[英]Trying to understand example char_array2.c from “the art of exploitation”
OK so I am really trying to understand what's going on this example of "The art of exploitation" second edition. 好的,所以我真的想了解这个“剥削艺术”第二版的例子。 I am trying to see exactly what is going on with the example by closely following the output of GDB on the book.
我试图通过密切关注本书中GDB的输出来确切了解该示例的内容。 My greatest problem with this is the last part, I included the whole thing so that everyone can see what's going on.
我最大的问题是最后一部分,我把整个事情都包括在内,这样每个人都可以看到发生了什么。 Granted I only have very(very) basic knowledge of assembly code.
当然,我只有非常(非常)基本的汇编代码知识。 I do understand basic C. In the last part the author says that there is a minor difference in the second run of the program from the last one in the address that strcpy() points to and I just can't see it.
我确实理解基本的C.在最后一部分中,作者说第二次运行程序与strcpy()指向的地址中的最后一次运行存在细微的差别,我只是看不到它。
The program is simply 该计划很简单
#include<stdio.h>
#include<string.h>
int main() {
char str_a[20];
strcpy(str_a, "Hello, world!\n");
printf(str_a);
}
After I compile it with the necessary options to be able to debug it I load it on GDB and include the following: 在我使用必要的选项编译它以便能够调试它之后,我将它加载到GDB上并包含以下内容:
(gdb) break 6
Breakpoint 1 at 0x80483c4: file char_array2.c, line 6.
(gdb) break strcpy
Function "strcpy" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 2 (strcpy) pending.
(gdb) break 8
Breakpoint 3 at 0x80483d7: file char_array2.c, line 8.
(gdb)
I have no problem with this, it is to my understanding that the debugger can only do this sort of things with user defined functions. 我对此没有任何问题,我的理解是调试器只能使用用户定义的函数来执行此类操作。 I also know how to go around this problem with gcc options.
我也知道如何使用gcc选项来解决这个问题。 I also know that when the program runs the strcpy breakpoint is resolved.
我也知道,当程序运行时,strcpy断点得到解决。 Let me continue.
让我继续
(gdb) run
Starting program: /home/reader/booksrc/char_array2
Breakpoint 4 at 0xb7f076f4
Pending breakpoint "strcpy" resolved
Breakpoint 1, main() at char_array2.c:7
7 strcpy(str_a, "Hello, world!\n");
(gdb) i r eip
eip 0x80483c4 0x80483c4 <main+16>
(gdb) x/5i $eip
0x80483c4 <main+16>: mov DWORD PTR [esp+4],0x80484c4
0x80483cc <main+24>: lea eax,[ebp-40]
0x80483cf <main+27>: mov DWORD PTR [esp],eax
0x80483d2 <main+30>: call 0x80482c4 <strcpy@plt>
0x80483d7 <main+35>: lea eax,[ebp-40]
(gdb) continue
Continuing.
Breakpoint 4, 0xb7f076f4 in strcpy () from /lib/tls/i686/cmov/libc.so.6
(gdb) i r eip
eip 0xb7f076f4 0xb7f076f4 <strcpy+4>
(gdb) x/5i $eip
0xb7f076f4 <strcpy+4>: mov esi,DWORD PTR [ebp+8]
0xb7f076f7 <strcpy+7>: mov eax,DWORD PTR [ebp+12]
0xb7f076fa <strcpy+10>: mov ecx,esi
0xb7f076fc <strcpy+12>: sub ecx,eax
0xb7f076fe <strcpy+14>: mov edx,eax
(gdb) continue
Continuing.
Breakpoint 3, main () at char_array2.c:8
8
printf(str_a);
(gdb) i r eip
eip 0x80483d7 0x80483d7 <main+35>
(gdb) x/5i $eip
0x80483d7 <main+35>: lea eax,[ebp-40]
0x80483da <main+38>: mov DWORD PTR [esp],eax
0x80483dd <main+41>: call 0x80482d4 <printf@plt>
0x80483e2 <main+46>: leave
0x80483e3 <main+47>: ret
(gdb)
This is the second run of the program in which supposedly the address to strcpy is different from the other address. 这是程序的第二次运行,其中strcpy的地址与另一地址不同。
(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/reader/booksrc/char_array2
Error in re-setting breakpoint 4:
Function "strcpy" not defined.
