Differences between the files the assembler produces
Method 1:
zj@zj-virtual-machine:~/c_study/hitcon2018/abyss/test_shellcode$ cat part1.s
BITS 64
; Open "flag"
push 0x67616c66
push 0x2
pop rax
mov rdi,rsp
xor rsi, rsi
syscall
; Read contents onto stack
mov r9,rax
xor rax,rax
mov rdi,r9
mov rsi,rsp
xor rdx,rdx
mov dl,0x40
syscall
; Write contents to stdout
xor rax,rax
inc al
xor rdi,rdi
inc rdi
mov rsi,rsp
xor rdx,rdx
mov dl,0x40
syscall
jmp $
zj@zj-virtual-machine:~/c_study/hitcon2018/abyss/test_shellcode$ nasm part1.s -o nasm_part1
zj@zj-virtual-machine:~/c_study/hitcon2018/abyss/test_shellcode$ hexdump nasm_part1
0000000 6668 616c 6a67 5802 8948 48e7 f631 050f ##0x68 ~ push
0000010 8949 48c1 c031 894c 48cf e689 3148 b2d2
0000020 0f40 4805 c031 c0fe 3148 48ff c7ff 8948
0000030 48e6 d231 40b2 050f feeb
000003a
Summary
nasm part1.s -o nasm_part1 produces a flat binary: there is no container of any kind, just the assembled bytes of the instructions written out one after another, so the file can be written straight into memory the program has reserved, e.g. with read(fd_part1, addr, size), for later use. (hexdump's default output groups the bytes into 16-bit little-endian words, which is why the first word reads 6668: the bytes on disk are 68 66, the push opcode followed by the 'f' of "flag".)
Method 2:
zj@zj-virtual-machine:~/c_study/hitcon2018/abyss/test_shellcode$ nasm -felf64 part1.s -o part1
zj@zj-virtual-machine:~/c_study/hitcon2018/abyss/test_shellcode$ readelf -h part1
ELF Header:
Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: REL (Relocatable file)
Machine: Advanced Micro Devices X86-64
Version: 0x1
Entry point address: 0x0
Start of program headers: 0 (bytes into file)
Start of section headers: 64 (bytes into file)
Flags: 0x0
Size of this header: 64 (bytes)
Size of program headers: 0 (bytes)
Number of program headers: 0
Size of section headers: 64 (bytes)
Number of section headers: 5
Section header string table index: 2
So to get the hex bytes of the code out of this file, it has to be processed with the shell one-liner below:
zj@zj-virtual-machine:~/c_study/hitcon2018/abyss/test_shellcode$ for i in $(objdump -d part1 -M intel |grep "^ " |cut -f2); do echo -n '\x'$i; done;echo
\x68\x66\x6c\x61\x67\x6a\x02\x58\x48\x89\xe7\x48\x31\xf6\x0f\x05\x49\x89\xc1\x48\x31\xc0\x4c\x89\xcf\x48\x89\xe6\x48\x31\xd2\xb2\x40\x0f\x05\x48\x31\xc0\xfe\xc0\x48\x31\xff\x48\xff\xc7\x48\x89\xe6\x48\x31\xd2\xb2\x40\x0f\x05\xeb\xfe
In other words, for assembled code that is wrapped in an ELF container, the core code bytes can be pulled out in the way shown above.
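The post extracts the code bytes with objdump. The script below is an added example (not the post's own code) that does the same job by walking the structures readelf -h reports: it parses the ELF64 file header, follows e_shoff to the section header table, resolves section names through the .shstrtab index, and returns the contents of .text, which is exactly what nasm -o writes as a flat binary. To run offline it assembles a minimal ELF64 REL object in memory (a constructed sample, not the post's part1, with headers placed after the section contents rather than at offset 64 as nasm does); the code bytes inside it are the first three instructions of the post's listing. Given a path on the command line it parses that file instead.

```python
"""Extract the machine-code bytes from an ELF64 relocatable object.

Added example, not from the original post. It reads the ELF64 file header
and section header table, locates .text, and renders the bytes in the same
\\x.. form the post's objdump pipeline prints. The object used for the demo
is a minimal ELF64 REL built in memory below (constructed sample).
"""
import struct

EHDR_FMT = "<16sHHIQQQIHHHHHH"   # ELF64 file header, little endian, 64 bytes
SHDR_FMT = "<IIQQQQIIQQ"         # ELF64 section header, 64 bytes
SHT_NOBITS = 8                   # section with a size but no bytes on disk (.bss)

# push 0x67616c66 ; push 2 ; pop rax  (first bytes of the post's part1 listing)
SAMPLE_CODE = bytes.fromhex("68666c61676a0258")


def build_sample_object(code=SAMPLE_CODE):
    """Build a minimal ELF64 REL file in memory: header, .text, .shstrtab, shdrs."""
    shstrtab = b"\0.text\0.shstrtab\0"
    text_off = struct.calcsize(EHDR_FMT)          # 64: .text right after the header
    strtab_off = text_off + len(code)
    shoff = strtab_off + len(shstrtab)
    shoff += (-shoff) % 8                          # keep the header table 8-byte aligned
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LSB, version 1
    ehdr = struct.pack(EHDR_FMT, ident, 1, 0x3E, 1, 0, 0, shoff, 0,
                       64, 0, 0, 64, 3, 2)         # REL, x86-64, 3 shdrs, shstrndx = 2
    shdrs = b"".join((
        struct.pack(SHDR_FMT, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0),                      # SHN_UNDEF
        struct.pack(SHDR_FMT, 1, 1, 6, 0, text_off, len(code), 0, 0, 16, 0),      # .text PROGBITS AX
        struct.pack(SHDR_FMT, 7, 3, 0, 0, strtab_off, len(shstrtab), 0, 0, 1, 0), # .shstrtab STRTAB
    ))
    body = ehdr + code + shstrtab
    return body + bytes(shoff - len(body)) + shdrs


def elf64_sections(blob):
    """Map section name -> raw bytes for a little-endian ELF64 file."""
    if blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if blob[4] != 2 or blob[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    hdr = struct.unpack_from(EHDR_FMT, blob, 0)
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    if shnum == 0 or shentsize != struct.calcsize(SHDR_FMT):
        raise ValueError("no usable section header table")

    def shdr(i):
        keys = ("name", "type", "flags", "addr", "offset", "size",
                "link", "info", "addralign", "entsize")
        return dict(zip(keys, struct.unpack_from(SHDR_FMT, blob, shoff + i * shentsize)))

    st = shdr(shstrndx)                            # the section that holds section names
    strtab = blob[st["offset"]:st["offset"] + st["size"]]
    sections = {}
    for i in range(shnum):
        s = shdr(i)
        name = strtab[s["name"]:strtab.index(b"\0", s["name"])].decode()
        if s["type"] == SHT_NOBITS:
            data = b""                             # nothing on disk to copy out
        else:
            data = blob[s["offset"]:s["offset"] + s["size"]]
            if len(data) != s["size"]:             # refuse truncated or lying headers
                raise ValueError(f"section {name!r} runs past end of file")
        sections[name] = data
    return sections


def text_bytes(blob):
    """The .text contents: the same bytes nasm -o writes as a flat binary."""
    return elf64_sections(blob)[".text"]


def to_escaped(data):
    """Render bytes as the \\xNN string the post's objdump pipeline prints."""
    return "".join(f"\\x{b:02x}" for b in data)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:       # e.g. the post's part1 object
            blob = f.read()
    else:
        blob = build_sample_object()
    code = text_bytes(blob)
    print("sections:", [n for n in elf64_sections(blob) if n])
    print(".text   :", to_escaped(code))
    print("matches raw nasm -o bytes:", code == SAMPLE_CODE)
```

The NOBITS check matters on real objects: a .bss section reports a size but occupies no file bytes, so slicing by offset and size would return unrelated data from whatever follows. The length check on the slice catches a header whose offset or size points past the end of the file, which is the usual failure mode when an object is truncated in transfer.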