0x00 objdump 是 Linux（GNU binutils）下用于查看和反汇编目标文件或可执行文件的命令。下面的示例均针对同一个 32 位 ELF 程序 level。
0x01 objdump -f 显示文件头信息（文件格式、架构、标志位和入口地址）。下例中 flags 含 EXEC_P 而不是 DYNAMIC，且各节地址均为 0x0804xxxx 固定值，说明 level 是非 PIE 的可执行文件：程序映像本身不受 ASLR 影响，后文用 -d/-h 得到的地址在运行时保持不变（libc、栈等映射的地址仍可能随机化）。
$ objdump -f level
level:
file format elf32-i386
architecture: i386, flags 0x00000112:
EXEC_P, HAS_SYMS, D_PAGED
start address 0x08048350
0x02 objdump -d 只反汇编含可执行指令的 section（本例为 .init、.plt、.text、.fini）。默认输出为 AT&T 语法（源操作数在前），加 -M intel 可切换为 Intel 语法。
$ objdump -d level
level:
file format elf32-i386
Disassembly of section .init:

080482d4 <_init>:
80482d4: 53 push %ebx
80482d5: 83 ec 08 sub $0x8,%esp
80482d8: e8 a3 00 00 00 call 8048380 <__x86.get_pc_thunk.bx>
80482dd: 81 c3 23 1d 00 00 add $0x1d23,%ebx
80482e3: 8b 83 fc ff ff ff mov -0x4(%ebx),%eax
80482e9: 85 c0 test %eax,%eax
80482eb: 74 05 je 80482f2 <_init+0x1e>
80482ed: e8 3e 00 00 00 call 8048330 <__gmon_start__@plt>
80482f2: 83 c4 08 add $0x8,%esp
80482f5: 5b pop %ebx
80482f6: c3 ret

Disassembly of section .plt:

08048300 <read@plt-0x10>:
8048300: ff 35 04 a0 04 08 pushl 0x804a004
8048306: ff 25 08 a0 04 08 jmp *0x804a008
804830c: 00 00 add %al,(%eax)
...

08048310 <read@plt>:
8048310: ff 25 0c a0 04 08 jmp *0x804a00c
8048316: 68 00 00 00 00 push $0x0
804831b: e9 e0 ff ff ff jmp 8048300 <_init+0x2c>

08048320 <system@plt>:
8048320: ff 25 10 a0 04 08 jmp *0x804a010
8048326: 68 08 00 00 00 push $0x8
804832b: e9 d0 ff ff ff jmp 8048300 <_init+0x2c>

08048330 <__gmon_start__@plt>:
8048330: ff 25 14 a0 04 08 jmp *0x804a014
8048336: 68 10 00 00 00 push $0x10
804833b: e9 c0 ff ff ff jmp 8048300 <_init+0x2c>

08048340 <__libc_start_main@plt>:
8048340: ff 25 18 a0 04 08 jmp *0x804a018
8048346: 68 18 00 00 00 push $0x18
804834b: e9 b0 ff ff ff jmp 8048300 <_init+0x2c>

Disassembly of section .text:

08048350 <_start>:
8048350: 31 ed xor %ebp,%ebp
8048352: 5e pop %esi
8048353: 89 e1 mov %esp,%ecx
8048355: 83 e4 f0 and $0xfffffff0,%esp
8048358: 50 push %eax
8048359: 54 push %esp
804835a: 52 push %edx
804835b: 68 20 85 04 08 push $0x8048520
8048360: 68 c0 84 04 08 push $0x80484c0
8048365: 51 push %ecx
8048366: 56 push %esi
8048367: 68 80 84 04 08 push $0x8048480
804836c: e8 cf ff ff ff call 8048340 <__libc_start_main@plt>
8048371: f4 hlt
8048372: 66 90 xchg %ax,%ax
8048374: 66 90 xchg %ax,%ax
8048376: 66 90 xchg %ax,%ax
8048378: 66 90 xchg %ax,%ax
804837a: 66 90 xchg %ax,%ax
804837c: 66 90 xchg %ax,%ax
804837e: 66 90 xchg %ax,%ax

08048380 <__x86.get_pc_thunk.bx>:
8048380: 8b 1c 24 mov (%esp),%ebx
8048383: c3 ret
8048384: 66 90 xchg %ax,%ax
8048386: 66 90 xchg %ax,%ax
8048388: 66 90 xchg %ax,%ax
804838a: 66 90 xchg %ax,%ax
804838c: 66 90 xchg %ax,%ax
804838e: 66 90 xchg %ax,%ax