Breakpoint 1, main () at char_array2.c:7
7
strcpy(str_a, "Hello, world!\n");
(gdb) bt
#0 main () at char_array2.c:7
(gdb) cont
Continuing.
Breakpoint 4, 0xb7f076f4 in strcpy () from /lib/tls/i686/cmov/libc.so.6
(gdb) bt
#0 0xb7f076f4 in strcpy () from /lib/tls/i686/cmov/libc.so.6
#1 0x080483d7 in main () at char_array2.c:7
(gdb) cont
Continuing.
Breakpoint 3, main () at char_array2.c:8
8
printf(str_a);
(gdb) bt
#0 main () at char_array2.c:8
(gdb)
Where is the difference? 区别在哪里? am I wrong for thinking that 0xb7f076f4 is the address of strcpy?
我错误地认为0xb7f076f4是strcpy的地址吗? On the second run if I am correct everything indicates that the address is 0xb7f076f4.
在第二次运行,如果我是正确的,一切都表明地址是0xb7f076f4。
Also, what is ? 还有,是什么? I can't find the explanation for this anywhere earlier in the book.
我在本书前面的任何地方都找不到解释。 If someone could be kind enough to explain this from the top down to me I would appreciate it so much being that I don't know any expert in real life that could help me.
如果有人能够从上到下向我解释这一点,我将非常感激,因为我不知道现实生活中的任何专家可以帮助我。 I find the explanations to be vague, he explains variables and loops like if he was explaining it to a 5 year old, but leaves much of the assembly code for us to figure out by ourselves, I have not been very successful at this.
我发现解释是模糊的,他解释变量和循环,就像他向5岁时解释它一样,但留下了大部分汇编代码让我们自己弄明白,我在这方面并不是很成功。 Any help would be greatly appreciated.
任何帮助将不胜感激。
Apparently gdb
turns off ASLR for the debugged process to make (session-to-session) debugging easier. 显然
gdb
关闭了调试进程的ASLR ,使(会话到会话)调试更容易。
From https://sourceware.org/gdb/current/onlinedocs/gdb/Starting.html 来自https://sourceware.org/gdb/current/onlinedocs/gdb/Starting.html
set disable-randomization
set disable-randomization on
This option (enabled by default in GDB) will turn off the native
randomization of the virtual address space of the started program.
This option is useful for multiple debugging sessions to make the
execution better reproducible and memory addresses reusable across
debugging sessions.
Set set disable-randomization off
in gdb
or in a .gdbinit
file and try it again. 在
gdb
或.gdbinit
文件中设置set disable-randomization off
并再次尝试。 Libc should now get loaded at a different address each time you run the binary. 现在,每次运行二进制文件时,Libc都应该加载到不同的地址。
Running watch -n 1 cat /proc/self/maps
also is nice to see how the binary and the libraries are mapped at 'random' addresses. 运行
watch -n 1 cat /proc/self/maps
也很高兴看到二进制文件和库如何映射到“随机”地址。
As @Voo said in his comment above, the book probably refers to ASLR (Address Space Layout Randomization) which is a security feature. 正如@Voo在上面的评论中所说,这本书可能是指ASLR(地址空间布局随机化),这是一个安全功能。 It changes how the address space is used for each execution so you can't rely on finding things always in the same place.
它改变了地址空间用于每次执行的方式,因此您不能总是在同一个地方查找内容。
If you don't see it in gdb
that means you have ASLR turned off. 如果你没有在
gdb
中看到它意味着你关闭了ASLR。 Either globally or locally in gdb
. 全局或本地
gdb
。 You can check the former using cat /proc/sys/kernel/randomize_va_space
and the latter using show disable-randomization
command at the gdb
prompt. 您可以使用
cat /proc/sys/kernel/randomize_va_space
检查前者,后者使用show disable-randomization
命令在gdb
提示符下检查。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.