  400eb1:  48 89 d0                 mov    rax,rdx
  400eb4:  48 89 d1                 mov    rcx,rdx
  400eb7:  0f b6 31                 movzx  esi,BYTE PTR [rcx]
  400eba:  0f b6 78 1f              movzx  edi,BYTE PTR [rax+0x1f]
  400ebe:  48 83 e8 01              sub    rax,0x1
  400ec2:  48 83 c1 01              add    rcx,0x1
  400ec6:  40 88 79 ff              mov    BYTE PTR [rcx-0x1],dil
  400eca:  40 88 70 20              mov    BYTE PTR [rax+0x20],sil
  400ece:  49 39 c0                 cmp    r8,rax
  400ed1:  75 e4                    jne    400eb7 <_Unwind_Resume@plt+0x317>
  400ed3:  48 8d b4 24 f0 01 00     lea    rsi,[rsp+0x1f0]
  400eda:  00
  400edb:  eb 0e                    jmp    400eeb <_Unwind_Resume@plt+0x34b>
  400edd:  83 e8 1a                 sub    eax,0x1a
  400ee0:  88 02                    mov    BYTE PTR [rdx],al
  400ee2:  48 83 c2 01              add    rdx,0x1
  400ee6:  48 39 d6                 cmp    rsi,rdx
  400ee9:  74 17                    je     400f02 <_Unwind_Resume@plt+0x362>
  400eeb:  0f be 02                 movsx  eax,BYTE PTR [rdx]
  400eee:  8d 48 9f                 lea    ecx,[rax-0x61]
  400ef1:  80 f9 19                 cmp    cl,0x19
  400ef4:  77 ec                    ja     400ee2 <_Unwind_Resume@plt+0x342>
  400ef6:  83 c0 0d                 add    eax,0xd
  400ef9:  83 f8 7a                 cmp    eax,0x7a
  400efc:  7f df                    jg     400edd <_Unwind_Resume@plt+0x33d>
  400efe:  88 02                    mov    BYTE PTR [rdx],al
  400f00:  eb e0                    jmp    400ee2 <_Unwind_Resume@plt+0x342>
  400f02:  48 8d 94 24 d0 01 00     lea    rdx,[rsp+0x1d0]
  400f09:  00
  400f0a:  be a4 11 40 00           mov    esi,0x4011a4
  400f0f:  bf 01 00 00 00           mov    edi,0x1
  400f14:  31 c0                    xor    eax,eax
  400f16:  e8 c5 fb ff ff           call   400ae0 <__printf_chk@plt>
  400f1b:  e9 45 fd ff ff           jmp    400c65 <_Unwind_Resume@plt+0xc5>
  400f20:  e8 3b fc ff ff           call   400b60 <__stack_chk_fail@plt>
  400f25:  48 8b bc 24 a0 00 00     mov    rdi,QWORD PTR [rsp+0xa0]
  400f2c:  00
  400f2d:  48 8d 94 24 b0 00 00     lea    rdx,[rsp+0xb0]
  400f34:  00
  400f35:  48 89 c3                 mov    rbx,rax
  400f38:  48 39 d7                 cmp    rdi,rdx
  400f3b:  74 05                    je     400f42 <_Unwind_Resume@plt+0x3a2>
  400f3d:  e8 8e fb ff ff           call   400ad0 <_ZdlPv@plt>
  400f42:  48 8b 7c 24 40           mov    rdi,QWORD PTR [rsp+0x40]
  400f47:  48 8d 44 24 50           lea    rax,[rsp+0x50]
  400f4c:  48 39 c7                 cmp    rdi,rax
  400f4f:  74 05                    je     400f56 <_Unwind_Resume@plt+0x3b6>
  400f51:  e8 7a fb ff ff           call   400ad0 <_ZdlPv@plt>
  400f56:  48 8b 7c 24 20           mov    rdi,QWORD PTR [rsp+0x20]
  400f5b:  48 8d 44 24 30           lea    rax,[rsp+0x30]
  400f60:  48 39 c7                 cmp    rdi,rax
  400f63:  74 05                    je     400f6a <_Unwind_Resume@plt+0x3ca>
  400f65:  e8 66 fb ff ff           call   400ad0 <_ZdlPv@plt>
  400f6a:  48 8b 3c 24              mov    rdi,QWORD PTR [rsp]
  400f6e:  48 8d 44 24 10           lea    rax,[rsp+0x10]
  400f73:  48 39 c7                 cmp    rdi,rax
  400f76:  74 05                    je     400f7d <_Unwind_Resume@plt+0x3dd>
  400f78:  e8 53 fb ff ff           call   400ad0 <_ZdlPv@plt>
  400f7d:  48 89 df                 mov    rdi,rbx
  400f80:  e8 1b fc ff ff           call   400ba0 <_Unwind_Resume@plt>
  400f85:  48 89 c3                 mov    rbx,rax
  400f88:  eb b8                    jmp    400f42 <_Unwind_Resume@plt+0x3a2>
  400f8a:  48 8b bc 24 80 00 00     mov    rdi,QWORD PTR [rsp+0x80]
  400f91:  00
  400f92:  48 8d 94 24 90 00 00     lea    rdx,[rsp+0x90]
  400f99:  00
  400f9a:  48 89 c3                 mov    rbx,rax
  400f9d:  48 39 d7                 cmp    rdi,rdx
  400fa0:  75 9b                    jne    400f3d <_Unwind_Resume@plt+0x39d>
  400fa2:  eb 9e                    jmp    400f42 <_Unwind_Resume@plt+0x3a2>
  400fa4:  48 8b 7c 24 60           mov    rdi,QWORD PTR [rsp+0x60]
  400fa9:  48 8d 54 24 70           lea    rdx,[rsp+0x70]
  400fae:  48 89 c3                 mov    rbx,rax
  400fb1:  48 39 d7                 cmp    rdi,rdx
  400fb4:  75 87                    jne    400f3d <_Unwind_Resume@plt+0x39d>
  400fb6:  eb 8a                    jmp    400f42 <_Unwind_Resume@plt+0x3a2>
  400fb8:  0f 1f 84 00 00 00 00     nop    DWORD PTR [rax+rax*1+0x0]
  400fbf:  00
  400fc0:  31 ed                    xor    ebp,ebp
  400fc2:  49 89 d1                 mov    r9,rdx
  400fc5:  5e                       pop    rsi
  400fc6:  48 89 e2                 mov    rdx,rsp
  400fc9:  48 83 e4 f0              and    rsp,0xfffffffffffffff0
  400fcd:  50                       push   rax
  400fce:  54                       push   rsp
  400fcf:  49 c7 c0 30 11 40 00     mov    r8,0x401130
  400fd6:  48 c7 c1 c0 10 40 00     mov    rcx,0x4010c0
  400fdd:  48 c7 c7 c0 0b 40 00     mov    rdi,0x400bc0
  400fe4:  e8 17 fb ff ff           call   400b00 <__libc_start_main@plt>
  400fe9:  f4                       hlt
  400fea:  66 0f 1f 44 00 00        nop    WORD PTR [rax+rax*1+0x0]
  400ff0:  b8 b7 20 60 00           mov    eax,0x6020b7
  400ff5:  55                       push   rbp
  400ff6:  48 2d b0 20 60 00        sub    rax,0x6020b0
  400ffc:  48 83 f8 0e              cmp    rax,0xe
  401000:  48 89 e5                 mov    rbp,rsp
  401003:  76 1b                    jbe    401020 <_Unwind_Resume@plt+0x480>
  401005:  b8 00 00 00 00           mov    eax,0x0
  40100a:  48 85 c0                 test   rax,rax
  40100d:  74 11                    je     401020 <_Unwind_Resume@plt+0x480>
  40100f:  5d                       pop    rbp
  401010:  bf b0 20 60 00           mov    edi,0x6020b0
  401015:  ff e0                    jmp    rax
  401017:  66 0f 1f 84 00 00 00     nop    WORD PTR [rax+rax*1+0x0]
  40101e:  00 00
  401020:  5d                       pop    rbp
  401021:  c3                       ret
  401022:  0f 1f 40 00              nop    DWORD PTR [rax+0x0]
  401026:  66 2e 0f 1f 84 00 00     nop    WORD PTR cs:[rax+rax*1+0x0]
  40102d:  00 00 00
  401030:  be b0 20 60 00           mov    esi,0x6020b0
  401035:  55                       push   rbp
  401036:  48 81 ee b0 20 60 00     sub    rsi,0x6020b0
  40103d:  48 c1 fe 03              sar    rsi,0x3
  401041:  48 89 e5                 mov    rbp,rsp
  401044:  48 89 f0                 mov    rax,rsi
  401047:  48 c1 e8 3f              shr    rax,0x3f
  40104b:  48 01 c6                 add    rsi,rax
  40104e:  48 d1 fe                 sar    rsi,1
  401051:  74 15                    je     401068 <_Unwind_Resume@plt+0x4c8>
  401053:  b8 00 00 00 00           mov    eax,0x0
  401058:  48 85 c0                 test   rax,rax
  40105b:  74 0b                    je     401068 <_Unwind_Resume@plt+0x4c8>
  40105d:  5d                       pop    rbp
  40105e:  bf b0 20 60 00           mov    edi,0x6020b0
  401063:  ff e0                    jmp    rax
  401065:  0f 1f 00                 nop    DWORD PTR [rax]
  401068:  5d                       pop    rbp
  401069:  c3                       ret
  40106a:  66 0f 1f 44 00 00        nop    WORD PTR [rax+rax*1+0x0]
  401070:  80 3d 39 10 20 00 00     cmp    BYTE PTR [rip+0x201039],0x0        # 6020b0 <_edata@@Base>
  401077:  75 11                    jne    40108a <_Unwind_Resume@plt+0x4ea>
  401079:  55                       push   rbp
  40107a:  48 89 e5                 mov    rbp,rsp
  40107d:  e8 6e ff ff ff           call   400ff0 <_Unwind_Resume@plt+0x450>
  401082:  5d                       pop    rbp
  401083:  c6 05 26 10 20 00 01     mov    BYTE PTR [rip+0x201026],0x1        # 6020b0 <_edata@@Base>
  40108a:  f3 c3                    repz ret
  40108c:  0f 1f 40 00              nop    DWORD PTR [rax+0x0]
  401090:  bf f0 1d 60 00           mov    edi,0x601df0
  401095:  48 83 3f 00              cmp    QWORD PTR [rdi],0x0
  401099:
```
75 05 jne 4010a0 <_Unwind_Resume@plt+0x500> 40109b: eb 93 jmp 401030 <_Unwind_Resume@plt+0x490> 40109d: 0f 1f 00 nop DWORD PTR [rax] 4010a0: b8 00 00 00 00 mov eax,0x0 4010a5: 48 85 c0 test rax,rax 4010a8: 74 f1 je 40109b <_Unwind_Resume@plt+0x4fb> 4010aa: 55 push rbp 4010ab: 48 89 e5 mov rbp,rsp 4010ae: ff d0 call rax 4010b0: 5d pop rbp 4010b1: e9 7a ff ff ff jmp 401030 <_Unwind_Resume@plt+0x490> 4010b6: 66 2e 0f 1f 84 00 00 nop WORD PTR cs:[rax+rax*1+0x0] 4010bd: 00 00 00 4010c0: 41 57 push r15 4010c2: 41 56 push r14 4010c4: 41 89 ff mov r15d,edi 4010c7: 41 55 push r13 4010c9: 41 54 push r12 4010cb: 4c 8d 25 0e 0d 20 00 lea r12,[rip+0x200d0e] # 601de0 <_fini@@Base+0x200cac> 4010d2: 55 push rbp 4010d3: 48 8d 2d 0e 0d 20 00 lea rbp,[rip+0x200d0e] # 601de8 <_fini@@Base+0x200cb4> 4010da: 53 push rbx 4010db: 49 89 f6 mov r14,rsi 4010de: 49 89 d5 mov r13,rdx 4010e1: 4c 29 e5 sub rbp,r12 4010e4: 48 83 ec 08 sub rsp,0x8 4010e8: 48 c1 fd 03 sar rbp,0x3 4010ec: e8 77 f9 ff ff call 400a68 <_init@@Base> 4010f1: 48 85 ed test rbp,rbp 4010f4: 74 20 je 401116 <_Unwind_Resume@plt+0x576> 4010f6: 31 db xor ebx,ebx 4010f8: 0f 1f 84 00 00 00 00 nop DWORD PTR [rax+rax*1+0x0] 4010ff: 00 401100: 4c 89 ea mov rdx,r13 401103: 4c 89 f6 mov rsi,r14 401106: 44 89 ff mov edi,r15d 401109: 41 ff 14 dc call QWORD PTR [r12+rbx*8] 40110d: 48 83 c3 01 add rbx,0x1 401111: 48 39 eb cmp rbx,rbp 401114: 75 ea jne 401100 <_Unwind_Resume@plt+0x560> 401116: 48 83 c4 08 add rsp,0x8 40111a: 5b pop rbx 40111b: 5d pop rbp 40111c: 41 5c pop r12 40111e: 41 5d pop r13 401120: 41 5e pop r14 401122: 41 5f pop r15 401124: c3 ret 401125: 90 nop 401126: 66 2e 0f 1f 84 00 00 nop WORD PTR cs:[rax+rax*1+0x0] 40112d: 00 00 00 401130: f3 c3 repz ret Disassembly of section .fini: 0000000000401134 <_fini@@Base>: 401134: 48 83 ec 08 sub rsp,0x8 401138: 48 83 c4 08 add rsp,0x8 40113c: c3 ret binary@binary-VirtualBox:~/code/chapter5$
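The two loops at 0x400eb7 and 0x400eeb in the listing above are what turn the 0x20 bytes read from file offset 0x1fcb0 into the printed flag. The following is an added example, not code from the page or from the book's ctf binary: a Python re-implementation of those loops under our own reading of the disassembly (a 32-byte reversal followed by ROT13 on lowercase letters only); the sample inputs are constructed, and the page's flag value is used only to show that the transform is its own inverse.

```python
# Added example (not code from the page or the book): a Python re-implementation of
# the two loops in the listing above, under our own reading of the disassembly:
#   0x400eb7-0x400ed1  swap buf[i] and buf[0x1f-i] for i in 0..15 (reverse 32 bytes)
#   0x400eeb-0x400f00  for each byte that is 'a'..'z', add 13 and wrap past 'z'
#                      by subtracting 26 (ROT13 on lowercase letters only)
# Sample inputs below are constructed; PAGE_FLAG is the value printed on the page.

BUF_LEN = 0x20  # fgets(buf, 0x21, fp) reads at most 32 bytes; buf[0x20] is then set to 0


def reverse_buffer(buf: bytes) -> bytes:
    """Loop at 0x400eb7: 16 end-to-end swaps, stopping when rax reaches buf-0x10 (r8)."""
    if len(buf) != BUF_LEN:
        raise ValueError("the loop assumes exactly 0x20 bytes")
    b = bytearray(buf)
    for i in range(BUF_LEN // 2):
        b[i], b[BUF_LEN - 1 - i] = b[BUF_LEN - 1 - i], b[i]
    return bytes(b)


def rot13_lower(buf: bytes) -> bytes:
    """Loop at 0x400eeb: 'lea ecx,[rax-0x61]; cmp cl,0x19; ja skip' keeps only 'a'..'z'."""
    out = bytearray()
    for c in buf:
        if (c - 0x61) & 0xFF <= 0x19:   # unsigned compare on cl, i.e. 0x61 <= c <= 0x7a
            c += 0xD                    # add eax,0xd
            if c > 0x7A:                # cmp eax,0x7a / jg -> sub eax,0x1a
                c -= 0x1A
        out.append(c)
    return bytes(out)


def decode_flag(file_bytes: bytes) -> bytes:
    """What ctf does to the bytes read at offset 0x1fcb0 before calling __printf_chk."""
    return rot13_lower(reverse_buffer(file_bytes))


PAGE_FLAG = b"84b34c124b2ba5ca224af8e33b077e9e"  # printed by ./ctf show_me_the_flag on the page


if __name__ == "__main__":
    # Both steps are their own inverse, so decode_flag(PAGE_FLAG) is what the opened
    # file would have to hold at 0x1fcb0 for the page's output, under this reading.
    stored = decode_flag(PAGE_FLAG)
    print(stored.decode())
    assert decode_flag(stored) == PAGE_FLAG
```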

5.9 Dumping a string buffer dynamically with the gdb command

```
(gdb) b *0x400dc8
Breakpoint 1 at 0x400dc8
(gdb) set env GUESSME=foobar
(gdb) run show_me_the_flag
Starting program: /home/binary/code/chapter5/ctf show_me_the_flag
checking 'show_me_the_flag'
ok
(gdb) display/i $pc
1: x/i $pc
=> 0x400dc8:    cmp    (%rcx,%rax,1),%dl
(gdb) info registers rcx
rcx            0x615050    6377552
(gdb) x/s 0x615050
0x615050:       "Crackers Don't Matter"
(gdb)
binary@binary-VirtualBox:~/code/chapter5$ ls
67b8601  ctf  decoded_payload  elf_header  levels.db  lib5ae9b7f.so  oracle  payload
binary@binary-VirtualBox:~/code/chapter5$ GUESSME="Crackers Don't Matter" ./ctf show_me_the_flag
checking 'show_me_the_flag'
ok
flag = 84b34c124b2ba5ca224af8e33b077e9e
```