使用 dr 命令看不到 rip 地址

逆向工程 二进制分析 radare2 二进制 断点
2021-06-23 11:32:01

我刚刚完成了这个挑战，下面是 main 函数的内容：

[0x08048a86]> pdf
/ (fcn) main 417
|   main (int argc, char **argv, char **envp);
|           ; (review) 32-bit x86 main.  ecx = esp+4 (= &argc) on entry is copied
|           ;   into ebx at 0x08048a98, so [ebx] = argc and [ebx+4] = argv.
|           ;   The return value is built in ebx and moved to eax at 0x08048c19:
|           ;   5 on the usage path, 0 otherwise (whether or not the password matched).
|           ; var int local_16h @ ebp-0x16
|           ; var int local_15h @ ebp-0x15
|           ; var int local_14h @ ebp-0x14
|           ; var int local_10h @ ebp-0x10
|           ; var int local_ch @ ebp-0xc
|           ; var int local_8h_2 @ ebp-0x8
|           ; var char *local_4h @ esp+0x4
|           ; var int local_8h @ esp+0x8
|           ; DATA XREF from entry0 (0x80488a7)
|           0x08048a86      8d4c2404       lea ecx, [local_4h]         ; 4 ; ecx = esp+4 = &argc (entry esp holds the return address)
|           0x08048a8a      83e4f0         and esp, 0xfffffff0         ; 16-byte align the stack
|           0x08048a8d      ff71fc         push dword [ecx - 4]        ; re-push the return address above the aligned frame
|           0x08048a90      55             push ebp
|           0x08048a91      89e5           mov ebp, esp
|           0x08048a93      53             push ebx
|           0x08048a94      51             push ecx                    ; saved so the epilogue (0x08048c95) can restore the pre-alignment esp
|           0x08048a95      83ec20         sub esp, 0x20
|           0x08048a98      89cb           mov ebx, ecx                ; ebx -> {argc, argv, envp}
|           0x08048a9a      833b01         cmp dword [ebx], 1          ; argc > 1 ?
|       ,=< 0x08048a9d      7f4f           jg 0x8048aee                ; yes: a password argument was supplied
|       |   0x08048a9f      8b4304         mov eax, dword [ebx + 4]    ; [0x4:4]=-1 ; 4 ; eax = argv
|       |   0x08048aa2      8b18           mov ebx, dword [eax]        ; ebx = argv[0]
|       |   ; usage path: cerr << "usage : " << argv[0] << " password" << endl
|       |   0x08048aa4      c7442404b18d.  mov dword [local_4h], str.usage_: ; [0x8048db1:4]=0x67617375 ; "usage : "
|       |   0x08048aac      c7042460b004.  mov dword [esp], obj._ZSt4cerr__GLIBCXX_3.4 ; [0x804b060:4]=0
|       |   0x08048ab3      e838fdffff     call sym.std::basic_ostream_char_std::char_traits_char___std::operator___std::char_traits_char___std::basic_ostream_char_std::char_traits_char____charconst
|       |   0x08048ab8      895c2404       mov dword [local_4h], ebx   ; argv[0]
|       |   0x08048abc      890424         mov dword [esp], eax        ; eax = the ostream& returned by the previous operator<<
|       |   0x08048abf      e82cfdffff     call sym.std::basic_ostream_char_std::char_traits_char___std::operator___std::char_traits_char___std::basic_ostream_char_std::char_traits_char____charconst
|       |   0x08048ac4      c7442404ba8d.  mov dword [local_4h], str.password ; [0x8048dba:4]=0x73617020 ; " password"
|       |   0x08048acc      890424         mov dword [esp], eax
|       |   0x08048acf      e81cfdffff     call sym.std::basic_ostream_char_std::char_traits_char___std::operator___std::char_traits_char___std::basic_ostream_char_std::char_traits_char____charconst
|       |   0x08048ad4      c74424045088.  mov dword [local_4h], sym.std::basic_ostream_char_std::char_traits_char___std::endl_char_std::char_traits_char___std::basic_ostream_char_std::char_traits_char ; [0x8048850:4]=0xb04425ff
|       |   0x08048adc      890424         mov dword [esp], eax
|       |   0x08048adf      e85cfdffff     call sym.std::ostream::operator___std::ostream_____std::ostream
|       |   0x08048ae4      bb05000000     mov ebx, 5                  ; return value 5 on the usage path
|      ,==< 0x08048ae9      e92b010000     jmp 0x8048c19               ; straight to the common exit
|      ||   ; CODE XREF from main (0x8048a9d)
|      ||   ; argc > 1: build two std::string locals (local_ch, local_10h) from the
|      ||   ; constant data at 0x8048dc4 and 0x8048dcc via basic_string(const char*, const allocator&)
|      |`-> 0x08048aee      8d45eb         lea eax, [local_15h]
