After exploring the distribution of the class member variables, locate a coredump example to practice one:
(gdb) bt#0 0x0804863c in xuzhina_dump_c06_s2_ex::p rint () () #1 0x08048713 in Main ()
Take a look at XUZHINA_DUMP_C06_S2_EX: A compilation of the:p rint:
(GDB) Disassemble 0x0804863c Dump of assembler code for function _zn22xuzhina_dump_c06_s2_ex5printev: 0x08048610 <+0>: Push%ebp 0x08048611 <+1>: mov%esp,%ebp 0x08048613 <+3>: Sub $ 0x28,%esp 0x08048616 <+6>: Movl $0x0,-0xc (%EBP) 0x0804861d <+13>: jmp 0x804869b <_zn22xuzhina_ Dump_c06_s2_ex5printev+139> 0x0804861f <+15>: mov 0x8 (%EBP),%eax 0x08048622 <+18>: Movzwl (%ea x),%eax 0x08048625 <+21>: Cwtl 0x08048626 <+22>: Test%eax,%eax 0x08048628 <+24>: je 0x8048631 <_ZN22xuzhina_dump_c06_s2_ex5printEv+33> 0x0804862a <+26>: CMP $0x1,%eax 0x0804862d & Lt;+29>: je 0x8048654 <_ZN22xuzhina_dump_c06_s2_ex5printEv+68> 0x0804862f <+31>: jmp 0x8048676 <_ZN22xuzhina_dump_c06_s2_ex5printEv+102> 0x08048631 <+33>: mov 0x8 (%EBP),%eax 0x08048634 <+36> ;: mov 0x14 (%eax),%edx 0x08048637 <+39>: mov-0xc (%EBP),%eax 0x0804863a <+42>: Add%edx,%eax=> 0x0804863c < ; +44>: Movzbl (%eax),%eax 0x0804863f <+47>: MOVSBL%al,%eax 0x08048642 <+50>: mov%eax,0x4 ( %ESP) 0x08048646 <+54>: Movl $0x80487c4, (%ESP) 0x0804864d <+61>: Call 0x80484a0 <[email Protected]> 0x08048652 <+66>: jmp 0x8048697 <_ZN22xuzhina_dump_c06_s2_ex5printEv+135> 0x08048654 < ; +68>: mov 0x8 (%EBP),%eax 0x08048657 <+71>: mov 0x14 (%eax),%eax 0x0804865a <+74>: mov -0XC (%EBP),%edx 0x0804865d <+77>: SHL $0x2,%edx 0x08048660 <+80>: Add%edx,%eax 0x08048662 <+82>: Flds (%eax) 0x08048664 <+84>: Fstpl 0x4 (%ESP) 0x08048668 <+88>: Movl $0x80487c8 , (%ESP) 0x0804866f <+95>: Call 0x80484a0 <[email protected]> 0x08048674 <+100>: jmp 0x80 48697 <_zn22xuzhina_dUmp_c06_s2_ex5printev+135> 0x08048676 <+102>: mov 0x8 (%EBP),%eax 0x08048679 <+105>: mov 0x14 ( %EAX),%eax 0x0804867c <+108>: mov-0xc (%EBP),%edx 0x0804867f <+111>: SHL $0x2,%edx 0x08048682 <+114>: Add%edx,%eax 0x08048684 <+116>: mov (%EAX),%eax 0x08048686 <+118>: mov%eax, 0x4 (%ESP) 0x0804868a <+122>: Movl $0x80487cc, (%ESP) 0x08048691 <+129>: Call 0x80484a0 <[EMAIL&N Bsp;protected]> 0x08048696 <+134>: Nop 0x08048697 <+135>: Addl $0x1,-0xc (%EBP) 0x0804869b <+ 139>: mov 0x8 (%EBP),%eax 0x0804869e <+142>: mov 0x18 (%eax),%eax 0X080486A1 <+145>: CMP- 0XC (%EBP),%eax 0x080486a4 <+148>: Seta%al 0x080486a7 <+151>: Test%al,%al 0x080486a9 <+153&G t;: jne 0x804861f <_ZN22xuzhina_dump_c06_s2_ex5printEv+15> 0x080486af <+159>: Leave 0x080486b0 &L T;+160>: Ret End of assembler dump.
