去掉符号后的程序,逆向时如何找到main,如下:
/*
* intel(64) main address
*/
1.用 readelf -h 找到 Entry point address(程序入口地址);若是 PIE 程序,readelf 给出的只是文件内偏移,需加上 gdb 中的加载基址才是下面 x/20i 所用的运行时地址
(gdb) x/20i 0x555555555080
0x555555555080: endbr64
0x555555555084: xor %ebp,%ebp
0x555555555086: mov %rdx,%r9
0x555555555089: pop %rsi
0x55555555508a: mov %rsp,%rdx
0x55555555508d: and $0xfffffffffffffff0,%rsp
0x555555555091: push %rax
0x555555555092: push %rsp
0x555555555093: lea 0x9e6(%rip),%r8 # 0x555555555a80
0x55555555509a: lea 0x96f(%rip),%rcx # 0x555555555a10
=> 0x5555555550a1: lea 0x910(%rip),%rdi # 0x5555555559b8
0x5555555550a8: callq *0x2f32(%rip) # 0x555555557fe0
0x5555555550ae: hlt
0x5555555550af: nop
0x5555555550b0: lea 0x2f59(%rip),%rdi # 0x555555558010
0x5555555550b7: lea 0x2f52(%rip),%rax # 0x555555558010
0x5555555550be: cmp %rdi,%rax
0x5555555550c1: je 0x5555555550d8
0x5555555550c3: mov 0x2f0e(%rip),%rax # 0x555555557fd8
0x5555555550ca: test %rax,%rax
2.x86-64 的 lea 是 rip 相对寻址:rip 取的是下一条指令的地址,再加上 lea 指令中的常数,即得到装入 %rdi 的值;%rdi 是第一个参数,也就是传给 __libc_start_main 的 main(这里的 callq *0x2f32(%rip) 通常就是经 GOT 调用 __libc_start_main)
0x5555555550a8 + 0x910 = 0x5555555559b8 // main address
/*
* intel(32) main address
*/
1.用 readelf -h 找到 Entry point address(程序入口地址)
(gdb) x/20i 0x80483c0
80483c0: 31 ed xor %ebp,%ebp
80483c2: 5e pop %esi
80483c3: 89 e1 mov %esp,%ecx
80483c5: 83 e4 f0 and $0xfffffff0,%esp
80483c8: 50 push %eax
80483c9: 54 push %esp
80483ca: 52 push %edx
80483cb: 68 20 8b 04 08 push $0x8048b20
80483d0: 68 b0 8a 04 08 push $0x8048ab0
80483d5: 51 push %ecx
80483d6: 56 push %esi
80483d7: 68 77 8a 04 08 push $0x8048a77
80483dc: e8 cf ff ff ff call 80483b0 <__libc_start_main@plt>
80483e1: f4 hlt
80483e2: 66 90 xchg %ax,%ax
80483e4: 66 90 xchg %ax,%ax
80483e6: 66 90 xchg %ax,%ax
80483e8: 66 90 xchg %ax,%ax
80483ea: 66 90 xchg %ax,%ax
80483ec: 66 90 xchg %ax,%ax
80483ee: 66 90 xchg %ax,%ax
2.找到 call __libc_start_main@plt 之前的最后一个 push 行:32 位下参数从右到左压栈,最后压入的就是第一个参数 main
80483d7: 68 77 8a 04 08 push $0x8048a77 // main address
/*
* arm(64) main address
*/
1.用 readelf -h 找到 Entry point address(程序入口地址)
(gdb) x/20i 0x400500
400500: d280001d mov x29, #0x0 // #0
400504: d280001e mov x30, #0x0 // #0
400508: aa0003e5 mov x5, x0
40050c: f94003e1 ldr x1, [sp]
400510: 910023e2 add x2, sp, #0x8
400514: 910003e6 mov x6, sp
400518: 580000c0 ldr x0, 400530 <printf@plt+0x40>
40051c: 580000e3 ldr x3, 400538 <printf@plt+0x48>
400520: 58000104 ldr x4, 400540 <printf@plt+0x50>
400524: 97ffffe7 bl 4004c0 <__libc_start_main@plt>
400528: 97ffffee bl 4004e0 <abort@plt>
40052c: 00000000 .inst 0x00000000 ; undefined
400530: 00400c48 .inst 0x00400c48; undefined
400534: 00000000 .inst 0x00000000 ; undefined
400538: 00400c80 .inst 0x00400c80 ; undefined
40053c: 00000000 .inst 0x00000000 ; undefined
400540: 00400d00 .inst 0x00400d00 ; undefined
400544: 00000000 .inst 0x00000000 ; undefined
2.找到 ldr x0, 400530 所引用的那一行,即第二条数据定义行(x0 是 __libc_start_main 的第一个参数,也就是 main)
400530: 00400c48 .word 0x00400c48 // main address
/*
* arm(32) main address
*/
arm 32bit 的程序 strip 后,汇编指令完全是另一番景象:虽然地址与没有 strip 之前能对上,但指令已经面目全非。strip 并不会改动代码字节,这很可能是因为标记 ARM/Thumb 模式的映射符号($a/$t)被一并去掉了,反汇编器猜错了指令模式,可以尝试用 gdb 的 set arm fallback-mode / set arm force-mode 指定模式后再看。看来碰到这种程序需要逆向的时候,找个 main 都很难。