Assembly Primer 2: Notes on Simple Modifications to Assembly Code

Simple modifications to the assembly code

Diy 1:

zj@zj-virtual-machine:~/c_study/hitcon2018/abyss/test_shellcode$ cat  part1_diy1.s 
BITS 64

; Open "flag"
push   0x67616c66
push   0x2
pop    rax
mov    rdi,rsp
xor    rsi, rsi
syscall

; Read contents onto stack

mov    rdi, rax
xor    rax,rax
mov    rsi,rsp
xor    rdx,rdx
mov    rdx,0x40
syscall

; Write contents to stdout
xor    rax,rax
inc    al
xor    rdi,rdi
inc    rdi
mov    rsi,rsp
xor    rdx,rdx
mov    dl,0x40
syscall

jmp $
zj@zj-virtual-machine:~/c_study/hitcon2018/abyss/test_shellcode$ nasm -felf64 -o part1_diy1.o part1_diy1.s 
zj@zj-virtual-machine:~/c_study/hitcon2018/abyss/test_shellcode$ ld part1_diy1.o -o part1_diy1.elf
ld: warning: cannot find entry symbol _start; defaulting to 0000000000400080
zj@zj-virtual-machine:~/c_study/hitcon2018/abyss/test_shellcode$ ./part1_diy1.elf 
this_is_a_test

Diy 2:

zj@zj-virtual-machine:~/c_study/hitcon2018/abyss/test_shellcode$ cat  part1_diy2.s 
BITS 64

; Open "flag"
push   0x67616c66
push   0x2
pop    rax
mov    rdi,rsp
xor    rsi, rsi
syscall

; Read contents onto stack

mov    rdi, rax
xor    rax,rax
mov    rsi,rsp
xor    rdx,rdx
mov    rdx,0x40
syscall

; Write contents to stdout
xor    rax,rax
inc    rax
mov    rdi, 1
mov    rsi,rsp
xor    rdx,rdx
mov    dl,0x40
syscall

jmp $
zj@zj-virtual-machine:~/c_study/hitcon2018/abyss/test_shellcode$ nasm -felf64 -o part1_diy2.o part1_diy2.s 
zj@zj-virtual-machine:~/c_study/hitcon2018/abyss/test_shellcode$ ld part1_diy2.o -o part1_diy2.elf
ld: warning: cannot find entry symbol _start; defaulting to 0000000000400080
zj@zj-virtual-machine:~/c_study/hitcon2018/abyss/test_shellcode$ ./part1_diy2.elf
this_is_a_test

n<���n<���n<���n<� �n<�

Compare the hex dumps of the different versions

zj@zj-virtual-machine:~/c_study/hitcon2018/abyss/test_shellcode$ hexdump nasm_part1 
0000000 6668 616c 6a67 5802 8948 48e7 f631 050f
0000010 8949 48c1 c031 894c 48cf e689 3148 b2d2
0000020 0f40 4805 c031 c0fe 3148 48ff c7ff 8948
0000030 48e6 d231 40b2 050f feeb               
000003a
zj@zj-virtual-machine:~/c_study/hitcon2018/abyss/test_shellcode$ for i in $(objdump -d part1_diy2.elf -M intel |grep "^ " |cut -f2); do echo -n '\x'$i; done;echo
\x68\x66\x6c\x61\x67\x6a\x02\x58\x48\x89\xe7\x48\x31\xf6\x0f\x05\x48\x89\xc7\x48\x31\xc0\x48\x89\xe6\x48\x31\xd2\xba\x40\x00\x00\x00\x0f\x05\x48\x31\xc0\x48\xff\xc0\xbf\x01\x00\x00\x00\x48\x89\xe6\x48\x31\xd2\xb2\x40\x0f\x05\xeb\xfe

These 4-byte immediates (the values would fit in a single byte, yet 4 bytes are used, which naturally adds a lot of \x00 bytes) can cause the shellcode to be truncated when many functions read it in.
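To locate exactly which instructions introduce the \x00 bytes, the objdump output can be parsed instead of eyeballed. The following is an added example (not code from the original post); it parses objdump -d lines into instructions, flags those whose encoding contains 0x00, and rebuilds the same \x..-escaped string that the for loop above produces. The sample objdump text is constructed from the bytes of part1_diy2.elf shown above; the addresses assume the default 0x400080 base reported by ld.

```python
import re

# Constructed sample of `objdump -d part1_diy2.elf -M intel` output.
# The bytes are the ones dumped above; the addresses are assumed
# (ld's default entry 0x400080 plus each instruction's offset).
OBJDUMP_SAMPLE = """\
0000000000400080 <.text>:
  400080:\t68 66 6c 61 67       \tpush   0x67616c66
  400085:\t6a 02                \tpush   0x2
  400087:\t58                   \tpop    rax
  400088:\t48 89 e7             \tmov    rdi,rsp
  40008b:\t48 31 f6             \txor    rsi,rsi
  40008e:\t0f 05                \tsyscall 
  400090:\t48 89 c7             \tmov    rdi,rax
  400093:\t48 31 c0             \txor    rax,rax
  400096:\t48 89 e6             \tmov    rsi,rsp
  400099:\t48 31 d2             \txor    rdx,rdx
  40009c:\tba 40 00 00 00       \tmov    edx,0x40
  4000a1:\t0f 05                \tsyscall 
  4000a3:\t48 31 c0             \txor    rax,rax
  4000a6:\t48 ff c0             \tinc    rax
  4000a9:\tbf 01 00 00 00       \tmov    edi,0x1
  4000ae:\t48 89 e6             \tmov    rsi,rsp
  4000b1:\t48 31 d2             \txor    rdx,rdx
  4000b4:\tb2 40                \tmov    dl,0x40
  4000b6:\t0f 05                \tsyscall 
  4000b8:\teb fe                \tjmp    0x4000b8
"""

# address:<tab>hex bytes<spaces>[<tab>mnemonic]; a line with no mnemonic
# is a continuation line carrying the remaining bytes of a long instruction.
_LINE = re.compile(r"^\s*([0-9a-f]+):\t((?:[0-9a-f]{2} )*[0-9a-f]{2}) *(?:\t(.*))?$")


def parse_objdump(text):
    """Return a list of (address, encoding bytes, normalised mnemonic)."""
    insns = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # section headers, blank lines, symbol labels
        addr = int(m.group(1), 16)
        code = bytes.fromhex(m.group(2).replace(" ", ""))
        mnem = " ".join((m.group(3) or "").split())
        if not mnem and insns:
            # continuation line: append bytes to the previous instruction
            a, b, mn = insns[-1]
            insns[-1] = (a, b + code, mn)
        else:
            insns.append((addr, code, mnem))
    return insns


def shellcode_bytes(insns):
    """Concatenate the encodings, like the `cut -f2` loop in the post."""
    return b"".join(code for _, code, _ in insns)


def as_escaped(data):
    """Render bytes as a \\x.. string, matching the post's echo output."""
    return "".join(f"\\x{b:02x}" for b in data)


def find_null_bytes(insns):
    """Every instruction whose encoding contains at least one 0x00 byte."""
    return [(addr, code.hex(" "), mnem) for addr, code, mnem in insns if 0 in code]


if __name__ == "__main__":
    insns = parse_objdump(OBJDUMP_SAMPLE)
    sc = shellcode_bytes(insns)
    print(f"{len(sc)} bytes, {sc.count(0)} of them 0x00")
    for addr, hexbytes, mnem in find_null_bytes(insns):
        print(f"  {addr:#x}: {hexbytes:<16} {mnem}")
    print(as_escaped(sc))
```

Run against the real binary with objdump -d part1_diy2.elf -M intel | python3 this_script.py (after replacing the sample with sys.stdin.read()), the report points straight at the mov edx,0x40 and mov edi,0x1 encodings, which is why the diy1 version uses inc al and xor rdi,rdi / inc rdi instead.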

Note that the default hexdump format groups the bytes into little-endian 16-bit words (each pair appears swapped), while hexdump -C prints the bytes in file order:

zhangji16@zhangji16vm:~/c_study/kvm_study$ hexdump Bin.bin 
0000000 f8ba 0003 04d8 ee30 0ab0 f4ee          
000000c
zhangji16@zhangji16vm:~/c_study/kvm_study$ hexdump -C Bin.bin 
00000000  ba f8 03 00 d8 04 30 ee  b0 0a ee f4              |......0.....|
0000000c
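The two dumps above describe the same 12 bytes in two layouts, and it is easy to misread the default (word) format when transcribing shellcode by hand. The following added example (not code from the original post) parses both hexdump formats back into bytes so the two can be compared mechanically; it also handles the trailing offset line (which fixes the real length when the file has an odd number of bytes) and the "*" marker hexdump prints for repeated rows. The sample text is the Bin.bin output shown above.

```python
import re

# Sample input, copied from the two hexdump invocations above.
HEXDUMP_DEFAULT = """\
0000000 f8ba 0003 04d8 ee30 0ab0 f4ee          
000000c
"""
HEXDUMP_C = """\
00000000  ba f8 03 00 d8 04 30 ee  b0 0a ee f4              |......0.....|
0000000c
"""


def parse_hexdump_words(text):
    """Decode default `hexdump` output: offset, then little-endian 16-bit words.

    A final line that carries only an offset gives the true file length; it is
    used to drop the padding byte hexdump shows for an odd-length file.
    """
    out, last_row, total = bytearray(), b"", None
    for line in text.splitlines():
        if line.strip() == "*":
            continue  # repeated rows are filled in when the next offset arrives
        m = re.match(r"^([0-9a-f]+)((?:\s+[0-9a-f]{4})*)\s*$", line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        while last_row and len(out) < offset:
            out += last_row  # expand a preceding '*' run
        words = m.group(2).split()
        if not words:
            total = offset  # trailing offset-only line
            continue
        row = b"".join(int(w, 16).to_bytes(2, "little") for w in words)
        out += row
        last_row = row
    return bytes(out[:total]) if total is not None else bytes(out)


def parse_hexdump_canonical(text):
    """Decode `hexdump -C` output: offset, bytes in file order, |ascii| column."""
    out, last_row = bytearray(), b""
    for line in text.splitlines():
        if line.strip() == "*":
            continue
        m = re.match(r"^([0-9a-f]{8})(?:\s+((?:[0-9a-f]{2}\s+)+)\|.*\|)?\s*$", line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        while last_row and len(out) < offset:
            out += last_row
        if m.group(2):
            row = bytes.fromhex("".join(m.group(2).split()))
            out += row
            last_row = row
    return bytes(out)


if __name__ == "__main__":
    a = parse_hexdump_words(HEXDUMP_DEFAULT)
    b = parse_hexdump_canonical(HEXDUMP_C)
    print(a.hex(" "))
    print("same bytes:", a == b)
```

For shellcode work, the -C form is the one to copy from; if only the default form is available, decoding it through a routine like parse_hexdump_words avoids the swapped-byte mistake.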


Reposted from blog.csdn.net/m0_37329910/article/details/85092696