
ELF binary # readelf -a foo.out ELF Header:

2 ELF binary
# readelf -a foo.out
ELF Header:
  Magic: 7f 45 4c
  Class: ELF32
  Data: 's complement, little endian
  Version: (current)
  OS/ABI: UNIX - System V
  ABI Version:
  Type: EXEC (Executable file)
  Machine: Intel 80386
  Version: x1
  Entry point address: x
  Start of program headers: (bytes into file)
  Start of section headers: (bytes into file)
  Flags: x0
  Size of this header: (bytes)
  Size of program headers: (bytes)
  Number of program headers:
  Size of section headers: (bytes)
  Number of section headers:
  Section header string table index: 29

Dynamic section at offset 0xbfc contains 28 entries:
  Tag  Type      Name/Value
  0x   (NEEDED)  Shared library: [libstdc++.so.6]
  0x   (NEEDED)  Shared library: [libm.so.6]
  0x   (NEEDED)  Shared library: [libgcc_s.so.1]
  0x   (NEEDED)  Shared library: [libc.so.6]

Symbol table '.dynsym' contains 18 entries:
  Num:  Value  Size  Type    Bind    Vis      Ndx  Name
  0:                 NOTYPE  LOCAL   DEFAULT  UND
  1:                 FUNC    GLOBAL  DEFAULT  UND  (2)
  2:                 FUNC    GLOBAL  DEFAULT  UND  (3)
  3:                 NOTYPE  WEAK    DEFAULT  UND  __gmon_start__
  4:                 NOTYPE  WEAK    DEFAULT  UND  _Jv_RegisterClasses
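As an added example (not from the slides), a small C reader for the ELF32 header fields that readelf prints at the top of the listing above. It refuses anything that is not a little-endian ELF32 header and checks the buffer length before any field read; sample_ehdr is a constructed 52-byte header, not a real file.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* The ELF32 header fields that readelf reports first. */
struct elf32_summary {
    int      little_endian;  /* EI_DATA == ELFDATA2LSB */
    uint16_t e_type;         /* 2 == EXEC (Executable file) */
    uint16_t e_machine;      /* 3 == Intel 80386 */
    uint32_t e_entry;        /* entry point address */
    uint32_t e_phoff;        /* start of program headers (bytes into file) */
    uint32_t e_shoff;        /* start of section headers (bytes into file) */
    uint16_t e_phnum;        /* number of program headers */
    uint16_t e_shnum;        /* number of section headers */
    uint16_t e_shstrndx;     /* section header string table index */
};

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 0 and fills *out for a little-endian ELF32 header; returns -1 when the
 * buffer is shorter than the 52-byte header, the magic 7f 45 4c 46 is missing,
 * EI_CLASS is not ELFCLASS32 (1) or EI_DATA is not ELFDATA2LSB (1). All field
 * reads happen after the length check, so a truncated file never reads past buf. */
int parse_elf32_header(const unsigned char *buf, size_t len, struct elf32_summary *out)
{
    memset(out, 0, sizeof *out);
    if (len < 52 || memcmp(buf, "\x7f" "ELF", 4) != 0) return -1;
    if (buf[4] != 1 || buf[5] != 1) return -1;   /* EI_CLASS, EI_DATA */
    out->little_endian = 1;
    out->e_type     = rd16(buf + 16);
    out->e_machine  = rd16(buf + 18);
    out->e_entry    = rd32(buf + 24);
    out->e_phoff    = rd32(buf + 28);
    out->e_shoff    = rd32(buf + 32);
    out->e_phnum    = rd16(buf + 44);
    out->e_shnum    = rd16(buf + 48);
    out->e_shstrndx = rd16(buf + 50);
    return 0;
}

/* Constructed header (not a real file): ELF32, little endian, EXEC, Intel 80386,
 * entry 0x08048320, phoff 52, shoff 0x0bfc, 8 phdrs, 30 shdrs, shstrndx 29. */
const unsigned char sample_ehdr[52] = {
    0x7f, 'E', 'L', 'F', 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0,   /* e_ident */
    2, 0,  3, 0,  1, 0, 0, 0,                                   /* e_type, e_machine, e_version */
    0x20, 0x83, 0x04, 0x08,  52, 0, 0, 0,  0xfc, 0x0b, 0, 0,    /* e_entry, e_phoff, e_shoff */
    0, 0, 0, 0,  52, 0,  32, 0,  8, 0,  40, 0,  30, 0,  29, 0   /* e_flags .. e_shstrndx */
};
```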

3 Print Me
echo "set disassembly-flavor intel" > ~/.gdbinit

(gdb) disassemble /rm main
Dump of assembler code for function main(int, char**):
int main(int argc, char *argv[]) {
   0x080483e4 <+0>:                   push ebp
   0x080483e5 <+1>:   e5              mov ebp,esp
   0x080483e7 <+3>:   e4 f            and esp,0xfffffff0
   0x080483ea <+6>:   ec              sub esp,0x10
printf(argv[1]);
   0x080483ed <+9>:   8b 45 0c        mov eax,DWORD PTR [ebp+0xc]
   0x080483f0 <+12>:  c               add eax,0x4
   0x080483f3 <+15>:  8b              mov eax,DWORD PTR [eax]
   0x080483f5 <+17>:                  mov DWORD PTR [esp],eax
   0x080483f8 <+20>:  e8 03 ff ff ff  call 0x
   0x080483fd <+25>:  b               mov eax,0x0
}
   0x <+30>:          c               leave
   0x <+31>:          c               ret
End of assembler dump.

iostream -> cstdio, more properly

4 Hello World! - assembly
; from Hacking: The Art of Exploitation by Jon Erickson
BITS 32
call mark_below                   ; instructions below
db "Hello, world!", 0x0a, 0x0d    ; add newline/cr to end
mark_below:
pop ecx                           ; pop the return address into ecx
                                  ;; this should be the string ptr
mov eax, 4                        ; write system call #4 (write)
mov ebx, 1                        ; STDOUT file descriptor
mov edx, 15                       ; the length of the string
int 0x80                          ; do syscall: write(1,string,15)
;; exit properly
mov eax, 1                        ; syscall #1 (exit)
mov ebx, 0                        ; status result = 0
int 0x80                          ; do syscall: exit(0)

5 Hello World! - assembly
$ ndisasm -b 32 hello

; from Hacking: The Art of Exploitation by Jon Erickson
BITS 32
call mark_below                   ; instructions below
db "Hello, world!", 0x0a, 0x0d    ; add newline
mark_below:
pop ecx                           ; pop the return … ecx
                                  ;; this should be the string ptr
mov eax, 4                        ; write system call #4 (write)
mov ebx, 1                        ; STDOUT file descriptor
mov edx, 15                       ; the length of the string
int 0x80                          ; do syscall: write(1,string,15?)
;; exit properly
mov eax, 1                        ; syscall #1 (exit)
mov ebx, 0                        ; status result = 0
int 0x80                          ; do syscall: exit(0)

$ ndisasm -b 32 hello
E80F      call dword 0x14
          dec eax
C         gs insb
C         insb
F         outsd
A 2C      sub al,0x20
C 776F    ja 0x7d
E 726C    jc 0x7c
A         and [fs:edx],ecx
D59B      or eax,0x4b859
          add [eax],al
A BB      mov ebx,0x1
F BA0F    mov edx,0xf
CD        int 0x80
B         mov eax,0x1
B BB      mov ebx,0x0
CD        int 0x80

6 Reversing

7 Frame setup, arithmetic, if comparison, continue if not <
(gdb) disassemble /m main
Dump of assembler code for function main():
4       int main() {
   0x c <+0>:         push ebp                        ; frame setup
   0x d <+1>:         mov ebp,esp
   0x f <+3>:         sub esp,0x10
5       int count;
6
7       y=y+3;                                        ; arithmetic
   0x <+6>:           mov eax,ds:0x
   0x <+11>:          add eax,0x3
   0x a <+14>:        mov ds:0x ,eax
8       x=x+y;
   0x f <+19>:        mov edx,DWORD PTR ds:0x
   0x080484a5 <+25>:  mov eax,ds:0x
   0x080484aa <+30>:  add eax,edx
   0x080484ac <+32>:  mov ds:0x ,eax
9       if (x<y)                                      ; if comparison
   0x080484b1 <+37>:  mov edx,DWORD PTR ds:0x
   0x080484b7 <+43>:  mov eax,ds:0x
   0x080484bc <+48>:  cmp edx,eax
   0x080484be <+50>:  jge 0x80484ca <main()+62>       ; continue if not <
10      x=1;
   0x080484c0 <+52>:  mov DWORD PTR ds:0x ,0x1

8 Loops; global variable - memory, local variable - stack
11
12      for (count=1; count<10; count++)
   0x080484ca <+62>:  mov DWORD PTR [ebp-0x4],0x1     // count=1 (local variable - stack)
   0x080484d1 <+69>:  jmp 0x80484e4 <main()+88>
   0x080484e0 <+84>:  add DWORD PTR [ebp-0x4],0x1     // count++
   0x080484e4 <+88>:  cmp DWORD PTR [ebp-0x4],0x9     // compare count to 9
   0x080484e8 <+92>:  setle al                        // al=1 if count<=9
   0x080484eb <+95>:  test al,al                      // al & al (set flags)
   0x080484ed <+97>:  jne 0x80484d3 <main()+71>
13      x++;
   0x080484d3 <+71>:  mov eax,ds:0x                   // global variable - memory
   0x080484d8 <+76>:  add eax,0x1
   0x080484db <+79>:  mov ds:0x ,eax
14      }
   0x080484ef <+99>:  mov eax,0x0
   0x080484f4 <+104>: leave

