How to reach the main function in a stripped binary

Sisyphus · December 3, 2025

Misc

Finding the Entry Point address

pwndbg> info file
Symbols from "/home/ion/wargame/dreamhack/Base64_Encoder/deploy/chall".
Native process:
        Using the running image of child Thread 0x7ffff7fb1740 (LWP 3594).
        While running this, GDB does not access memory from...
Local exec file:
        `/home/ion/wargame/dreamhack/Base64_Encoder/deploy/chall', file type elf64-x86-64.
        Entry point: 0x555555555180
        0x0000555555554318 - 0x0000555555554334 is .interp
        0x0000555555554338 - 0x0000555555554368 is .note.gnu.property
        0x0000555555554368 - 0x000055555555438c is .note.gnu.build-id
        0x000055555555438c - 0x00005555555543ac is .note.ABI-tag
  • Find the entry point address with the info file command
  • Entry point: 0x555555555180

Finding the address of main

pwndbg> pdisas 0x555555555180 10
 ► 0x555555555180    endbr64
   0x555555555184    xor    ebp, ebp                    EBP => 0
   0x555555555186    mov    r9, rdx
   0x555555555189    pop    rsi
   0x55555555518a    mov    rdx, rsp
   0x55555555518d    and    rsp, 0xfffffffffffffff0
   0x555555555191    push   rax
   0x555555555192    push   rsp
   0x555555555193    xor    r8d, r8d                    R8D => 0
   0x555555555196    xor    ecx, ecx                    ECX => 0
   0x555555555198    lea    rdi, [rip + 0x351]          RDI => 0x5555555554f0 ◂— endbr64
   0x55555555519f    call   qword ptr [rip + 0x2e33]    <__libc_start_main>

   0x5555555551a5    hlt
   0x5555555551a6    nop    word ptr cs:[rax + rax]
   0x5555555551b0    lea    rdi, [rip + 0x2eb1]         RDI => 0x555555558068
   0x5555555551b7    lea    rax, [rip + 0x2eaa]         RAX => 0x555555558068
   0x5555555551be    cmp    rax, rdi
   0x5555555551c1    je     0x5555555551d8              <0x5555555551d8>

   0x5555555551c3    mov    rax, qword ptr [rip + 0x2e16]     RAX, [0x555555557fe0] => 0
   0x5555555551ca    test   rax, rax
   0x5555555551cd    je     0x5555555551d8              <0x5555555551d8>
  • The value loaded into rdi right above call qword ptr [rip + 0x2e33] <__libc_start_main> is the address of main (rdi is the first argument of __libc_start_main, which is main)
  • main: 0x5555555554f0
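The same lookup can be done without gdb by decoding the _start bytes directly. This is an added example, not code from the original post: it takes the _start bytes and entry point from the pdisas output above, decodes the rip-relative lea rdi that precedes the call to __libc_start_main, and resolves main. It also handles the non-PIE form (mov rdi, imm32) on a constructed byte sequence; the NONPIE_* values are assumptions, not from the post.

```python
import struct

# _start bytes and entry point taken from the post's pdisas output; the byte
# encodings are the standard ones gcc/glibc emit for those instructions.
PIE_ENTRY = 0x555555555180
PIE_START = bytes.fromhex(
    "f30f1efa"          # endbr64
    "31ed"              # xor    ebp, ebp
    "4989d1"            # mov    r9, rdx
    "5e"                # pop    rsi
    "4889e2"            # mov    rdx, rsp
    "4883e4f0"          # and    rsp, 0xfffffffffffffff0
    "50"                # push   rax
    "54"                # push   rsp
    "4531c0"            # xor    r8d, r8d
    "31c9"              # xor    ecx, ecx
    "488d3d51030000"    # lea    rdi, [rip + 0x351]          <- main
    "ff15332e0000"      # call   qword ptr [rip + 0x2e33]    <__libc_start_main>
    "f4"                # hlt
)

# Constructed non-PIE variant (not from the post): main is loaded with
# "mov rdi, imm32" instead of a rip-relative lea.
NONPIE_ENTRY = 0x401040
NONPIE_START = bytes.fromhex(
    "f30f1efa31ed4989d15e4889e24883e4f050544531c031c9"
    "48c7c736114000"    # mov    rdi, 0x401136               <- main
    "ff15562f0000"      # call   qword ptr [rip + 0x2f56]    <__libc_start_main>
    "f4"
)

def find_main_from_start(code: bytes, entry: int):
    """Return what _start puts in rdi right before calling __libc_start_main.
    Accepts a lea/mov into rdi only if a call (ff 15 or e8) follows it."""
    for off in range(len(code) - 8):
        opc = code[off:off + 3]
        if opc == b"\x48\x8d\x3d":          # lea rdi, [rip + disp32]  (PIE)
            disp = struct.unpack_from("<i", code, off + 3)[0]
            rdi = entry + off + 7 + disp    # rip = address of the next insn
        elif opc == b"\x48\xc7\xc7":        # mov rdi, simm32          (non-PIE)
            rdi = struct.unpack_from("<i", code, off + 3)[0] & 0xFFFFFFFFFFFFFFFF
        else:
            continue
        nxt = code[off + 7:off + 9]
        if nxt == b"\xff\x15" or nxt[:1] == b"\xe8":
            return rdi
    return None
```

Running find_main_from_start(PIE_START, PIE_ENTRY) reproduces the 0x5555555554f0 that the post reads off the pdisas output.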

pwndbg> nearpc 0x5555555554f0
 ► 0x5555555554f0    endbr64
   0x5555555554f4    push   rbp
   0x5555555554f5    mov    rbp, rsp
   0x5555555554f8    sub    rsp, 0xc0
   0x5555555554ff    movabs rax, 0x657962206f686365         RAX => 0x657962206f686365 ('echo bye')
   0x555555555509    mov    edx, 0                          EDX => 0
   0x55555555550e    mov    qword ptr [rbp - 0x30], rax
   0x555555555512    mov    qword ptr [rbp - 0x28], rdx
   0x555555555516    mov    qword ptr [rbp - 0x20], 0
   0x55555555551e    mov    qword ptr [rbp - 0x18], 0
   0x555555555526    mov    eax, 0                          EAX => 0
  • Inspecting the instructions around that address with the nearpc command shows the prologue of main

Entering main

pwndbg> b * 0x5555555554f0
Breakpoint 1 at 0x5555555554f0
  • Set a breakpoint at the address of main

pwndbg> c
Continuing.

Breakpoint 1, 0x00005555555554f0 in ?? ()
  • Entering the continue command brings execution into main

LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
─────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]─────────────────────────────────
*RAX  0x5555555554f0 ◂— endbr64
 RBX  0
*RCX  0x555555557d78 —▸ 0x555555555220 ◂— endbr64
*RDX  0x7fffffffded8 —▸ 0x7fffffffe1d6 ◂— 'HOSTTYPE=x86_64'
*RDI  1
*RSI  0x7fffffffdec8 —▸ 0x7fffffffe19e ◂— '/home/ion/wargame/dreamhack/Base64_Encoder/deploy/chall'
*R8   0x7ffff7e1bf10 (initial+16) ◂— 4
*R9   0x7ffff7fc9040 (_dl_fini) ◂— endbr64
*R10  0x7ffff7fc3908 ◂— 0xd00120000000e
*R11  0x7ffff7fde660 (_dl_audit_preinit) ◂— endbr64
*R12  0x7fffffffdec8 —▸ 0x7fffffffe19e ◂— '/home/ion/wargame/dreamhack/Base64_Encoder/deploy/chall'
*R13  0x5555555554f0 ◂— endbr64
*R14  0x555555557d78 —▸ 0x555555555220 ◂— endbr64
*R15  0x7ffff7ffd040 (_rtld_global) —▸ 0x7ffff7ffe2e0 —▸ 0x555555554000 ◂— 0x10102464c457f
*RBP  1
*RSP  0x7fffffffddb8 —▸ 0x7ffff7c29d90 (__libc_start_call_main+128) ◂— mov edi, eax
*RIP  0x5555555554f0 ◂— endbr64
──────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]──────────────────────────────────────────
 ► 0x5555555554f0    endbr64
   0x5555555554f4    push   rbp
   0x5555555554f5    mov    rbp, rsp                        RBP => 0x7fffffffddb0 ◂— 1
   0x5555555554f8    sub    rsp, 0xc0                       RSP => 0x7fffffffdcf0 (0x7fffffffddb0 - 0xc0)
   0x5555555554ff    movabs rax, 0x657962206f686365         RAX => 0x657962206f686365 ('echo bye')
   0x555555555509    mov    edx, 0                          EDX => 0
   0x55555555550e    mov    qword ptr [rbp - 0x30], rax     [0x7fffffffdd80] <= 0x657962206f686365 ('echo bye')
   0x555555555512    mov    qword ptr [rbp - 0x28], rdx     [0x7fffffffdd88] <= 0
   0x555555555516    mov    qword ptr [rbp - 0x20], 0       [0x7fffffffdd90] <= 0
   0x55555555551e    mov    qword ptr [rbp - 0x18], 0       [0x7fffffffdd98] <= 0
   0x555555555526    mov    eax, 0                          EAX => 0
───────────────────────────────────────────────────────[ STACK ]────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffddb8 —▸ 0x7ffff7c29d90 (__libc_start_call_main+128) ◂— mov edi, eax
01:0008│     0x7fffffffddc0 ◂— 0
02:0010│     0x7fffffffddc8 —▸ 0x5555555554f0 ◂— endbr64
03:0018│     0x7fffffffddd0 ◂— 0x1ffffdeb0
04:0020│     0x7fffffffddd8 —▸ 0x7fffffffdec8 —▸ 0x7fffffffe19e ◂— '/home/ion/wargame/dreamhack/Base64_Encoder/deploy/chall'
05:0028│     0x7fffffffdde0 ◂— 0
06:0030│     0x7fffffffdde8 ◂— 0x76e1713fc63e8bb3
07:0038│     0x7fffffffddf0 —▸ 0x7fffffffdec8 —▸ 0x7fffffffe19e ◂— '/home/ion/wargame/dreamhack/Base64_Encoder/deploy/chall'
─────────────────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────────────────
 ► 0   0x5555555554f0 None
   1   0x7ffff7c29d90 __libc_start_call_main+128
   2   0x7ffff7c29e40 __libc_start_main+128
   3   0x5555555551a5 None
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  • The prologue of main is visible in the context view