08048390 <deregister_tm_clones>:
8048390: b8 2f a0 04 08 mov $0x804a02f,%eax
8048395: 2d 2c a0 04 08 sub $0x804a02c,%eax
804839a: 83 f8 06 cmp $0x6,%eax
804839d: 76 1a jbe 80483b9 <deregister_tm_clones+0x29>
804839f: b8 00 00 00 00 mov $0x0,%eax
80483a4: 85 c0 test %eax,%eax
80483a6: 74 11 je 80483b9 <deregister_tm_clones+0x29>
80483a8: 55 push %ebp
80483a9: 89 e5 mov %esp,%ebp
80483ab: 83 ec 14 sub $0x14,%esp
80483ae: 68 2c a0 04 08 push $0x804a02c
80483b3: ff d0 call *%eax
80483b5: 83 c4 10 add $0x10,%esp
80483b8: c9 leave
80483b9: f3 c3 repz ret
80483bb: 90 nop
80483bc: 8d 74 26 00 lea 0x0(%esi,%eiz,1),%esi

080483c0 <register_tm_clones>:
80483c0: b8 2c a0 04 08 mov $0x804a02c,%eax
80483c5: 2d 2c a0 04 08 sub $0x804a02c,%eax
80483ca: c1 f8 02 sar $0x2,%eax
80483cd: 89 c2 mov %eax,%edx
80483cf: c1 ea 1f shr $0x1f,%edx
80483d2: 01 d0 add %edx,%eax
80483d4: d1 f8 sar %eax
80483d6: 74 1b je 80483f3 <register_tm_clones+0x33>
80483d8: ba 00 00 00 00 mov $0x0,%edx
80483dd: 85 d2 test %edx,%edx
80483df: 74 12 je 80483f3 <register_tm_clones+0x33>
80483e1: 55 push %ebp
80483e2: 89 e5 mov %esp,%ebp
80483e4: 83 ec 10 sub $0x10,%esp
80483e7: 50 push %eax
80483e8: 68 2c a0 04 08 push $0x804a02c
80483ed: ff d2 call *%edx
80483ef: 83 c4 10 add $0x10,%esp
80483f2: c9 leave
80483f3: f3 c3 repz ret
80483f5: 8d 74 26 00 lea 0x0(%esi,%eiz,1),%esi
80483f9: 8d bc 27 00 00 00 00 lea 0x0(%edi,%eiz,1),%edi

08048400 <__do_global_dtors_aux>:
8048400: 80 3d 2c a0 04 08 00 cmpb $0x0,0x804a02c
8048407: 75 13 jne 804841c <__do_global_dtors_aux+0x1c>
8048409: 55 push %ebp
804840a: 89 e5 mov %esp,%ebp
804840c: 83 ec 08 sub $0x8,%esp
804840f: e8 7c ff ff ff call 8048390 <deregister_tm_clones>
8048414: c6 05 2c a0 04 08 01 movb $0x1,0x804a02c
804841b: c9 leave
804841c: f3 c3 repz ret
804841e: 66 90 xchg %ax,%ax

08048420 <frame_dummy>:
8048420: b8 10 9f 04 08 mov $0x8049f10,%eax
8048425: 8b 10 mov (%eax),%edx
8048427: 85 d2 test %edx,%edx
8048429: 75 05 jne 8048430 <frame_dummy+0x10>
804842b: eb 93 jmp 80483c0 <register_tm_clones>
804842d: 8d 76 00 lea 0x0(%esi),%esi
8048430: ba 00 00 00 00 mov $0x0,%edx
8048435: 85 d2 test %edx,%edx
8048437: 74 f2 je 804842b <frame_dummy+0xb>
8048439: 55 push %ebp
804843a: 89 e5 mov %esp,%ebp
804843c: 83 ec 14 sub $0x14,%esp
804843f: 50 push %eax
8048440: ff d2 call *%edx
8048442: 83 c4 10 add $0x10,%esp
8048445: c9 leave
8048446: e9 75 ff ff ff jmp 80483c0 <register_tm_clones>

0804844b <vulnerable_function>:
804844b: 55 push %ebp
804844c: 89 e5 mov %esp,%ebp
804844e: 81 ec 88 00 00 00 sub $0x88,%esp
8048454: 83 ec 0c sub $0xc,%esp
8048457: 68 40 85 04 08 push $0x8048540
804845c: e8 bf fe ff ff call 8048320 <system@plt>
8048461: 83 c4 10 add $0x10,%esp
8048464: 83 ec 04 sub $0x4,%esp
8048467: 68 00 01 00 00 push $0x100
804846c: 8d 85 78 ff ff ff lea -0x88(%ebp),%eax
8048472: 50 push %eax
8048473: 6a 00 push $0x0
8048475: e8 96 fe ff ff call 8048310 <read@plt>
804847a: 83 c4 10 add $0x10,%esp
804847d: 90 nop
804847e: c9 leave
804847f: c3 ret