Since XUZHINA_DUMP_C06_S2_EX can be seen from the symbol table::p rint is a member function of the class XUZHINA_DUMP_C06_S2_EX, the this pointer is passed as the first parameter when the class member function is called, knowing ebp+ 8 holds the this pointer.
Again by the crash command address is 0x0804863c, you can put this command address near the assembly analysis as follows:
0x0804862f <+31>: jmp 0x8048676 <_ZN22xuzhina_dump_c06_s2_ex5printEv+102> 0x08048631 <+33 : mov 0x8 (%EBP),%eax//this pointer 0x08048634 <+36>: mov 0x14 (%eax),%edx// Offset this pointer 20-byte member variable 0x08048637 <+39>: mov -0xc (%EBP),%eax//a local variable 0x0804863a <+42> : Add %edx,%eax//The member variable is an array of = 0x0804863c <+44>: movzbl (%EAX),%eax//the member variable is a char
And 0x0804862f is unconditional jump, that is, 0x08048631 this instruction should be from other places to jump over.
0x08048628 <+24>: JE 0x8048631 <_ZN22xuzhina_dump_c06_s2_ex5printEv+33>
Check out the assembly near 0x00401073, which can be analyzed as follows
0x0804861f <+15>: mov 0x8 (%EBP),%eax//this pointer 0x08048622 <+18>: movzwl (%eax),%eax// The first member variable, the type is short 0x08048625 <+21>: cwtl 0x08048626 <+22>: test %eax,%eax// Whether the first member variable is 0 0x08048628 <+24>: JE 0x8048631 <_ZN22xuzhina_dump_c06_s2_ex5printEv+33> 0x0804862a <+26>: cmp $0x1,%eax//Whether the first member variable is 1 0x0804862d <+29>: JE 0x8048654 <_ZN22xuzhina_dump_c06_s2_ex5printEv+68> 0x0804862f <+31>: jmp 0x8048676 <_ Zn22xuzhina_dump_c06_s2_ex5printev+102>
Thus, when the first member variable (named flag) is 0 o'clock, the branch that contains the crash instruction is executed. In other words, the structure of this piece of assembly is as follows
if (flag = = 0) {...} else if (flag = = 1) {...}}else{...}Now try to find out what the local variable ebp-0xc is in.
0x08048616 <+6>: movl $0x0,-0xc (%EBP) 0x0804861d <+13>: jmp x804869b <_ zn22xuzhina_dump_c06_s2_ex5printev+139> 0x0804861f <+15>: mov 0x8 (%EBP),%eax 0x08048697 <+135>: addl $0x1,-0xc (%EBP) 0x0804869b <+139>: mov 0x8 (%EBP),% EAX 0x0804869e <+142>: mov 0x18 (%eax),%eax 0x080486a1 <+145>: cmp -0xc (%EBP),%eax 0x080486a4 <+148>: seta %al 0x080486a7 <+151>: test %al,% Al 0x080486a9 <+153>: jne 0x804861f <_ZN22xuzhina_dump_c06_s2_ex5printEv+15>
As can be seen from the above paragraph, ebp-0xc stores a count variable, which is an index, and is in a loop consisting of a 0x804861f-0x080486a9 range of instruction addresses. So
0x08048631 <+33>: mov 0x8 (%EBP),%eax//this pointer 0x08048634 <+36>: mov 0x14 (%eax),% edx//offset this pointer 20 bytes member variable 0x08048637 <+39>: mov -0xc (%EBP),%eax//a local variable 0x0804863a <+42 Add %edx,%eax//The member variable is an array of = 0x0804863c <+44>: movzbl (%EAX),%eax//the member variable is a char
You can see that the eax+14h is a char pointer that is named PTR when the this pointer is offset by a 20-byte member variable. By
0x0804869b <+139>: mov 0x8 (%EBP),%eax 0x0804869e <+142>: mov 0x18 (%eax),%eax 0X080486A1 <+145>: cmp -0xc (%EBP),%eax 0x080486a4 <+148>: seta %al 0x080486a7 <+151>: test %al,%al 0x080486a9 <+153>: jne 0x804861f <_ Zn22xuzhina_dump_c06_s2_ex5printev+15>
The inferred this pointer offset 0x18, or 24-byte member variable, is a maximum integer named Num.