|      |    0x08048af1      890424         mov dword [esp], eax
|      |    0x08048af4      e867fdffff     call sym.std::allocator_char_::allocator
|      |    0x08048af9      8d45eb         lea eax, [local_15h]
|      |    0x08048afc      89442408       mov dword [local_8h], eax
|      |    0x08048b00      c7442404c48d.  mov dword [local_4h], 0x8048dc4 ; [0x8048dc4:4]=0xca15d618 ; const char* source for local_ch
|      |    0x08048b08      8d45f4         lea eax, [local_ch]
|      |    0x08048b0b      890424         mov dword [esp], eax
|      |    0x08048b0e      e80dfdffff     call sym.std::basic_string_char_std::char_traits_char__std::allocator_char__::basic_string_charconst__std::allocator_char_const
|      |    0x08048b13      8d45ea         lea eax, [local_16h]
|      |    0x08048b16      890424         mov dword [esp], eax
|      |    0x08048b19      e842fdffff     call sym.std::allocator_char_::allocator
|      |    0x08048b1e      8d45ea         lea eax, [local_16h]
|      |    0x08048b21      89442408       mov dword [local_8h], eax
|      |    0x08048b25      c7442404cc8d.  mov dword [local_4h], 0x8048dcc ; [0x8048dcc:4]=0xaf67b350 ; const char* source for local_10h
|      |    0x08048b2d      8d45f0         lea eax, [local_10h]
|      |    0x08048b30      890424         mov dword [esp], eax
|      |    0x08048b33      e8e8fcffff     call sym.std::basic_string_char_std::char_traits_char__std::allocator_char__::basic_string_charconst__std::allocator_char_const
|      |    ; local_14h = plouf(local_10h, local_ch); [esp] presumably the hidden return slot -- result is read from local_14h at 0x08048b8c
|      |    0x08048b38      8d45ec         lea eax, [local_14h]
|      |    0x08048b3b      8d55f4         lea edx, [local_ch]
|      |    0x08048b3e      89542408       mov dword [local_8h], edx
|      |    0x08048b42      8d55f0         lea edx, [local_10h]
|      |    0x08048b45      89542404       mov dword [local_4h], edx
|      |    0x08048b49      890424         mov dword [esp], eax
|      |    0x08048b4c      e83cfeffff     call sym.plouf_std::string_std::string
|      |    0x08048b51      83ec04         sub esp, 4                  ; NOTE(review): looks like the callee popped the return-slot pointer -- confirm
|      |    ; tear down the two temporary strings and their allocators
|      |    0x08048b54      8d45f0         lea eax, [local_10h]
|      |    0x08048b57      890424         mov dword [esp], eax
|      |    0x08048b5a      e8a1fcffff     call sym.std::basic_string_char_std::char_traits_char__std::allocator_char__::_basic_string
|      |    0x08048b5f      8d45ea         lea eax, [local_16h]
|      |    0x08048b62      890424         mov dword [esp], eax
|      |    0x08048b65      e8c6fcffff     call sym.std::allocator_char_::_allocator
|      |    0x08048b6a      8d45f4         lea eax, [local_ch]
|      |    0x08048b6d      890424         mov dword [esp], eax
|      |    0x08048b70      e88bfcffff     call sym.std::basic_string_char_std::char_traits_char__std::allocator_char__::_basic_string
|      |    0x08048b75      8d45eb         lea eax, [local_15h]
|      |    0x08048b78      890424         mov dword [esp], eax
|      |    0x08048b7b      e8b0fcffff     call sym.std::allocator_char_::_allocator
|      |    ; compare: al = (local_14h == argv[1])
|      |    0x08048b80      8b4304         mov eax, dword [ebx + 4]    ; [0x4:4]=-1 ; 4 ; eax = argv
|      |    0x08048b83      83c004         add eax, 4                  ; &argv[1]
|      |    0x08048b86      8b00           mov eax, dword [eax]        ; eax = argv[1]
|      |    0x08048b88      89442404       mov dword [local_4h], eax
|      |    0x08048b8c      8d45ec         lea eax, [local_14h]
|      |    0x08048b8f      890424         mov dword [esp], eax
|      |    0x08048b92      e860010000     call sym.boolstd::operator___char_std::char_traits_char__std::allocator_char___std::basic_string_char_std::char_traits_char__std::allocator_char__const__charconst
|      |    0x08048b97      84c0           test al, al                 ; al = comparison result
|      |,=< 0x08048b99      744a           je 0x8048be5                ; not equal -> "Password incorrect." (the branch the question breakpoints at)
