1094.html (HTML, from the document pack of the well-known Linux hero site)
(gdb) break *0x804ea96
Breakpoint 2 at 0x804ea96
(gdb) c
Continuing.

Breakpoint 2, 0x804ea96 in _start ()
(gdb) info reg eax
eax            0x8083dd0        134757840
(gdb) x/s 0x8083dd0
0x8083dd0:       "I007"

It looks like "I007" is stored at 0x8083dd0, and that address is itself saved at 0x806e584.

(gdb) ni
....

By the time the third call to fl_get_input returns to 0x804eabb, we know where the entered information lives:

Field           Value           Address
Name            "I007"          0x8083dd0
Order number    "B123456789"    0x809e850
Key             "87654321"      0x809e880

The disassembly below carries some annotations describing the state of things when execution reaches that point; I won't step through it with ni one instruction at a time.
(gdb) disass 0x804eabb 0x804ffff
Dump of assembler code from 0x804eabb to 0x804ffff:
0x804eabb <_start+17575>:       movl   %eax,%ebx (eax: 0x809e880->"87654321")

0x804eabd <_start+17577>:       movl   %ebp,%edx (ebp: 0x809e850->"B123456789")
0x804eabf <_start+17579>:       movl   %ebp,%eax
0x804eac1 <_start+17581>:       addl   $0x18,%esp
0x804eac4 <_start+17584>:       andl   $0x3,%edx
0x804eac7 <_start+17587>:       je     0x804eadf <_start+17611> --
0x804eac9 <_start+17589>:       jp     0x804eada <_start+17606>  |
0x804eacb <_start+17591>:       cmpl   $0x2,%edx                 |
0x804eace <_start+17594>:       je     0x804ead5 <_start+17601>  |
0x804ead0 <_start+17596>:       cmpb   %dh,(%eax)                |
0x804ead2 <_start+17598>:       je     0x804eb05 <_start+17649>  |
0x804ead4 <_start+17600>:       incl   %eax                      |
0x804ead5 <_start+17601>:       cmpb   %dh,(%eax)                |
0x804ead7 <_start+17603>:       je     0x804eb05 <_start+17649>  |
0x804ead9 <_start+17605>:       incl   %eax                      |
0x804eada <_start+17606>:       cmpb   %dh,(%eax)                |
0x804eadc <_start+17608>:       je     0x804eb05 <_start+17649>  |
0x804eade <_start+17610>:       incl   %eax                      |
                                                                 |
The following checks whether the Order number is 10 characters long: |
0x804eadf <_start+17611>:       movl   (%eax),%edx             <-
0x804eae1 <_start+17613>:       testb  %dh,%dl
0x804eae3 <_start+17615>:       jne    0x804eaed <_start+17625>
0x804eae5 <_start+17617>:       testb  %dl,%dl
0x804eae7 <_start+17619>:       je     0x804eb05 <_start+17649>
0x804eae9 <_start+17621>:       testb  %dh,%dh
0x804eaeb <_start+17623>:       je     0x804eb04 <_start+17648>
0x804eaed <_start+17625>:       testl  $0xff0000,%edx
0x804eaf3 <_start+17631>:       je     0x804eb03 <_start+17647>
0x804eaf5 <_start+17633>:       addl   $0x4,%eax
0x804eaf8 <_start+17636>:       testl  $0xff000000,%edx
0x804eafe <_start+17642>:       jne    0x804eadf <_start+17611>
0x804eb00 <_start+17644>:       subl   $0x3,%eax
0x804eb03 <_start+17647>:       incl   %eax
0x804eb04 <_start+17648>:       incl   %eax
0x804eb05 <_start+17649>:       subl   %ebp,%eax
0x804eb07 <_start+17651>:       cmpl   $0xa,%eax
0x804eb0a <_start+17654>:       jne    0x804ebe6 <_start+17874>

The following checks whether the Key is 8 characters long:
0x804eb10 <_start+17660>:       movl   %ebx,%edx
0x804eb12 <_start+17662>:       movl   %ebx,%eax
0x804eb14 <_start+17664>:       andl   $0x3,%edx
0x804eb17 <_start+17667>:       je     0x804eb2f <_start+17691> -
0x804eb19 <_start+17669>:       jp     0x804eb2a <_start+17686>  |
0x804eb1b <_start+17671>:       cmpl   $0x2,%edx                 |
0x804eb1e <_start+17674>:       je     0x804eb25 <_start+17681>  |
0x804eb20 <_start+17676>:       cmpb   %dh,(%eax)                |
0x804eb22 <_start+17678>:       je     0x804eb55 <_start+17729>  |
0x804eb24 <_start+17680>:       incl   %eax                      |
0x804eb25 <_start+17681>:       cmpb   %dh,(%eax)                |
0x804eb27 <_start+17683>:       je     0x804eb55 <_start+17729>  |
0x804eb29 <_start+17685>:       incl   %eax                      |
0x804eb2a <_start+17686>:       cmpb   %dh,(%eax)                |
0x804eb2c <_start+17688>:       je     0x804eb55 <_start+17729>  |
0x804eb2e <_start+17690>:       incl   %eax                      |
0x804eb2f <_start+17691>:       movl   (%eax),%edx             <-
0x804eb31 <_start+17693>:       testb  %dh,%dl
0x804eb33 <_start+17695>:       jne    0x804eb3d <_start+17705>
0x804eb35 <_start+17697>:       testb  %dl,%dl
0x804eb37 <_start+17699>:       je     0x804eb55 <_start+17729>
0x804eb39 <_start+17701>:       testb  %dh,%dh
0x804eb3b <_start+17703>:       je     0x804eb54 <_start+17728>
0x804eb3d <_start+17705>:       testl  $0xff0000,%edx
0x804eb43 <_start+17711>:       je     0x804eb53 <_start+17727>
0x804eb45 <_start+17713>:       addl   $0x4,%eax
0x804eb48 <_start+17716>:       testl  $0xff000000,%edx
0x804eb4e <_start+17722>:       jne    0x804eb2f <_start+17691>
0x804eb50 <_start+17724>:       subl   $0x3,%eax
0x804eb53 <_start+17727>:       incl   %eax
0x804eb54 <_start+17728>:       incl   %eax
0x804eb55 <_start+17729>:       subl   %ebx,%eax
0x804eb57 <_start+17731>:       cmpl   $0x8,%eax
0x804eb5a <_start+17734>:       jne    0x804ebe6 <_start+17874>
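The two length checks above are a compiler-inlined, word-at-a-time strlen followed by a compare against 10 and 8. As an added example (not code from the original tutorial or from the program being analysed), here is the same algorithm written out in C with constructed sample inputs taken from the table, so the alignment prologue and the byte tests can be read in source form; the function names inlined_strlen and lengths_ok are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* C rendering of the loop at 0x804eabd-0x804eb07 (and its twin for the Key
 * at 0x804eb10-0x804eb57): align the pointer one byte at a time, then scan
 * a 32-bit word at a time, mirroring each test in the listing. */
static size_t inlined_strlen(const char *s)
{
    const char *p = s;
    /* Prologue: andl $0x3,%edx dispatches on p & 3 so that 0..3 bytes are
     * checked individually (cmpb %dh,(%eax)) until p is 4-byte aligned. */
    while (((uintptr_t)p & 3) != 0) {
        if (*p == '\0')
            return (size_t)(p - s);
        p++;
    }
    for (;;) {
        uint32_t w;
        memcpy(&w, p, 4);                        /* movl (%eax),%edx */
        uint8_t b0 = (uint8_t)w, b1 = (uint8_t)(w >> 8);
        if ((b0 & b1) == 0) {                    /* testb %dh,%dl; jne */
            if (b0 == 0) return (size_t)(p - s);       /* testb %dl,%dl */
            if (b1 == 0) return (size_t)(p - s + 1);   /* testb %dh,%dh */
        }
        if ((w & 0x00ff0000u) == 0)              /* testl $0xff0000,%edx */
            return (size_t)(p - s + 2);          /* je -> incl; incl */
        p += 4;                                  /* addl $0x4,%eax */
        if ((w & 0xff000000u) == 0)              /* testl $0xff000000,%edx */
            return (size_t)(p - s - 1);          /* subl $0x3; incl; incl */
    }
}

/* The comparisons at 0x804eb07 (cmpl $0xa) and 0x804eb57 (cmpl $0x8): any
 * other Order number or Key length jumps to the error path at 0x804ebe6. */
static int lengths_ok(const char *order, const char *key)
{
    return inlined_strlen(order) == 10 && inlined_strlen(key) == 8;
}
/* Constructed sample inputs (values from the table above), padded to 16
 * bytes so the aligned 4-byte reads never leave the buffer. */
static const char order_ok[16]  = "B123456789";
static const char key_ok[16]    = "87654321";
static const char order_bad[16] = "B12345678";

int main(void)
{
    printf("ok=%d short_order=%d\n", lengths_ok(order_ok, key_ok), lengths_ok(order_bad, key_ok));
    return 0;
}
```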

Check whether the Order number is "I000000000":
0x804eb60 <_start+17740>:       movl   %ebp,%esi   (ebp: 0x809e850->"B123456789")
0x804eb62 <_start+17742>:       movl   $0x805b9a6,%edi (0x805b9a6->"I000000000")
0x804eb67 <_start+17747>:       movl   $0xb,%ecx
0x804eb6c <_start+17752>:       cld
0x804eb6d <_start+17753>:       xorl   %eax,%eax
0x804eb6f <_start+17755>:       repz cmpsb %ds:(%esi),%es:(%edi)
0x804eb71 <_start+17757>:       je     0x804eb77 <_start+17763>

0x804eb73 <_start+17759>:       sbbl   %eax,%eax
0x804eb75 <_start+17761>:       orb    $0x1,%al
0x804eb77 <_start+17763>:       testl  %eax,%eax
0x804eb79 <_start+17765>:       jne    0x804ebd1 <_start+17853> -
...                                                              |
...                                                              |
0x804ebd1 <_start+17853>:       pushl  %eax  (eax: 0xffffffff)  <-
0x804ebd2 <_start+17854>:       pushl  $0x806e9ac (0x806e9ac: 0x00000000)
0x804ebd7 <_start+17859>:       pushl  %ebx (ebx: 0x809e880->"87654321")
0x804ebd8 <_start+17860>:       pushl  %ebp (ebp: 0x809e850->"B123456789")
0x804ebd9 <_start+17861>:       call   0x8055978 <whereError+11004>
                                ^____ this looks suspicious

0x804ebde <_start+17866>:       movl   %eax,0x806e574
0x804ebe3 <_start+17871>:       addl   $0x10,%esp
0x804ebe6 <_start+17874>:       movl   0x806e574,%edx
0x804ebec <_start+17880>:       testl  %edx,%edx
0x804ebee <_start+17882>:       je     0x804ec62 <_start+17998>
...
0x804ec62 <_start+17998>:       movl   0x806e9d4,%eax
0x804ec67 <_start+18003>:       pushl  %eax
0x804ec68 <_start+18004>:       movl   (%eax),%edx
0x804ec6a <_start+18006>:       pushl  %edx
0x804ec6b <_start+18007>:       call   0x804a474 <fl_hide_form>
0x804ec70 <_start+18012>:       pushl  $0x1
0x804ec72 <_start+18014>:       pushl  $0x8059017
0x804ec77 <_start+18019>:       pushl  $0x805ba6c (0x805ba6c->"Check registration information and try  again")
0x804ec7c <_start+18024>:       pushl  $0x805ba99 (0x805ba99->"Incorrect registration information!")
0x804ec81 <_start+18029>:       call   0x804a790 <_start+380> (the alert box appears)
.......

Up to the point where the "incorrect registration information" alert appears, only one function call looks suspicious:
0x804ebd9       call   0x8055978 <whereError+11004>
and once it returns there is a compare-and-branch on its result, so let's trace into it and take a look.
(gdb) break *0x8055978
Breakpoint 3 at 0x8055978
(gdb) c
Continuing.

Breakpoint 3, 0x8055978 in whereError ()
(gdb) disass 0x8055978 0x805ffff
Dump of assembler code from 0x8055978 to 0x805ffff:
0x8055978 <whereError+11004>:   subl   $0x8,%esp
0x805597b <whereError+11007>:   pushl  %ebp
0x805597c <whereError+11008>:   pushl  %edi
0x805597d <whereError+11009>:   pushl  %esi
