这个问题看起来很基本,但我花了 5 个多小时试图弄清楚。我用 C++ 编写了一个程序,它定义了一些变量并做一些其他的事情。我想在 Radare2 中做的是能够找到存储这些变量之一的内存地址,然后更改它。我认为需要的步骤是:
- 在变量声明处或之后设置断点。
- 查找具有我正在搜索的值的内存地址。在这种情况下 10。
- 更改存储在该地址中的值。
我遇到的最大问题只是不知道该看什么才能识别出存放值 10 的那个地址。如果我对 main 函数执行 pdf,会列出很多 local_xxx,我认为这些就是我应该查看的内容:
更新:完整反汇编
main (int arg_4h);
| ; var int local_9ch @ ebp-0x9c
| ; var int local_8ch @ ebp-0x8c
| ; var int local_88h @ ebp-0x88
| ; var int local_84h @ ebp-0x84
| ; var int local_80h @ ebp-0x80
| ; var int local_7ch @ ebp-0x7c
| ; var int local_64h @ ebp-0x64
| ; var int local_4ch @ ebp-0x4c
| ; var int local_34h @ ebp-0x34
| ; var int local_1ch @ ebp-0x1c
| ; var int local_10h @ ebp-0x10
| ; arg int arg_4h @ esp+0x4
| 0x565f1a18 8d4c2404 lea ecx, [arg_4h] ; 4
| 0x565f1a1c 83e4f0 and esp, 0xfffffff0
| 0x565f1a1f ff71fc push dword [ecx - 4]
| 0x565f1a22 55 push ebp
| 0x565f1a23 89e5 mov ebp, esp
| 0x565f1a25 57 push edi
| 0x565f1a26 56 push esi
| 0x565f1a27 53 push ebx
| 0x565f1a28 51 push ecx
| 0x565f1a29 81ec98000000 sub esp, 0x98
| 0x565f1a2f e8740a0000 call sym.__x86.get_pc_thunk.si
| 0x565f1a34 81c608250000 add esi, 0x2508
| 0x565f1a3a 89c8 mov eax, ecx
| 0x565f1a3c 8b4004 mov eax, dword [eax + 4] ; [0x4:4]=-1 ; 4
| 0x565f1a3f 898564ffffff mov dword [local_9ch], eax
| 0x565f1a45 65a114000000 mov eax, dword gs:[0x14] ; [0x14:4]=-1 ; 20
| 0x565f1a4b 8945e4 mov dword [local_1ch], eax
| 0x565f1a4e 31c0 xor eax, eax
| 0x565f1a50 83ec0c sub esp, 0xc
| 0x565f1a53 8d8578ffffff lea eax, [local_88h]
| 0x565f1a59 50 push eax
| 0x565f1a5a 89f3 mov ebx, esi
| 0x565f1a5c e84ff9ffff call sym.std::allocator_char_::allocator
| 0x565f1a61 83c410 add esp, 0x10
| 0x565f1a64 83ec04 sub esp, 4
| 0x565f1a67 8d8578ffffff lea eax, [local_88h]
| 0x565f1a6d 50 push eax
| 0x565f1a6e 8d8696e7ffff lea eax, [esi - 0x186a]
| 0x565f1a74 50 push eax
| 0x565f1a75 8d4584 lea eax, [local_7ch]
| 0x565f1a78 50 push eax
| 0x565f1a79 89f3 mov ebx, esi
| 0x565f1a7b e8c0f8ffff call sym.std::__cxx11::basic_string_char_std::char_traits_char__std::allocator_char__::basic_string_charconst__std::allocator_char_const
| 0x565f1a80 83c410 add esp, 0x10
| 0x565f1a83 83ec0c sub esp, 0xc
| 0x565f1a86 8d8578ffffff lea eax, [local_88h]
| 0x565f1a8c 50 push eax
| 0x565f1a8d 89f3 mov ebx, esi
| 0x565f1a8f e85cf8ffff call sym.std::allocator_char_::_allocator
| 0x565f1a94 83c410 add esp, 0x10
| 0x565f1a97 83ec0c sub esp, 0xc
| 0x565f1a9a 8d8578ffffff lea eax, [local_88h]
| 0x565f1aa0 50 push eax
| 0x565f1aa1 89f3 mov ebx, esi
| 0x565f1aa3 e808f9ffff call sym.std::allocator_char_::allocator
| 0x565f1aa8 83c410 add esp, 0x10
| 0x565f1aab 83ec04 sub esp, 4
| 0x565f1aae 8d8578ffffff lea eax, [local_88h]
| 0x565f1ab4 50 push eax