|      ||   ; match: cout << "Bravo, ..." << endl << "Congratz. ..." << endl
|      ||   0x08048b9b      c7442404fc8d.  mov dword [local_4h], str.Bravo__tu_peux_valider_en_utilisant_ce_mot_de_passe... ; [0x8048dfc:4]=0x76617242 ; "Bravo, tu peux valider en utilisant ce mot de passe..."
|      ||   0x08048ba3      c7042400b104.  mov dword [esp], obj._ZSt4cout__GLIBCXX_3.4 ; [0x804b100:4]=0
|      ||   0x08048baa      e841fcffff     call sym.std::basic_ostream_char_std::char_traits_char___std::operator___std::char_traits_char___std::basic_ostream_char_std::char_traits_char____charconst
|      ||   0x08048baf      c74424045088.  mov dword [local_4h], sym.std::basic_ostream_char_std::char_traits_char___std::endl_char_std::char_traits_char___std::basic_ostream_char_std::char_traits_char ; [0x8048850:4]=0xb04425ff
|      ||   0x08048bb7      890424         mov dword [esp], eax
|      ||   0x08048bba      e881fcffff     call sym.std::ostream::operator___std::ostream_____std::ostream
|      ||   0x08048bbf      c7442404348e.  mov dword [local_4h], str.Congratz._You_can_validate_with_this_password... ; [0x8048e34:4]=0x676e6f43 ; "Congratz. You can validate with this password..."
|      ||   0x08048bc7      c7042400b104.  mov dword [esp], obj._ZSt4cout__GLIBCXX_3.4 ; [0x804b100:4]=0
|      ||   0x08048bce      e81dfcffff     call sym.std::basic_ostream_char_std::char_traits_char___std::operator___std::char_traits_char___std::basic_ostream_char_std::char_traits_char____charconst
|      ||   0x08048bd3      c74424045088.  mov dword [local_4h], sym.std::basic_ostream_char_std::char_traits_char___std::endl_char_std::char_traits_char___std::basic_ostream_char_std::char_traits_char ; [0x8048850:4]=0xb04425ff
|      ||   0x08048bdb      890424         mov dword [esp], eax
|      ||   0x08048bde      e85dfcffff     call sym.std::ostream::operator___std::ostream_____std::ostream
|     ,===< 0x08048be3      eb24           jmp 0x8048c09               ; skip the failure message
|     |||   ; CODE XREF from main (0x8048b99)
|     |||   ; no match: cout << "Password incorrect." << endl
|     ||`-> 0x08048be5      c7442404658e.  mov dword [local_4h], str.Password_incorrect. ; [0x8048e65:4]=0x73736150 ; "Password incorrect."
|     ||    0x08048bed      c7042400b104.  mov dword [esp], obj._ZSt4cout__GLIBCXX_3.4 ; [0x804b100:4]=0
|     ||    0x08048bf4      e8f7fbffff     call sym.std::basic_ostream_char_std::char_traits_char___std::operator___std::char_traits_char___std::basic_ostream_char_std::char_traits_char____charconst
|     ||    0x08048bf9      c74424045088.  mov dword [local_4h], sym.std::basic_ostream_char_std::char_traits_char___std::endl_char_std::char_traits_char___std::basic_ostream_char_std::char_traits_char ; [0x8048850:4]=0xb04425ff
|     ||    0x08048c01      890424         mov dword [esp], eax
|     ||    0x08048c04      e837fcffff     call sym.std::ostream::operator___std::ostream_____std::ostream
|     ||    ; CODE XREF from main (0x8048be3)
|     `---> 0x08048c09      bb00000000     mov ebx, 0                  ; return 0 on both the match and the no-match path
|      |    0x08048c0e      8d45ec         lea eax, [local_14h]
|      |    0x08048c11      890424         mov dword [esp], eax
|      |    0x08048c14      e8e7fbffff     call sym.std::basic_string_char_std::char_traits_char__std::allocator_char__::_basic_string ; destroy local_14h
|      |    ; CODE XREF from main (0x8048ae9)
|      `--> 0x08048c19      89d8           mov eax, ebx                ; eax = return value (5 usage, 0 otherwise)
|       ,=< 0x08048c1b      eb75           jmp 0x8048c92               ; to the epilogue
..
|       |   ; (review) 0x8048c1d..0x8048c91 elided by radare2 above; jumped over on the normal path, contents not shown here
|       |   ; CODE XREF from main (0x8048c1b)
|       `-> 0x08048c92      8d65f8         lea esp, [local_8h_2]       ; esp = ebp-8 -> saved ecx
|           0x08048c95      59             pop ecx
|           0x08048c96      5b             pop ebx
|           0x08048c97      5d             pop ebp
|           0x08048c98      8d61fc         lea esp, [ecx - 4]          ; undo the alignment sequence from 0x08048a86: esp -> original return address
\           0x08048c9b      c3             ret

