assembly 反向工程cpp / asm代码的问题(只是为了学习)

yqhsw0fo  于 2022-11-13  发布在  其他
关注(0)|答案(1)|浏览(208)

我正在尝试一些cpp二进制反汇编。我写了这个非常简单的代码:

#include <iostream>

int main() {
    int i=0; int i2=0; 
    for(int i=0; i<1000000; i++) {i2++; std::cout << "\n" << i2;} 
    return 0;
}

然后我用g++编译了它,代码如下:

g++ .cpp -o .cpp.bin

我接着又跑了一句:

objdump -d .cpp.bin

以下是我提取的内容:

;1lim.cpp.bin:     file format elf64-x86-64
;Disassembly of section .init:
_init:
endbr64 
sub    $0x8,%rsp
mov    0x2fd9(%rip),%rax        
test   %rax,%rax
je     1016 <_init+0x16>
call   *%rax
add    $0x8,%rsp
ret    

;Disassembly of section .plt:
.plt:
push   0x2f7a(%rip)       
bnd jmp *0x2f7b(%rip)        
nopl   (%rax)
endbr64 
push   $0x0
bnd jmp 1020 <_init+0x20>
nop
endbr64 
push   $0x1
bnd jmp 1020 <_init+0x20>
nop
endbr64 
push   $0x2
bnd jmp 1020 <_init+0x20>
nop
endbr64 
push   $0x3
bnd jmp 1020 <_init+0x20>
nop

;Disassembly of section .plt.got:
__cxa_finalize@plt:
endbr64 
bnd jmp *0x2f55(%rip)        
nopl   0x0(%rax,%rax,1)

;Disassembly of section .plt.sec:
__cxa_atexit@plt:
endbr64 
bnd jmp *0x2f25(%rip)        
nopl   0x0(%rax,%rax,1)

_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc@plt:
endbr64 
bnd jmp *0x2f1d(%rip)        
nopl   0x0(%rax,%rax,1)

_ZNSt8ios_base4InitC1Ev@plt:
endbr64 
bnd jmp *0x2f15(%rip)        
nopl   0x0(%rax,%rax,1)

_ZNSolsEi@plt:
endbr64 
bnd jmp *0x2f0d(%rip)        
nopl   0x0(%rax,%rax,1)

;Disassembly of section .text:
_start:
endbr64 
xor    %ebp,%ebp
mov    %rdx,%r9
pop    %rsi
mov    %rsp,%rdx
and    $0xfffffffffffffff0,%rsp
push   %rax
push   %rsp
xor    %r8d,%r8d
xor    %ecx,%ecx
lea    0xca(%rip),%rdi       
call   *0x2ef3(%rip)        
hlt    
cs nopw 0x0(%rax,%rax,1) 

deregister_tm_clones:
lea    0x2f19(%rip),%rdi        
lea    0x2f12(%rip),%rax        
cmp    %rdi,%rax
je     1118 <deregister_tm_clones+0x28>
mov    0x2ed6(%rip),%rax        
test   %rax,%rax
je     1118 <deregister_tm_clones+0x28>
jmp    *%rax
nopl   0x0(%rax)
ret    
nopl   0x0(%rax)

register_tm_clones:
lea    0x2ee9(%rip),%rdi        
lea    0x2ee2(%rip),%rsi        
sub    %rdi,%rsi
mov    %rsi,%rax
shr    $0x3f,%rsi
sar    $0x3,%rax
add    %rax,%rsi
sar    %rsi
je     1158 <register_tm_clones+0x38>
mov    0x2ea5(%rip),%rax        
test   %rax,%rax
je     1158 <register_tm_clones+0x38>
jmp    *%rax
nopw   0x0(%rax,%rax,1)
ret    
nopl   0x0(%rax)

__do_global_dtors_aux:
endbr64 
cmpb   $0x0,0x2fe5(%rip)        
jne    1198 <__do_global_dtors_aux+0x38>
push   %rbp
cmpq   $0x0,0x2e5a(%rip)        
mov    %rsp,%rbp
je     1187 <__do_global_dtors_aux+0x27>
mov    0x2e86(%rip),%rdi        
call   1070 <__cxa_finalize@plt>
call   10f0 <deregister_tm_clones>
movb   $0x1,0x2fbd(%rip)        
pop    %rbp
ret    
nopl   (%rax)
ret    
nopl   0x0(%rax)

frame_dummy:
endbr64 
jmp    1120 <register_tm_clones>

main:
endbr64 
push   %rbp
mov    %rsp,%rbp
sub    $0x10,%rsp
movl   $0x0,-0x4(%rbp)
movl   $0x0,-0xc(%rbp)
movl   $0x0,-0x8(%rbp)
jmp    11fd <main+0x54>
addl   $0x1,-0xc(%rbp)
lea    0xe2d(%rip),%rax        
mov    %rax,%rsi
lea    0x2e5f(%rip),%rax       
mov    %rax,%rdi
call   1090 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc@plt>
mov    %rax,%rdx
mov    -0xc(%rbp),%eax
mov    %eax,%esi
mov    %rdx,%rdi
call   10b0 <_ZNSolsEi@plt>
addl   $0x1,-0x8(%rbp)
cmpl   $0xf423f,-0x8(%rbp)
jle    11cc <main+0x23>
mov    $0x0,%eax
leave  
ret    

