[제9장] 디버깅
=================================================================
* Subject : [제9장] 디버깅
* Writer: w0rm9 (research.hackerschool.org)
* Date: 2004/02/06
=================================================================
/* 책은 완전 무시하고 스터디 시간에 한 걸 위주로...
* 문제 소스는 상원님이 강의하셨던 걸로...
*/
0x01. test1
[w0rm9@work GDB]$ gdb -q test1
(gdb) disas main
Dump of assembler code for function main:
0x08048328 <main+0>: push %ebp
0x08048329 <main+1>: mov %esp,%ebp
0x0804832b <main+3>: sub $0x8,%esp
0x0804832e <main+6>: and $0xfffffff0,%esp
0x08048331 <main+9>: mov $0x0,%eax
0x08048336 <main+14>: sub %eax,%esp
0x08048338 <main+16>: movl $0xa,0xfffffffc(%ebp) // 변수에 a(Hex) => 10(Dec) 할당
0x0804833f <main+23>: cmpl $0x64,0xfffffffc(%ebp) // 이 변수를 64(Hex) => 100(Dec)와 비교
0x08048343 <main+27>: jne 0x8048357 <main+47> // jump not equal 경우 main+47로 점프
0x08048345 <main+29>: sub $0xc,%esp
0x08048348 <main+32>: push $0x8048418
0x0804834d <main+37>: call 0x8048268 <printf>
0x08048352 <main+42>: add $0x10,%esp
0x08048355 <main+45>: jmp 0x8048367 <main+63>
0x08048357 <main+47>: sub $0xc,%esp
0x0804835a <main+50>: push $0x8048425
0x0804835f <main+55>: call 0x8048268 <printf>
0x08048364 <main+60>: add $0x10,%esp
0x08048367 <main+63>: leave
0x08048368 <main+64>: ret
0x08048369 <main+65>: nop
0x0804836a <main+66>: nop
0x0804836b <main+67>: nop
End of assembler dump.
(gdb) b *main+23
Breakpoint 1 at 0x804833f
(gdb) r
Starting program: /home/w0rm9/tmp/GDB/test1
Breakpoint 1, 0x0804833f in main ()
(gdb) x/d $ebp-4 // $ebp-4의 값을 보면
0xbffffb14: 10 // 10이 할당되어 있음
(gdb) set *0xbffffb14=100 // 0xbffffb14가 100이면 if문을 통과할 수 있으므로 (주소를 직접 적는 대신 set *(int*)($ebp-4)=100 으로 써도 같은 효과)
(gdb) c
Continuing.
You got it!
Program exited with code 014. // gdb는 종료 코드를 8진수로 표시함: 014 = 12. main에 return이 없어 마지막 printf의 반환값(출력한 바이트 수 12)이 그대로 종료 코드가 된 것
(gdb) q
[w0rm9@work GDB]$ cat test1.c
#include <stdio.h>
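/*
 * test1: a compile-time constant local is compared with 100, so the
 * "You got it!" branch is only reachable by patching the running process
 * (in the session above: stop at the cmpl and overwrite the int at [ebp-4]).
 * Nothing here reads any input.
 */
int main(void) {
    int a = 10;                          /* stack local at [ebp-4] */
    if (a == 100) {
        printf("You got it!\n");
    } else {
        printf("Oooops!, try again!\n");
    }
    /* Explicit exit status. Without it the status is whatever eax holds after
     * the last printf (the number of bytes written), which is why gdb reports
     * "exited with code 014" (octal 14 = 12) for the unpatched build. */
    return 0;
}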
0x02. test2
[w0rm9@work GDB]$ gdb -q test2
(gdb) disas main
Dump of assembler code for function main:
0x0804835c <main+0>: push %ebp
0x0804835d <main+1>: mov %esp,%ebp
0x0804835f <main+3>: sub $0x8,%esp
0x08048362 <main+6>: and $0xfffffff0,%esp
0x08048365 <main+9>: mov $0x0,%eax
0x0804836a <main+14>: sub %eax,%esp
0x0804836c <main+16>: call 0x804829c <getuid> // getuid() 호출
0x08048371 <main+21>: mov %eax,0xfffffffc(%ebp) // 호출된 값을 넣고
0x08048374 <main+24>: cmpl $0x0,0xfffffffc(%ebp) // 그 값이 0 인지 비교
0x08048378 <main+28>: jne 0x804838c <main+48>
0x0804837a <main+30>: sub $0xc,%esp
0x0804837d <main+33>: push $0x8048450
0x08048382 <main+38>: call 0x804828c <printf>
0x08048387 <main+43>: add $0x10,%esp
0x0804838a <main+46>: jmp 0x804839f <main+67>
0x0804838c <main+48>: sub $0x8,%esp
0x0804838f <main+51>: pushl 0xfffffffc(%ebp)
0x08048392 <main+54>: push $0x8048466
0x08048397 <main+59>: call 0x804828c <printf>
0x0804839c <main+64>: add $0x10,%esp
0x0804839f <main+67>: leave
0x080483a0 <main+68>: ret
0x080483a1 <main+69>: nop
0x080483a2 <main+70>: nop
0x080483a3 <main+71>: nop
End of assembler dump.
(gdb) b *main+24
Breakpoint 1 at 0x8048374
(gdb) r
Starting program: /home/w0rm9/tmp/GDB/test2
Breakpoint 1, 0x08048374 in main ()
(gdb) x/d $ebp-4
0xbffffb14: 519 // 현재 w0rm9(uid=519)
(gdb) set *0xbffffb14=0 // 0으로 설정
(gdb) c
Continuing.
Password is WiseGuyz // 검사는 프로세스 안에서만 이루어지므로 값만 바꾸면 통과됨. 이 "비밀번호"는 바이너리에 문자열 리터럴로 들어 있어 strings 명령으로도 바로 읽힘. 패치해도 프로세스의 실제 권한(uid 519)은 그대로임
Program exited with code 025.
(gdb) q
[w0rm9@work GDB]$ cat test2.c
#include <stdio.h>
#include <unistd.h>
int main() {
int uid;
uid = getuid();
if( uid == 0) {
printf("Password is WiseGuyz\n");
} else {
printf("You are %d\n",uid);
}
}
[w0rm9@work GDB]$ gdb -q test2 // 다른 방법
(gdb) disas main
Dump of assembler code for function main:
0x0804835c <main+0>: push %ebp
0x0804835d <main+1>: mov %esp,%ebp
0x0804835f <main+3>: sub $0x8,%esp
0x08048362 <main+6>: and $0xfffffff0,%esp
0x08048365 <main+9>: mov $0x0,%eax
0x0804836a <main+14>: sub %eax,%esp
0x0804836c <main+16>: call 0x804829c <getuid>
0x08048371 <main+21>: mov %eax,0xfffffffc(%ebp) // 이번엔 여기서 브레이크포인트를 걸고 eax를 변경함 (getuid()의 반환값이 스택에 저장되기 직전)
0x08048374 <main+24>: cmpl $0x0,0xfffffffc(%ebp)
0x08048378 <main+28>: jne 0x804838c <main+48>
0x0804837a <main+30>: sub $0xc,%esp
0x0804837d <main+33>: push $0x8048450
0x08048382 <main+38>: call 0x804828c <printf>
0x08048387 <main+43>: add $0x10,%esp
0x0804838a <main+46>: jmp 0x804839f <main+67>
0x0804838c <main+48>: sub $0x8,%esp
0x0804838f <main+51>: pushl 0xfffffffc(%ebp)
0x08048392 <main+54>: push $0x8048466
0x08048397 <main+59>: call 0x804828c <printf>
0x0804839c <main+64>: add $0x10,%esp
0x0804839f <main+67>: leave
0x080483a0 <main+68>: ret
0x080483a1 <main+69>: nop
0x080483a2 <main+70>: nop
0x080483a3 <main+71>: nop
End of assembler dump.
(gdb) b *main+21
Breakpoint 1 at 0x8048371
(gdb) r
Starting program: /home/w0rm9/tmp/GDB/test2
Breakpoint 1, 0x08048371 in main ()
(gdb) info reg
eax 0x207 519 // 현재 519임
ecx 0x40155a0c 1075141132
edx 0x401587b8 1075152824
ebx 0x401581c0 1075151296
esp 0xbffffb10 0xbffffb10
ebp 0xbffffb18 0xbffffb18
esi 0x40015360 1073828704
edi 0xbffffb64 -1073743004
eip 0x8048371 0x8048371
eflags 0x203 515
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x0 0
(gdb) set $eax=0 // 0으로 변경함
(gdb) c // 계속 실행
Continuing.
Password is WiseGuyz
Program exited with code 025.
0x03. test3
[w0rm9@work GDB]$ gdb -q test3
(gdb) disas main
Dump of assembler code for function main:
0x0804835c <main+0>: push %ebp
0x0804835d <main+1>: mov %esp,%ebp
0x0804835f <main+3>: sub $0x18,%esp
0x08048362 <main+6>: and $0xfffffff0,%esp
0x08048365 <main+9>: mov $0x0,%eax
0x0804836a <main+14>: sub %eax,%esp
0x0804836c <main+16>: mov 0x804846c,%eax // 0x804846c <_IO_stdin_used+4>: "WiSeGuYz"
0x08048371 <main+21>: mov %eax,0xffffffe8(%ebp)
0x08048374 <main+24>: mov 0x8048470,%eax // 0x8048470 <_IO_stdin_used+8>: "GuYz"
0x08048379 <main+29>: mov %eax,0xffffffec(%ebp)
0x0804837c <main+32>: mov 0x8048474,%al // 리터럴의 마지막 NUL 바이트(0x804846c+8). 위 두 mov와 합쳐 "WiSeGuYz\0" 9바이트를 스택의 buf로 복사
0x08048381 <main+37>: mov %al,0xfffffff0(%ebp)
0x08048384 <main+40>: sub $0x8,%esp
0x08048387 <main+43>: push $0x8048475 // strcmp의 두 번째 인자로 0x8048475 <_IO_stdin_used+13>: "WiseguyZ" 를 넣음
0x0804838c <main+48>: lea 0xffffffe8(%ebp),%eax
0x0804838f <main+51>: push %eax // 그 다음 eax를 넣음 <== 여기서 eax를 0x8048475로 바꿔준다면..^^?
0x08048390 <main+52>: call 0x804827c <strcmp> // 비교
0x08048395 <main+57>: add $0x10,%esp
0x08048398 <main+60>: test %eax,%eax
0x0804839a <main+62>: jne 0x80483ae <main+82>
0x0804839c <main+64>: sub $0xc,%esp
0x0804839f <main+67>: push $0x804847e
0x080483a4 <main+72>: call 0x804829c <printf>
0x080483a9 <main+77>: add $0x10,%esp
0x080483ac <main+80>: jmp 0x80483be <main+98>
0x080483ae <main+82>: sub $0xc,%esp
0x080483b1 <main+85>: push $0x8048496
0x080483b6 <main+90>: call 0x804829c <printf>
0x080483bb <main+95>: add $0x10,%esp
0x080483be <main+98>: leave
0x080483bf <main+99>: ret
End of assembler dump.
(gdb) b *main+51 // strcmp를 호출하기 전, push %eax 직전에 브레이크포인트
Breakpoint 1 at 0x804838f
(gdb) r
Starting program: /tmp/gdb/test3
Breakpoint 1, 0x0804838f in main ()
(gdb) set $eax=0x8048475 // eax에 0x8048475를 넣어줌
(gdb) c
Continuing.
Wow!! You are WiseguyZ // 와우
Program exited with code 027.
(gdb) q
[w0rm9@work GDB]$ cat test3.c
#include <stdio.h>
#include <string.h>
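/*
 * test3: compares a stack copy of "WiSeGuYz" against the literal "WiseguyZ".
 * gcc builds buf on the stack from the .rodata literal in 4+4+1 byte moves
 * (main+16..+37); strcmp then receives &buf and the literal's address
 * (0x8048475). Overwriting eax with 0x8048475 just before the push makes
 * strcmp compare the literal with itself and return 0.
 */
int main(void) {
    char buf[] = "WiSeGuYz";             /* writable copy at [ebp-0x18] */
    if (strcmp(buf, "WiseguyZ") == 0) {
        printf("Wow!! You are WiseguyZ\n");
    } else {
        printf("Hey~ Buddy try again\n");
    }
    /* Explicit status; otherwise the exit code is the last printf's return value. */
    return 0;
}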
0x04. test4
[w0rm9@work GDB]$ gdb -q test4
(gdb) disas main
Dump of assembler code for function main:
0x08048328 <main+0>: push %ebp
0x08048329 <main+1>: mov %esp,%ebp
0x0804832b <main+3>: sub $0x8,%esp
0x0804832e <main+6>: and $0xfffffff0,%esp
0x08048331 <main+9>: mov $0x0,%eax
0x08048336 <main+14>: sub %eax,%esp
0x08048338 <main+16>: cmpl $0xd4,0xfffffffc(%ebp) // d4(Hex) => 212(Dec) 와 변수값을 비교
0x0804833f <main+23>: jne 0x8048351 <main+41> // 다르면 main+41로 가고 같으면 계속 진행 즉 system() 실행
0x08048341 <main+25>: sub $0xc,%esp
0x08048344 <main+28>: push $0x8048400 // "/bin/sh"에 해당
0x08048349 <main+33>: call 0x8048258 <system>
0x0804834e <main+38>: add $0x10,%esp
0x08048351 <main+41>: leave
0x08048352 <main+42>: ret
0x08048353 <main+43>: nop
End of assembler dump.
(gdb) b *main+16
Breakpoint 1 at 0x8048338
(gdb) r
Starting program: /home/w0rm9/tmp/GDB/test4
Breakpoint 1, 0x08048338 in main ()
(gdb) x/d $ebp-4
0xbffffb14: 1073828704 // 선언만 하고 초기화하지 않아서 이전에 스택에 남아 있던 값(쓰레기 값)이 그대로 들어가 있다. 랜덤이 아니라 결정적인 값이며, 0x40015360은 test2 레지스터 덤프의 esi 값과 같다
(gdb) set *0xbffffb14=212 // 212(Dec)로 변경하고
(gdb) x/d $ebp-4 // 제대로 변경되었나 확인
0xbffffb14: 212
(gdb) c // 계속 진행
Continuing.
sh-2.05b$ // system("/bin/sh"); 실행. 단, gdb 아래서 얻은 셸은 디버거를 실행한 사용자의 권한일 뿐이다. setuid 바이너리는 ptrace 하에서 권한 상승 없이 실행되므로 이 방법으로 root 셸을 얻을 수는 없다
0x05. 팁?
[w0rm9@work GDB]$ cat var.c
#include <stdio.h>
/* Global initialised data: lives at a fixed address in .data (0x804942c in
 * the build above). While the binary keeps its symbols, gdb resolves that
 * address back to the name (`x/x 0x804942c` prints `<mongii>`). */
int mongii = 200;
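/*
 * var: prints a stack local and a global. The local lives at [ebp-4] and is
 * only reachable by address; the global is referenced by its absolute
 * address (pushl 0x804942c), which gdb maps back to the symbol name.
 */
int main(void) {
    int a = 100;                         /* stack local at [ebp-4] */
    printf("%d\n", a);
    printf("%d\n", mongii);              /* global at a fixed address */
    /* Explicit status; otherwise the exit code is the last printf's return value. */
    return 0;
}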
[w0rm9@work GDB]$ gdb -q var
(gdb) disas main
Dump of assembler code for function main:
0x08048328 <main+0>: push %ebp
0x08048329 <main+1>: mov %esp,%ebp
0x0804832b <main+3>: sub $0x8,%esp
0x0804832e <main+6>: and $0xfffffff0,%esp
0x08048331 <main+9>: mov $0x0,%eax
0x08048336 <main+14>: sub %eax,%esp
0x08048338 <main+16>: movl $0x64,0xfffffffc(%ebp)
0x0804833f <main+23>: sub $0x8,%esp
0x08048342 <main+26>: pushl 0xfffffffc(%ebp)
0x08048345 <main+29>: push $0x8048418
0x0804834a <main+34>: call 0x8048268 <printf>
0x0804834f <main+39>: add $0x10,%esp
0x08048352 <main+42>: sub $0x8,%esp
0x08048355 <main+45>: pushl 0x804942c
0x0804835b <main+51>: push $0x8048418
0x08048360 <main+56>: call 0x8048268 <printf>
0x08048365 <main+61>: add $0x10,%esp
0x08048368 <main+64>: leave
0x08048369 <main+65>: ret
0x0804836a <main+66>: nop
0x0804836b <main+67>: nop
End of assembler dump.
(gdb) x/x 0x804942c
0x804942c <mongii>: 0x000000c8 // 전역변수의 경우 변수 이름을 알 수 있음 (심볼이 남아 있을 때만; strip된 바이너리에서는 주소만 보임). 0xc8 = 200
_eof_