我通过在 0x08048b99 处设置断点来解决它，命中断点时用 pxr @ esp 命令打印堆栈，结果是：

0xffe4a170 0xffe4a184 .... @esp stack R W 0x9f61c8c --> (Here_you_have_to_understand_a_little_C++_stuffs) 0xffe4a174 0xffe4b367 g... edx stack R W 0x43007373 (ss) --> ascii

所以现在,我想以不同的方式再次解决这个挑战。我有两个问题。

第一个问题：起初，在用上述方法解决之前，我试图在每个比较函数上设置断点，想法是像某个视频里那样修改 rip 地址。问题是当我输入 dr 命令时，输出中没有 rip。这是我的输出：

hit breakpoint at: 8048b99
[0x08048b99]> dr
eax = 0xffffff00
ebx = 0xffceafa0
ecx = 0x00000004
edx = 0xffceb365
esi = 0xf7d54000
edi = 0xf7d54000
esp = 0xffceaf60
ebp = 0xffceaf88
eip = 0x08048b99
eflags = 0x00000246
oeax = 0xffffffff

为什么我没有看到 rip 的值？如果可能的话，你能解释一下我该怎么做吗？

第二个问题：radare2 中是否有一个我不知道的命令，可以直接打印 obj._ZSt4cout__GLIBCXX_3.4？

1个回答

rip 是 x64 上的指令指针寄存器，eip 是 x86（32 位）上的对应寄存器；你的程序是 32 位的，所以 dr 在你的情况下显示的是 eip。

它可能是一个经过名称修饰（mangled）的符号名（不清楚 radare2 为什么会加上 GLIBC 部分）。

但如果你去掉 GLIBC 部分，就可以用 iD 命令把它反修饰（demangle）为 std::cout：

[0x01012d6c]> iD cxx _ZSt4cout__GLIBCXX_3.4
[0x01012d6c]> iD cxx _ZSt4cout__GLIBCXX_
[0x01012d6c]> iD cxx _ZSt4cout__GLIBCXX
[0x01012d6c]> iD cxx _ZSt4cout__GLIBC
[0x01012d6c]> iD cxx _ZSt4cout__GL
[0x01012d6c]> iD cxx _ZSt4cout__
[0x01012d6c]> iD cxx _ZSt4cout_
[0x01012d6c]> iD cxx _ZSt4cout
std::cout
[0x01012d6c]> iD cxx _ZSt4cou
[0x01012d6c]>

顺便说一句，我不清楚你为什么会得到那些难以辨认的符号名。

你是在加载可执行文件之前还是之后对它做的分析？

radare2 能给出比你贴出的 pdf 输出更清晰的结果。

为了确认自己没有被久远的记忆误导，我费了一番周折拿到了第四个挑战的文件 :( 并把它加载到 radare2 中，我确信它的输出确实比你贴出的更好。万一分析之后你仍然得不到可读的输出，请检查

e asm.demangle 这个配置项，把它设为 true（e asm.demangle=true），然后重新分析并再次执行 pdf。

这是屏幕截图，截图中第一个以 _Z 开头的符号就是 std::cerr，由 radare2 自动反修饰（demangle）得到。


我目前的 radare2 版本是 2.8.xxx，我看到最新的是 3.2.xxx。如果最新版本的输出不同，可以试着联系 radare2 团队；也许团队中的某个人，或者像 megabeets 这样更资深的用户，也会在这里回答。