汇编入门一 杂记之 不同编译选项下生成的文件区别

汇编编译生成文件的区别

Method 1:

zj@zj-virtual-machine:~/c_study/hitcon2018/abyss/test_shellcode$ cat part1.s
BITS 64

; Open "flag"
push   0x67616c66
push   0x2
pop    rax
mov    rdi,rsp
xor    rsi, rsi
syscall

; Read contents onto stack
mov    r9,rax
xor    rax,rax
mov    rdi,r9
mov    rsi,rsp
xor    rdx,rdx
mov    dl,0x40
syscall

; Write contents to stdout
xor    rax,rax
inc    al
xor    rdi,rdi
inc    rdi
mov    rsi,rsp
xor    rdx,rdx
mov    dl,0x40
syscall

jmp $

zj@zj-virtual-machine:~/c_study/hitcon2018/abyss/test_shellcode$ nasm part1.s -o nasm_part1

zj@zj-virtual-machine:~/c_study/hitcon2018/abyss/test_shellcode$ hexdump nasm_part1 
0000000 6668 616c 6a67 5802 8948 48e7 f631 050f   ##0x68 ~ push
0000010 8949 48c1 c031 894c 48cf e689 3148 b2d2
0000020 0f40 4805 c031 c0fe 3148 48ff c7ff 8948
0000030 48e6 d231 40b2 050f feeb               
000003a

小结

nasm part1.s -o nasm_part1 这种方式生产的二进制文件是裸二进制文件，没有任何封装，是对汇编代码的直接翻译成对应的16进制文件，适合通过 read(fd_part1, addr , size) 的方式直接写到程序中指定的内存，供后续使用。

Method 2:

zj@zj-virtual-machine:~/c_study/hitcon2018/abyss/test_shellcode$ nasm –felf64 part1.s -o part1
zj@zj-virtual-machine:~/c_study/hitcon2018/abyss/test_shellcode$ readelf -h part1
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              REL (Relocatable file)
  Machine:                           Advanced Micro Devices X86-64
  Version:                           0x1
  Entry point address:               0x0
  Start of program headers:          0 (bytes into file)
  Start of section headers:          64 (bytes into file)
  Flags:                             0x0
  Size of this header:               64 (bytes)
  Size of program headers:           0 (bytes)
  Number of program headers:         0
  Size of section headers:           64 (bytes)
  Number of section headers:         5
  Section header string table index: 2

所以如果要提取代码的16进制码，需要用下面的shell 脚本 处理一下

zj@zj-virtual-machine:~/c_study/hitcon2018/abyss/test_shellcode$ for i in $(objdump -d part1 -M intel |grep "^ " |cut -f2); do echo -n '\x'$i; done;echo
\x68\x66\x6c\x61\x67\x6a\x02\x58\x48\x89\xe7\x48\x31\xf6\x0f\x05\x49\x89\xc1\x48\x31\xc0\x4c\x89\xcf\x48\x89\xe6\x48\x31\xd2\xb2\x40\x0f\x05\x48\x31\xc0\xfe\xc0\x48\x31\xff\x48\xff\xc7\x48\x89\xe6\x48\x31\xd2\xb2\x40\x0f\x05\xeb\xfe

也就说对于有 elf 头封装的汇编代码 ， 可以上面的方式提取出核心的代码的16进制码 。