最近在看《黑客攻防技术宝典:系统篇》,在分析书中一些例子时,又对原来c中一些知识点有了新的认识。
0x01 环境
OS:Debian3r4
GCC:gcc version 3.3.5 (Debian 1:3.3.5-13)
GDB:GNU gdb 6.3-debian
编译命令:gcc -g victim.c -o victim
gdb调试命令:gdb --args ./victim "AAAAA"
0x02 源码
//victim.c
#include <stdio.h>
void func(char *str)
{
int a=0;
printf("%p\n",&str);
printf("%s\n", str);
}
int main(int argc, char *argv[])
{
char little_array[512];
//if (argc > 1)
//strcpy(little_array,argv[1]);//-----------------------1
//printf("%s,%s,%s,%s\n", argv[2],argv[3],argv[4],argv[5]);//----------------------2
//func(argv[3]);//---------------------3
}
gdb反编译源码
yerx@debian:~$ gdb --args ./victim "AAAAA"
GNU gdb 6.3-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-linux"...Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) disassemble main
Dump of assembler code for function main:
0x080483b9 <main+0>: push %ebp
0x080483ba <main+1>: mov %esp,%ebp
0x080483bc <main+3>: sub $0x208,%esp
0x080483c2 <main+9>: and $0xfffffff0,%esp
0x080483c5 <main+12>: mov $0x0,%eax
0x080483ca <main+17>: sub %eax,%esp
0x080483cc <main+19>: leave
0x080483cd <main+20>: ret
End of assembler dump.
(gdb)
0x03 知识点
-
数组变量分配的空间大小
从上面的汇编代码中可以看出这里分配的空间为520(0x208)个字节大小,而不是512个字节,做个试验可以看出,在数组长度<=4个字节,分配的空间为0x8,在数组长度4<len(array)<8,分配空间为0x18,=8时,分配空间为0x8。
-
main函数的argv参数
main函数的argc参数表示参数数量,argv表示实际参数字符串数组,argv不只是含有输入的参数,还包括环境变量的字符串。(gdb) disassemble main Dump of assembler code for function main: 0x080483b9 <main+0>: push %ebp 0x080483ba <main+1>: mov %esp,%ebp 0x080483bc <main+3>: sub $0x28,%esp 0x080483bf <main+6>: and $0xfffffff0,%esp 0x080483c2 <main+9>: mov $0x0,%eax 0x080483c7 <main+14>: sub %eax,%esp 0x080483c9 <main+16>: leave 0x080483ca <main+17>: ret End of assembler dump. (gdb) b *0x080483b9 Breakpoint 1 at 0x80483b9: file victim.c, line 10. (gdb) run Starting program: /home/yerx/victim AAAAAAAA Breakpoint 1, main (argc=134513593, argv=0x2) at victim.c:10 10 { (gdb) i r esp esp 0xbffffb4c 0xbffffb4c (gdb) x/20x 0xbffffb50 0xbffffb50: 0x00000002 0xbffffba4 0xbffffbb0 0x080482c0 0xbffffb60: 0x00000000 0x4000bcd0 0x4014bdb4 0x40016ca0 0xbffffb70: 0x00000002 0x080482c0 0x00000000 0x080482e1 0xbffffb80: 0x080483b9 0x00000002 0xbffffba4 0x080483d0 0xbffffb90: 0x08048430 0x4000c380 0xbffffb9c 0x00000000 (gdb) x/20x 0xbffffb54 0xbffffb54: 0xbffffba4 0xbffffbb0 0x080482c0 0x00000000 0xbffffb64: 0x4000bcd0 0x4014bdb4 0x40016ca0 0x00000002 0xbffffb74: 0x080482c0 0x00000000 0x080482e1 0x080483b9 0xbffffb84: 0x00000002 0xbffffba4 0x080483d0 0x08048430 0xbffffb94: 0x4000c380 0xbffffb9c 0x00000000 0x00000002 (gdb) x/20x 0xbffffba4 0xbffffba4: 0xbffffc86 0xbffffc98 0x00000000 0xbffffca1 0xbffffbb4: 0xbffffcb1 0xbffffcbc 0xbffffcc6 0xbffffefb 0xbffffbc4: 0xbfffff0a 0xbfffff15 0xbfffff21 0xbfffff5b 0xbffffbd4: 0xbfffff67 0xbfffff76 0xbfffff81 0xbfffff8a 0xbffffbe4: 0xbfffff92 0xbfffffa7 0xbfffffb7 0xbfffffd2 (gdb) x/ws 0xbffffc86 0xbffffc86: "/home/yerx/victim" (gdb) x/20ws 0xbffffc86 0xbffffc86: "/home/yerx/victim" 0xbffffc98: "AAAAAAAA" 0xbffffca1: "SHELL=/bin/bash" 0xbffffcb1: "TERM=xterm" 0xbffffcbc: "USER=yerx" 0xbffffcc6: "LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01"... 0xbffffd8e: ";31:*.gz=01;31:*.bz2=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.ti"... 0xbffffe56: "ff=01;35:*.png=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.avi=01;35:*.fli=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.ogg=01;35:*.mp3=01;35:*.wav=01;35:" 0xbffffefb: "SUDO_USER=root" 0xbfffff0a: "SUDO_UID=0" 0xbfffff15: "COLUMNS=121" 0xbfffff21: "PATH=/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games" 0xbfffff5b: "_=/bin/bash" 0xbfffff67: "PWD=/home/yerx" 0xbfffff76: "LANG=zh_CN" 0xbfffff81: "LINES=46" 0xbfffff8a: "SHLVL=2" 0xbfffff92: "SUDO_COMMAND=/bin/su" 0xbfffffa7: "HOME=/home/yerx" 0xbfffffb7: "LANGUAGE=zh_CN:zh:en_US:en" (gdb)