_Z41__static_initialization_and_destruction_0ii:
endbr64 
push   %rbp
mov    %rsp,%rbp
sub    $0x10,%rsp
mov    %edi,-0x4(%rbp)
mov    %esi,-0x8(%rbp)
cmpl   $0x1,-0x4(%rbp)
jne    1260 <_Z41__static_initialization_and_destruction_0ii+0x53>
cmpl   $0xffff,-0x8(%rbp)
jne    1260 <_Z41__static_initialization_and_destruction_0ii+0x53>
lea    0x2f1c(%rip),%rax        
mov    %rax,%rdi
call   10a0 <_ZNSt8ios_base4InitC1Ev@plt>
lea    0x2dc4(%rip),%rax        
mov    %rax,%rdx
lea    0x2f03(%rip),%rax        
mov    %rax,%rsi
mov    0x2da0(%rip),%rax        
mov    %rax,%rdi
call   1080 <__cxa_atexit@plt>
nop
leave  
ret    

_GLOBAL__sub_I_main:
endbr64 
push   %rbp
mov    %rsp,%rbp
mov    $0xffff,%esi
mov    $0x1,%edi
call   120d <_Z41__static_initialization_and_destruction_0ii>
pop    %rbp
ret    

;Disassembly of section .fini:
_fini:
endbr64 
sub    $0x8,%rsp
add    $0x8,%rsp
ret

我现在试着用下面的话来解释它:

nasm -f elf64 .asm

我怎么可能修复汇编代码,以便尝试用NASM编译它(它已经是我从objdump中得到的一个巧妙修改的版本)

62lalag4

62lalag41#

我对这个问题的答案是这样的:不运行前面加引号的命令,而是使用以下命令:

gcc -S .cpp

这将产生以下代码:

.file   "1lim.cpp"
    .text
    .local  _ZStL8__ioinit
    .comm   _ZStL8__ioinit,1,1
    .section    .rodata
.LC0:
    .string "\n"
    .text
    .globl  main
    .type   main, @function
main:
.LFB1731:
    .cfi_startproc
    endbr64
    pushq   %rbp
    .cfi_def_cfa_offset 16
    .cfi_offset 6, -16
    movq    %rsp, %rbp
    .cfi_def_cfa_register 6
    subq    $16, %rsp
    movl    $0, -4(%rbp)
    movl    $0, -12(%rbp)
    movl    $0, -8(%rbp)
    jmp .L2
.L3:
    addl    $1, -12(%rbp)
    leaq    .LC0(%rip), %rax
    movq    %rax, %rsi
    leaq    _ZSt4cout(%rip), %rax
    movq    %rax, %rdi
    call    _ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc@PLT
    movq    %rax, %rdx
    movl    -12(%rbp), %eax
    movl    %eax, %esi
    movq    %rdx, %rdi
    call    _ZNSolsEi@PLT
    addl    $1, -8(%rbp)
.L2:
    cmpl    $999999, -8(%rbp)
    jle .L3
    movl    $0, %eax
    leave
    .cfi_def_cfa 7, 8
    ret
    .cfi_endproc
.LFE1731:
    .size   main, .-main
    .type   _Z41__static_initialization_and_destruction_0ii, @function
_Z41__static_initialization_and_destruction_0ii:
.LFB2229:
    .cfi_startproc
    endbr64
    pushq   %rbp
    .cfi_def_cfa_offset 16
    .cfi_offset 6, -16
    movq    %rsp, %rbp
    .cfi_def_cfa_register 6
    subq    $16, %rsp
    movl    %edi, -4(%rbp)
    movl    %esi, -8(%rbp)
    cmpl    $1, -4(%rbp)
    jne .L7
    cmpl    $65535, -8(%rbp)
    jne .L7
    leaq    _ZStL8__ioinit(%rip), %rax
    movq    %rax, %rdi
    call    _ZNSt8ios_base4InitC1Ev@PLT
    leaq    __dso_handle(%rip), %rax
    movq    %rax, %rdx
    leaq    _ZStL8__ioinit(%rip), %rax
    movq    %rax, %rsi
    movq    _ZNSt8ios_base4InitD1Ev@GOTPCREL(%rip), %rax
    movq    %rax, %rdi
    call    __cxa_atexit@PLT
.L7:
    nop
    leave
    .cfi_def_cfa 7, 8
    ret
    .cfi_endproc
.LFE2229:
    .size   _Z41__static_initialization_and_destruction_0ii, .-_Z41__static_initialization_and_destruction_0ii
    .type   _GLOBAL__sub_I_main, @function
_GLOBAL__sub_I_main:
.LFB2230:
    .cfi_startproc
    endbr64
    pushq   %rbp
    .cfi_def_cfa_offset 16
    .cfi_offset 6, -16
    movq    %rsp, %rbp
    .cfi_def_cfa_register 6
    movl    $65535, %esi
    movl    $1, %edi
    call    _Z41__static_initialization_and_destruction_0ii
    popq    %rbp
    .cfi_def_cfa 7, 8
    ret
    .cfi_endproc
.LFE2230:
    .size   _GLOBAL__sub_I_main, .-_GLOBAL__sub_I_main
    .section    .init_array,"aw"
    .align 8
    .quad   _GLOBAL__sub_I_main
    .hidden __dso_handle
    .ident  "GCC: (Ubuntu 11.2.0-19ubuntu1) 11.2.0"
    .section    .note.GNU-stack,"",@progbits
    .section    .note.gnu.property,"a"
    .align 8
    .long   1f - 0f
    .long   4f - 1f
    .long   5
0:
    .string "GNU"
1:
    .align 8
    .long   0xc0000002
    .long   3f - 2f
2:
    .long   0x3
3:
    .align 8
4:

要编译它,只需执行以下操作:

g++ .s -o .s.bin

然后运行它,这只是一个问题

./.s.bin

现在我的问题是:我如何对可执行文件或二进制文件做同样的事情?
显然,答案在于使用一个叫做objconv的二进制文件,它代表以正确的方式将c++二进制文件转换成汇编代码。显然,它可以安装在任何使用anaconda packge和环境管理器的操作系统上
"干杯"

相关问题