elf binary # readelf -a foo.out elf header: magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00...


Page 1
Page 2

ELF binary
# readelf -a foo.out
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Intel 80386
  Version:                           0x1
  Entry point address:               0x8048720
  Start of program headers:          52 (bytes into file)
  Start of section headers:          3744 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         8
  Size of section headers:           40 (bytes)
  Number of section headers:         32
  Section header string table index: 29

Dynamic section at offset 0xbfc contains 28 entries:
  Tag        Type                         Name/Value
 0x00000001 (NEEDED)                     Shared library: [libstdc++.so.6]
 0x00000001 (NEEDED)                     Shared library: [libm.so.6]
 0x00000001 (NEEDED)                     Shared library: [libgcc_s.so.1]
 0x00000001 (NEEDED)                     Shared library: [libc.so.6]

Symbol table '.dynsym' contains 18 entries:
   Num:    Value  Size Type    Bind   Vis      Ndx Name
     0: 00000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 00000000     0 FUNC    GLOBAL DEFAULT  UND open@GLIBC_2.0 (2)
     2: 00000000     0 FUNC    GLOBAL DEFAULT  UND __cxa_atexit@GLIBC_2.1.3 (3)
     3: 00000000     0 NOTYPE  WEAK   DEFAULT  UND __gmon_start__
     4: 00000000     0 NOTYPE  WEAK   DEFAULT  UND _Jv_RegisterClasses

Page 3


# Make gdb default to Intel-syntax disassembly in every session.
# Note: '>' replaces any existing ~/.gdbinit rather than appending to it.
printf '%s\n' 'set disassembly-flavor intel' > ~/.gdbinit

(gdb) disassemble /rm main
Dump of assembler code for function main(int, char**):
2       int main(int argc, char *argv[]) {
   0x080483e4 <+0>:     55                   push   ebp
   0x080483e5 <+1>:     89 e5                mov    ebp,esp
   0x080483e7 <+3>:     83 e4 f0             and    esp,0xfffffff0
   0x080483ea <+6>:     83 ec 10             sub    esp,0x10

3         printf(argv[1]);
   0x080483ed <+9>:     8b 45 0c             mov    eax,DWORD PTR [ebp+0xc]
   0x080483f0 <+12>:    83 c0 04             add    eax,0x4
   0x080483f3 <+15>:    8b 00                mov    eax,DWORD PTR [eax]
   0x080483f5 <+17>:    89 04 24             mov    DWORD PTR [esp],eax
   0x080483f8 <+20>:    e8 03 ff ff ff       call   0x8048300 <printf@plt>
   0x080483fd <+25>:    b8 00 00 00 00       mov    eax,0x0

4       }
   0x08048402 <+30>:    c9                   leave
   0x08048403 <+31>:    c3                   ret

End of assembler dump.

Page 4

Hello World! - assembly; from Hacking: The Art of Exploitation by Jon Erickson
BITS 32

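; Hello World (Linux i386, NASM flat binary). Adapted from "Hacking: The Art
; of Exploitation" by Jon Erickson.
; The call pushes the address of the byte that follows it -- the string --
; so popping that "return address" yields a pointer to the string without
; any absolute address (no relocations needed).
; Clobbers: eax, ebx, ecx, edx.  Never returns: exits via the exit syscall.

SYS_EXIT   equ 1                    ; Linux i386 syscall numbers
SYS_WRITE  equ 4
STDOUT     equ 1

        call    mark_below          ; push &msg, jump over the data
msg:    db      "Hello, world!", 0x0a, 0x0d   ; add newline/cr to end
MSG_LEN equ     $ - msg             ; length computed (15), not hard-coded

mark_below:
        pop     ecx                 ; ecx = return address = pointer to msg
        mov     eax, SYS_WRITE
        mov     ebx, STDOUT
        mov     edx, MSG_LEN
        int     0x80                ; write(STDOUT, msg, MSG_LEN)

        ;; exit properly
        mov     eax, SYS_EXIT
        xor     ebx, ebx            ; status result = 0
        int     0x80                ; exit(0)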

Page 5

; from Hacking: The Art of Exploitation by Jon Erickson
BITS 32

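; Hello World (Linux i386, NASM flat binary). Adapted from "Hacking: The Art
; of Exploitation" by Jon Erickson.
; The call pushes the address of the byte that follows it -- the string --
; so popping that "return address" yields a pointer to the string without
; any absolute address (no relocations needed).
; Clobbers: eax, ebx, ecx, edx.  Never returns: exits via the exit syscall.

SYS_EXIT   equ 1                    ; Linux i386 syscall numbers
SYS_WRITE  equ 4
STDOUT     equ 1

        call    mark_below          ; push &msg, jump over the data
msg:    db      "Hello, world!", 0x0a, 0x0d   ; add newline/cr to end
MSG_LEN equ     $ - msg             ; length computed (15), not hard-coded

mark_below:
        pop     ecx                 ; ecx = return address = pointer to msg
        mov     eax, SYS_WRITE
        mov     ebx, STDOUT
        mov     edx, MSG_LEN
        int     0x80                ; write(STDOUT, msg, MSG_LEN)

        ;; exit properly
        mov     eax, SYS_EXIT
        xor     ebx, ebx            ; status result = 0
        int     0x80                ; exit(0)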

$ ndisasm -b 32 hello
00000000  E80F000000        call dword 0x14
00000005  48                dec eax
00000006  656C              gs insb
00000008  6C                insb
00000009  6F                outsd
0000000A  2C20              sub al,0x20
0000000C  776F              ja 0x7d
0000000E  726C              jc 0x7c
00000010  64210A            and [fs:edx],ecx
00000013  0D59B80400        or eax,0x4b859
00000018  0000              add [eax],al
0000001A  BB01000000        mov ebx,0x1
0000001F  BA0F000000        mov edx,0xf
00000024  CD80              int 0x80
00000026  B801000000        mov eax,0x1
0000002B  BB00000000        mov ebx,0x0
00000030  CD80              int 0x80

Hello World! - assembly

Page 6

Reversing

Page 7

(gdb) disassemble /m main
Dump of assembler code for function main():
4       int main() {
   0x0804848c <+0>:     push   ebp
   0x0804848d <+1>:     mov    ebp,esp
   0x0804848f <+3>:     sub    esp,0x10

5         int count;
6
7         y=y+3;
   0x08048492 <+6>:     mov    eax,ds:0x8049744
   0x08048497 <+11>:    add    eax,0x3
   0x0804849a <+14>:    mov    ds:0x8049744,eax

8         x=x+y;
   0x0804849f <+19>:    mov    edx,DWORD PTR ds:0x8049740
   0x080484a5 <+25>:    mov    eax,ds:0x8049744
   0x080484aa <+30>:    add    eax,edx
   0x080484ac <+32>:    mov    ds:0x8049740,eax

9         if (x<y)
   0x080484b1 <+37>:    mov    edx,DWORD PTR ds:0x8049740
   0x080484b7 <+43>:    mov    eax,ds:0x8049744
   0x080484bc <+48>:    cmp    edx,eax
   0x080484be <+50>:    jge    0x80484ca <main()+62>

10          x=1;
   0x080484c0 <+52>:    mov    DWORD PTR ds:0x8049740,0x1

Frame Setup

if comparison

continue if not <

arithmetic

Page 8

11
12        for (count=1; count<10; count++)
   0x080484ca <+62>:    mov    DWORD PTR [ebp-0x4],0x1
   0x080484d1 <+69>:    jmp    0x80484e4 <main()+88>
   0x080484e0 <+84>:    add    DWORD PTR [ebp-0x4],0x1
   0x080484e4 <+88>:    cmp    DWORD PTR [ebp-0x4],0x9
   0x080484e8 <+92>:    setle  al
   0x080484eb <+95>:    test   al,al
   0x080484ed <+97>:    jne    0x80484d3 <main()+71>

13          x++;
   0x080484d3 <+71>:    mov    eax,ds:0x8049740
   0x080484d8 <+76>:    add    eax,0x1
   0x080484db <+79>:    mov    ds:0x8049740,eax

14      }
   0x080484ef <+99>:    mov    eax,0x0
   0x080484f4 <+104>:   leave

global variable - memory

local variable - stack

loops

// count=1

// count++

// compare count to 9

// al=1 if count<=9

// al & al (set flags)