use OBJDUMP+VIM+XXD to disassemble and modify instructions under Linux
2012-08-27 23:23:46| Category: Linux-related | Report | Font size Subscription
It took me one weeks to get the assembly into the door (well, I don't know anything about it), and recently I started to have a little interest in the Assembly, so I wanted to try the disassembly feeling and try to modify the instructions myself.
It is said that after the disassembly of a program to modify the method is to open the program in 16-binary way, and then through some tools to find the relevant location and then use the relevant tools to calculate the offset and so on, and then make the changes, but I have never done disassembly, the assembly is smattering, so it is not so professional, As for the ability to directly use the assembly mnemonic modification I do not know, it is estimated that there should be such a tool, but I did not search, so only try to lower the hexadecimal under the assembly instructions in the form of 16 to modify, if there is such a modification method I hope you can tell me, thank you
Disassembly in Linux we can use the GDB debugger can also use objdump this tool, of course, there are other tools, but here I will not say, and then open the file in hexadecimal we can use XXD, We make a hex-mode change to the file by calling Xxd inside the vim, and of course there are other hex editors, and I'm not going to say it, because I'm also playing, after all, I'm still learning Win32 API (my real egg hurts), so let's start with a simple program.
Let's look at this program first, it's simple, a main function, and a jmp function, normally it's impossible to invoke the JMP function after compiling the link, but all we have to do is disassemble and modify the instructions. Let the program jump to the first address of our JMP function after executing the printf function in the main function to execute the JMP function
Without the use of some special shady means, the effect of the program after the operation is like this
Then we open the executable program file in binary form, VIM can use the-B option to open the file in binary form
Vim-b jmp
You can see it this way, and then we use XXD to compile the file in hexadecimal mode as in
:%!xxd
% represents our current file,! Indicates that we are going to execute an external command (program)
Now we disassemble the program.
Objdump-s-M Intel jmp
After the disassembly of the content is more, we need to see the main function and the JMP function is enough
Now we can see that the main function after the call of the printf function return (from this can be seen to call puts), the next step of the instructions are MOV eax,0x0, we should first look at the disassembly of the program and related parameters it
-S This can actually use-D, so the disassembly will show the address, hexadecimal instructions, and there is the corresponding assembly code-M Intel that we are in the Intel syntax disassembly, Linux under the default assembly syntax format is at and T, this I am not used to (in fact, I do not), All right, let's go ahead and talk.
We just said that after the main function call after the printf function returned the next instruction is to register EAX assigned 0 value, specifically what role does not study, we only say that we are concerned about the problem, that is the jump problem, we want the program to jump to the address of the JMP function, so we have to modify this command
Now let's stop and say our instructions, we're going to jump to jmp, and the corresponding assembly instructions should look something like this.
JMP short jmp behind that JMP is not a assembly instruction, is a function name, of course, is a C language is a valid tag, but in assembly language we do not set the label to this, this instruction after the assembly compiler compiled should be similar to this
JMP 80483C4
The 80483C4 here is the address of 0X080483C4, the JMP function.
So we already know what our instructions are, but how do we say it in hexadecimal?
I'm telling you, this directive should be written like this.
E9 D2 FF FF FF
E9 is a jump to the machine code hexadecimal representation of JMP (this should be a jump in the paragraph, and the outside jump should be ff), the back of the D2 FF FF FF represents the offset, how is this calculated? Okay, first, I'm going to tell you how I know. The machine code hexadecimal representation of the jump in paragraph is why it is E9, It's really simple ... You're not going to write a jmp command yourself and then disassemble it (I'm particularly evil--), okay, here's the problem with offsets.
First from the disassembly of the results we can see that we should jump upward, so the jump is a negative offset value, and the computer internal representation of the symbolic number of the method is to use the complement, the highest bit represents the sign bit, 1 for negative, 0 for positive, the positive complement is the number itself, negative and complementary to the highest position 1, After the other bits are reversed and add 1, we can calculate how much we want to jump up from the results in the disassembly.
This program is used to calculate the jump offset, where a means we want to modify the first address of the instruction and the memory of the instruction itself, B set to the address we want to jump to, so we can calculate the offset, and then we know that we are jumping upward, so to get the complement, here we subtract the number is a positive, The highest bit is 0 so we directly to the number of counter plus 1, so the highest bit is 1, the other bit inversion plus 1, just get negative complement form
After the calculation, we get the result that 0xd2ffffff
Remember the order in which the data is stored in memory Oh, so our final code is E9 D2 FF FF FF
This is our use of XXD open after the 16 binary form, we open the command we want to modify, how to find you should be able to see it, using Vim's own search function, very simple, and then we can be modified to replace our E9 D2 FF FF FF the rear B8 00 00 00 00 ( This is still a good replacement, although I am here to replace and then back up the previous instructions, but this is because our program has a large number of NOP instructions, so it can be overwritten, but if not, then if we add directly inside it will lead to a mess of the program, this everyone can personally experience the next
Once the modification is complete, we
:%!xxd-r
The other commands are the same as before, the-R parameter indicates that we go back to the previous layer after the modification, that is, we have just opened the executable file in binary form of the situation, of course, it is now modified by our program, of course, do not forget to save, do not save is blind busy
Now let's run the program again and see how it works.
Ha, look, we did it. After executing the first printf function of the main function, we jump the process of the program to the JMP function, and we let the program change the original execution path by dark means.
Now let's disassemble this file that has been modified by us, and we can see that the instruction after we call the printf function in the main function is just a jump instruction, and we can see the address that we want to jump to after it.
All right, here it's all over, if you have time to torture and study you can try to change it to other instructions to achieve different purposes, even to do some damage, crack something
Transferred from: http://blog.163.com/lixiangqiu_9202/blog/static/535750372012727102618226/
Linux-Disassembly (to be perfected) (turn)