08048480 <main>:
8048480: 8d 4c 24 04 lea 0x4(%esp),%ecx
8048484: 83 e4 f0 and $0xfffffff0,%esp
8048487: ff 71 fc pushl -0x4(%ecx)
804848a: 55 push %ebp
804848b: 89 e5 mov %esp,%ebp
804848d: 51 push %ecx
804848e: 83 ec 04 sub $0x4,%esp
8048491: e8 b5 ff ff ff call 804844b <vulnerable_function>
8048496: 83 ec 0c sub $0xc,%esp
8048499: 68 4c 85 04 08 push $0x804854c
804849e: e8 7d fe ff ff call 8048320 <system@plt>
80484a3: 83 c4 10 add $0x10,%esp
80484a6: b8 00 00 00 00 mov $0x0,%eax
80484ab: 8b 4d fc mov -0x4(%ebp),%ecx
80484ae: c9 leave
80484af: 8d 61 fc lea -0x4(%ecx),%esp
80484b2: c3 ret
80484b3: 66 90 xchg %ax,%ax
80484b5: 66 90 xchg %ax,%ax
80484b7: 66 90 xchg %ax,%ax
80484b9: 66 90 xchg %ax,%ax
80484bb: 66 90 xchg %ax,%ax
80484bd: 66 90 xchg %ax,%ax
80484bf: 90 nop

080484c0 <__libc_csu_init>:
80484c0: 55 push %ebp
80484c1: 57 push %edi
80484c2: 31 ff xor %edi,%edi
80484c4: 56 push %esi
80484c5: 53 push %ebx
80484c6: e8 b5 fe ff ff call 8048380 <__x86.get_pc_thunk.bx>
80484cb: 81 c3 35 1b 00 00 add $0x1b35,%ebx
80484d1: 83 ec 0c sub $0xc,%esp
80484d4: 8b 6c 24 20 mov 0x20(%esp),%ebp
80484d8: 8d b3 0c ff ff ff lea -0xf4(%ebx),%esi
80484de: e8 f1 fd ff ff call 80482d4 <_init>
80484e3: 8d 83 08 ff ff ff lea -0xf8(%ebx),%eax
80484e9: 29 c6 sub %eax,%esi
80484eb: c1 fe 02 sar $0x2,%esi
80484ee: 85 f6 test %esi,%esi
80484f0: 74 23 je 8048515 <__libc_csu_init+0x55>
80484f2: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
80484f8: 83 ec 04 sub $0x4,%esp
80484fb: ff 74 24 2c pushl 0x2c(%esp)
80484ff: ff 74 24 2c pushl 0x2c(%esp)
8048503: 55 push %ebp
8048504: ff 94 bb 08 ff ff ff call *-0xf8(%ebx,%edi,4)
804850b: 83 c7 01 add $0x1,%edi
804850e: 83 c4 10 add $0x10,%esp
8048511: 39 f7 cmp %esi,%edi
8048513: 75 e3 jne 80484f8 <__libc_csu_init+0x38>
8048515: 83 c4 0c add $0xc,%esp
8048518: 5b pop %ebx
8048519: 5e pop %esi
804851a: 5f pop %edi
804851b: 5d pop %ebp
804851c: c3 ret
804851d: 8d 76 00 lea 0x0(%esi),%esi

08048520 <__libc_csu_fini>:
8048520: f3 c3 repz ret

Disassembly of section .fini:

08048524 <_fini>:
8048524: 53 push %ebx
8048525: 83 ec 08 sub $0x8,%esp
8048528: e8 53 fe ff ff call 8048380 <__x86.get_pc_thunk.bx>
804852d: 81 c3 d3 1a 00 00 add $0x1ad3,%ebx
8048533: 83 c4 08 add $0x8,%esp
8048536: 5b pop %ebx
8048537: c3 ret
0x03 objdump -D 与 -d 类似，但会把所有 section（包括 .rodata、.data 等数据节）都按指令解码。数据节里解码出的"指令"没有执行意义，查看数据节内容应改用 -s。
0x04 objdump -h 显示 Section Header：各节的大小、VMA/LMA、文件偏移、对齐和属性。注意属性列只区分 CODE/DATA 以及是否 READONLY，并不是运行时页面的 RWX 权限；要确认某段运行时是否可写或可执行（NX、RELRO 等），需要结合 readelf -l 的程序头或 checksec 之类工具查看。
$ objdump -h level
Sections:
Idx Name Size VMA LMA File off Algn
0 .interp 00000013 08048154 08048154 00000154 2**0
CONTENTS, ALLOC, LOAD, READONLY, DATA
1 .note.ABI-tag 00000020 08048168 08048168 00000168 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
2 .note.gnu.build-id 00000024 08048188 08048188 00000188 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
3 .gnu.hash 00000020 080481ac 080481ac 000001ac 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
4 .dynsym 00000060 080481cc 080481cc 000001cc 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
5 .dynstr 00000051 0804822c 0804822c 0000022c 2**0
CONTENTS, ALLOC, LOAD, READONLY, DATA
6 .gnu.version 0000000c 0804827e 0804827e 0000027e 2**1
CONTENTS, ALLOC, LOAD, READONLY, DATA
7 .gnu.version_r 00000020 0804828c 0804828c 0000028c 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
8 .rel.dyn 00000008 080482ac 080482ac 000002ac 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
9 .rel.plt 00000020 080482b4 080482b4 000002b4 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
10 .init 00000023 080482d4 080482d4 000002d4 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
11 .plt 00000050 08048300 08048300 00000300 2**4
CONTENTS, ALLOC, LOAD, READONLY, CODE
12 .text 000001d2 08048350 08048350 00000350 2**4
CONTENTS, ALLOC, LOAD, READONLY, CODE
13 .fini 00000014 08048524 08048524 00000524 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
14 .rodata 00000028 08048538 08048538 00000538 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
15 .eh_frame_hdr 00000034 08048560 08048560 00000560 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
16 .eh_frame 000000ec 08048594 08048594 00000594 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
17 .init_array 00000004 08049f08 08049f08 00000f08 2**2
CONTENTS, ALLOC, LOAD, DATA
18 .fini_array 00000004 08049f0c 08049f0c 00000f0c 2**2
CONTENTS, ALLOC, LOAD, DATA
19 .jcr 00000004 08049f10 08049f10 00000f10 2**2
CONTENTS, ALLOC, LOAD, DATA
20 .dynamic 000000e8 08049f14 08049f14 00000f14 2**2
CONTENTS, ALLOC, LOAD, DATA
21 .got 00000004 08049ffc 08049ffc 00000ffc 2**2
CONTENTS, ALLOC, LOAD, DATA
22 .got.plt 0000001c 0804a000 0804a000 00001000 2**2
CONTENTS, ALLOC, LOAD, DATA
23 .data 00000010 0804a01c 0804a01c 0000101c 2**2
CONTENTS, ALLOC, LOAD, DATA
24 .bss 00000004 0804a02c 0804a02c 0000102c 2**0
ALLOC
25 .comment 00000052 00000000 00000000 0000102c 2**0
CONTENTS, READONLY
0x05 objdump -x 显示全部头信息：文件头、程序头、动态段、节头、符号表和重定位表等。
0x06 objdump -s 以十六进制加 ASCII 的形式转储各 section 的完整内容（不是头信息）。可用 -j 限定节，例如 objdump -s -j .rodata level 可以看到上面两处 call system@plt 前压入的参数 0x8048540、0x804854c 所指向的字符串——它们都落在 .rodata（0x08048538 起，大小 0x28）范围内。
0x07 CTF PWN 中主要用到：-d 查看函数逻辑、PLT 表项（如本例的 system@plt 0x08048320、read@plt 0x08048310）以及简单的 gadget；但 -d 是按指令边界线性解码的，找不到从指令中间字节开始的非对齐 gadget，系统地搜索 gadget 应使用 ROPgadget、ropper 之类工具。-h 用于确定 .bss、.data 等可写段的地址（本例 .bss 位于 0x0804a02c，仅 4 字节，其所在的可写页通常到页末都能使用，具体以程序头为准），以及 .got.plt（0x0804a000）的位置；.got.plt 是否可被覆写取决于 RELRO 设置，-h 输出里看不出来，需用 readelf -d 或 checksec 确认。本例的 vulnerable_function 调用 read(0, buf, 0x100)，而 buf 位于 ebp-0x88 的栈缓冲区，允许读入的长度大于缓冲区大小，是典型的栈缓冲区溢出，可以覆盖保存的 ebp 和返回地址。
.