As can be known from above, the class xuzhina_dump_c06_s2_ex is probably as follows:
Class Xuzhina_dump_c06_s2_ex{private: Short flag; First member variable char unknown[n]; Unknown number of member variables, counted in bytes only. n = 16 or n=18 char* ptr; int num; Specifies the number of elements in PTR above public: void print (), ...};By
(gdb) x/x $ebp +80xbfe09690: 0xbfe096b4 (GDB) x/x 0xbfe096b4+0x140xbfe096c8: 0x69766544 (GDB) x/x 0x697665440x69766544: cannot access memory at address 0x69766544
It is known that the class member variable of PTR is modified to 0x69766544, so it will be coredump. Now look at the value of this object:
(GDB) x/8x 0xbfe096b40xbfe096b4: 0x68540000 0x73497369 0x726f5741 0x7546646c0xbfe096c4: 0x664f6c6c 0x69766544 0x4f6f4e6c 0x6143656e
From these values, most of them are in the ASCII code range, which is 0-127 (0x7f). Try to see if it's.
Since the first member variable flag takes two bytes, the starting address of the view should be 0xbfe096b6.
(GDB) x/s 0xbfe096b60xbfe096b6: "Thisisaworldfullofdevilnoonecansurvie"
Its length is 37. That is, it overwrites the value of the Ptr,num.
So where did it come from, when it was constructed or somewhere else? To figure this out, first look at the assembly of the main function:
(GDB) disassemble maindump of assembler code for function MAIN:0X080486B1 <+0>: Push%EBP 0x080486b2 < +1>: mov%esp,%ebp 0x080486b4 <+3>: and $0xfffffff0,%esp 0x080486b7 <+6>: Sub $0x4 0,%esp 0x080486ba <+9>: Cmpl $0x2,0x8 (%EBP) 0x080486be <+13>: JG 0x80486c7 <main+22> 0X080486C0 <+15>: mov $0xffffffff,%eax 0x080486c5 <+20>: jmp 0x8048718 <main+103> 0x0804 86c7 <+22>: mov 0xc (%EBP),%eax 0x080486ca <+25>: add $0x8,%eax 0x080486cd <+28>: mov (%eax),%eax 0x080486cf <+30>: mov%eax, (%ESP) 0x080486d2 <+33>: Call 0x8048480 <[EMAIL&NB Sp;protected]> 0x080486d7 <+38>: mov 0xc (%EBP),%edx 0x080486da <+41>: Add $0x8,%edx 0x080 486DD <+44>: mov (%edx),%ecx 0x080486df <+46>: mov 0xc (%EBP),%edx 0x080486e2 <+49>: A DD $0x4,%edx 0x080486e5 <+52>: mov (%edx),%edx 0x080486e7 <+54>: mov%eax,0x10 (%ESP) 0x080486eb <+58>: M OV%ecx,0xc (%ESP) 0x080486ef <+62>: Movl $0x0,0x8 (%ESP) 0x080486f7 <+70>: mov%edx,0x4 (%ESP) 0X080486FB <+74>: Lea 0x24 (%ESP),%eax 0x080486ff <+78>: mov%eax, (%ESP) 0x08048702 <+81& GT: Call 0x80485d0 <_ZN22xuzhina_dump_c06_s2_exC2EPcsPvj> 0x08048707 <+86>: Lea 0x24 (%ESP),%eax 0x0804870b <+90>: mov%eax, (%ESP) 0x0804870e <+93>: Call 0x8048610 <_zn22xuzhina_dump_c06_s2 _ex5printev> 0x08048713 <+98>: mov $0x0,%eax 0x08048718 <+103>: jmp 0x8048722 <MAIN+113&G T 0X0804871A <+105>: mov%eax, (%ESP) 0x0804871d <+108>: Call 0x80484c0 <[email protected]> 0x08048722 <+113>: Leave 0x08048723 <+114>: ret End of assembler dump.
By combining the above compilation and
(gdb) Shell c++filt _zn22xuzhina_dump_c06_s2_exc2epcspvjxuzhina_dump_c06_s2_ex::xuzhina_dump_c06_s2_ex (char*, Short, void*, unsigned int) (GDB) Shell c++filt _zn22xuzhina_dump_c06_s2_ex5printev xuzhina_dump_c06_s2_ex::p rint ()
It is known that the main function only calls four functions, strlen, class XUZHINA_DUMP_C06_S2_EX constructors and member functions print, and _unwind_resume (description visible/HTTP/ refspecs.linuxfoundation.org/lsb_1.3.0/glsb/glsb/baselib--unwind-resume.html)
Visible, the main function simply calls the class XUZHINA_DUMP_C06_S2_EX two external interfaces, a constructor, a print member function. Then, the member variable ptr,num of the class XUZHINA_DUMP_C06_S2_EX should be initialized in the constructor.
by the following
0x080486e7 <+54>: mov %eax,0x10 (%esp) 0x080486eb <+58>: mov %ecx,0xc (%ESP) 0x080486ef <+62>: movl $0x0,0x8 (%esp) 0x080486f7 <+70>: mov %edx,0x4 (%ESP) 0X080486FB <+74>: Lea 0x24 (%ESP),%eax 0x080486ff <+78>: mov %eax, (% ESP) 0x08048702 <+81>: call 0x80485d0 <_ZN22xuzhina_dump_c06_s2_exC2EPcsPvj>
From the four push instructions, it is possible to guess that the class xuzhina_dump_c06_s2_ex constructor has four parameters (five parameters minus the default this parameter of this pointer).
Take a look at the constructor:
(GDB) disassemble _zn22xuzhina_dump_c06_s2_exc2epcspvjdump of assembler code for function _zn22xuzhina_dump_c06_s2_ Exc2epcspvj:0x080485d0 <+0>: Push%ebp 0x080485d1 <+1>: mov%esp,%ebp 0x080485d3 <+3> ;: Sub $0x28,%esp 0x080485d6 <+6>: mov 0x10 (%EBP),%eax 0x080485d9 <+9>: mov%ax,-0xc ( %EBP) 0x080485dd <+13>: mov 0x8 (%EBP),%eax 0x080485e0 <+16>: mov 0x14 (%EBP),%edx 0x080485e3 <+19>: mov%edx,0x14 (%eax) 0x080485e6 <+22>: mov 0x8 (%EBP),%eax 0x080485e9 <+25>: mov 0x18 (%EBP),%edx 0x080485ec <+28>: mov%edx,0x18 (%eax) 0x080485ef <+31>: mov 0x8 (%EBP),%eax 0X080485F2 <+34>: Lea 0x2 (%EAX),%edx 0x080485f5 <+37>: mov 0xc (%EBP),%eax 0x080485f8 <+4 0>: mov%eax,0x4 (%ESP) 0X080485FC <+44>: mov%edx, (%ESP) 0x080485ff <+47>: Call 0x8048 490 <[email protected]&Gt 0x08048604 <+52>: mov 0x8 (%EBP),%eax 0x08048607 <+55>: movzwl-0xc (%EBP),%edx 0x0804860b <+59& GT: mov%dx, (%eax) 0x0804860e <+62>: Leave 0x0804860f <+63>: ret End of assembler dump.
By
0x080485d6 <+6>: mov 0x10 (%EBP),%eax 0x080485dd <+13>: mov 0x8 (%EBP),%eax 0x080485e0 <+16>: mov 0x14 (%EBP),%edx 0x080485e6 <+22>: mov 0x8 (%EBP),%eax 0x080485f5 <+37>: mov 0xc (%EBP),%eax
With these five instructions, the parameters of the class Xuzhina_dump_c06_s2_ex constructor are indeed four.
Again by ebp+8 the this pointer and the following four paragraphs of code
0X080485DD <+13>: mov 0x8 (%EBP),%eax 0x080485e0 <+16>: mov 0x14 (%EBP),%edx 0x080485e3 <+19>: mov %edx,0x14 (%eax) 0x080485e6 <+22>: mov 0x8 (%EBP),%eax 0x080485e9 <+25>: mov 0x18 (%EBP),%edx 0x080485ec <+28>: mov %edx,0x18 (%EAX) 0x080485ef <+31>: mov 0x8 (%EBP),%eax 0x080485f2 <+34>: Lea 0x2 (%eax),%edx 0x080485f5 <+37>: mov 0xc (%EBP),%eax 0x08048604 <+52>: mov 0x8 (%EBP), %eax 0x08048607 <+55>: movzwl-0xc (%EBP),%edx 0x0804860b <+59>: mov %dx, (% eax
The class XUZHINA_DUMP_C06_S2_EX only has four member variables. and by
0x080485ef <+31>: mov 0x8 (%EBP),%eax 0x080485f2 <+34>: Lea 0x2 (%eax),%edx// Just offset 2 bytes 0x080485f5 <+37>: mov 0xc (%EBP),%eax 0x080485f8 <+40>: mov %eax, 0x4 (%ESP) 0x080485fc <+44>: mov %edx, (%ESP) 0x080485ff <+47>: Call 0x8048490 <[email protected]>
The second member variable is a char array with a size of 18 bytes. In other words, the definition of this class might look like this:
Class Xuzhina_dump_c06_s2_ex{private: Short flag; First member variable char str[18]; Temporarily named Str char* ptr; int num; Specify the number of elements in PTR public: void print (), ...};Since PTR (offset value in 0x14h) This member variable is behind STR, and
0x080485ef <+31>: mov 0x8 (%EBP),%eax 0x080485f2 <+34>: Lea 0x2 (%eax),%edx 0x080485f5 <+37>: mov 0xc (%EBP),%eax 0x080485f8 <+40>: mov %eax,0x4 (%ESP) 0X080485FC <+44>: mov %edx, (%ESP) 0x080485ff <+47>: call 0x8048490 <[email protected]>
Therefore, the value of PTR may be overwritten at strcpy. By strcpy's prototype
Char *strcpy (char *dest, const char *SRC);
And
0x080485f5 <+37>: mov 0xc (%EBP),%eax
0x080485f8 <+40>: mov%eax,0x4 (%ESP)
It is known that SRC is the first parameter of a class XUZHINA_DUMP_C06_S2_EX constructor (not the default this pointer). Then jump to the main function frame and see where the first argument passed to the constructor came from.
This section is compiled by the main function
0X080486DF <+46>: mov 0xc (%EBP),%edx//second parameter argv 0x080486e2 <+49>: add $0x4,%edx/ /argv[1] Address 0x080486e5 <+52>: mov (%edx),%edx 0x080486e7 <+54> ;: mov %eax, 0x10 (%ESP) 0x080486eb <+58>: mov %ecx,0xc (%esp) 0x080486ef <+62>: MOVL $0x0,0x8 (%ESP) 0x080486f7 <+70>: mov %edx,0x4 (%esp) 0X080486FB <+74>: Lea 0x24 (%ESP),%eax 0x080486ff <+78>: mov %eax, (%ESP) 0x08048702 <+81 : Call 0x80485d0 <_ZN22xuzhina_dump_c06_s2_exC2EPcsPvj>
It is known that the first parameter of the class XUZHINA_DUMP_C06_S2_EX constructor is passed in by the second parameter of the main function, argv[1]. Take a look at argv[1] how much
(GDB) x $ebp +0xc0xbfe096e4: 0xbfe09774 (GDB) x 0xbfe09774+40xbfe09778: 0xbfe0a6a3 (GDB) x/s 0XBFE0A6A30XBFE0A6A3: "Thisisaworldfullofdevilnoonecansurvie"
The string parsed above is exactly the same. That is, due to improper use of strcpy, resulting in the rewriting of PTR, resulting in coredump.
Examples of source code:
1 #include <string.h> 2 #include <stdio.h> 3 class XUZHINA_DUMP_C06_S2_EX 4 {5 Private:6 Short M_type; 7 Char m_name[16]; 8 void* m_ptr; 9 unsigned int m_len; Public:11 xuzhina_dump_c06_s2_ex (char* name, short type, void* data, unsigned int len ); void print (); 14}; XUZHINA_DUMP_C06_S2_EX::XUZHINA_DUMP_C06_S2_EX (char* name, short type, void* data, unsigned int len) 1 8 {m_ptr = data; m_len = Len; strcpy (m_name, name); m_type = type; HINA_DUMP_C06_S2_EX::p rint () {(unsigned int i = 0; i < M_len; i++) {switch (m_type ) to {0:33 printf ("%c", * ((char*) m_ptr + i)); a break; Case 1:36 printf ("%f", * ((float*) m_ptr + i)); PNS break; default:39 printf ("%d", * ((int*) m_ptr + i)); a break; }43} argc int main (int, char* argv[]) (ARGC < 3) + Retu rn-1; XUZHINA_DUMP_C06_S2_EX Test (Argv[1], 0, argv[2], strlen (argv[2])); Test.print (); 0; 56}
"Coredump Problem principle Inquiry" Linux x86 version 6.3 section has member variables of class Coredump example
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