| 0x565f1ab5 8d869be7ffff lea eax, [esi - 0x1865]
| 0x565f1abb 50 push eax
| 0x565f1abc 8d459c lea eax, [local_64h]
| 0x565f1abf 50 push eax
| 0x565f1ac0 89f3 mov ebx, esi
| 0x565f1ac2 e879f8ffff call sym.std::__cxx11::basic_string_char_std::char_traits_char__std::allocator_char__::basic_string_charconst__std::allocator_char_const
| 0x565f1ac7 83c410 add esp, 0x10
| 0x565f1aca 83ec0c sub esp, 0xc
| 0x565f1acd 8d8578ffffff lea eax, [local_88h]
| 0x565f1ad3 50 push eax
| 0x565f1ad4 89f3 mov ebx, esi
| 0x565f1ad6 e815f8ffff call sym.std::allocator_char_::_allocator
| 0x565f1adb 83c410 add esp, 0x10
| 0x565f1ade c7857cffffff. mov dword [local_84h], 0x64 ; 'd' ; 100
| 0x565f1ae8 c74580050000. mov dword [local_80h], 5
| 0x565f1aef c78574ffffff. mov dword [local_8ch], 0xa
| 0x565f1af9 c78578ffffff. mov dword [local_88h], 0xa
| 0x565f1b03 83ec08 sub esp, 8
| 0x565f1b06 8d869ce7ffff lea eax, [esi - 0x1864]
| 0x565f1b0c 50 push eax
| 0x565f1b0d 8b86ac000000 mov eax, dword [esi + 0xac] ; [0xac:4]=-1 ; 172
| 0x565f1b13 50 push eax
| 0x565f1b14 89f3 mov ebx, esi
| 0x565f1b16 e8a5f7ffff call sym.std::basic_ostream_char_std::char_traits_char___std::operator___std::char_traits_char___std::basic_ostream_char_std::char_traits_char____charconst
| 0x565f1b1b 83c410 add esp, 0x10
| 0x565f1b1e 83ec08 sub esp, 8
| 0x565f1b21 8d4584 lea eax, [local_7ch]
| 0x565f1b24 50 push eax
| 0x565f1b25 8b86b4000000 mov eax, dword [esi + 0xb4] ; [0xb4:4]=-1 ; 180
| 0x565f1b2b 50 push eax
| 0x565f1b2c 89f3 mov ebx, esi
| 0x565f1b2e e8fdf7ffff call sym.std::basic_istream_char_std::char_traits_char___std::operator___char_std::char_traits_char__std::allocator_char___std::basic_istream_char_std::char_traits_char____std::__cxx11::basic_string_char_std::char_traits_char__std::allocator_char
| 0x565f1b33 83c410 add esp, 0x10
| 0x565f1b36 8d45b4 lea eax, [local_4ch]
| 0x565f1b39 83ec04 sub esp, 4
| 0x565f1b3c 8d5584 lea edx, [local_7ch]
| 0x565f1b3f 52 push edx
| 0x565f1b40 8d96b9e7ffff lea edx, [esi - 0x1847]
| 0x565f1b46 52 push edx
| 0x565f1b47 50 push eax
| 0x565f1b48 e81c050000 call sym.std::__cxx11::basic_string_char_std::char_traits_char__std::allocator_char__std::operator__char_std::char_traits_char__std::allocator_char___charconst__std::__cxx11::basic_string_char_std::char_traits_char__std::allocator_char__const
| 0x565f1b4d 83c40c add esp, 0xc
| 0x565f1b50 8d45cc lea eax, [local_34h]
| 0x565f1b53 83ec04 sub esp, 4
| 0x565f1b56 8d96c4e7ffff lea edx, [esi - 0x183c]
| 0x565f1b5c 52 push edx
| 0x565f1b5d 8d55b4 lea edx, [local_4ch]
| 0x565f1b60 52 push edx
| 0x565f1b61 50 push eax
| 0x565f1b62 e8ba040000 call sym.std::__cxx11::basic_string_char_std::char_traits_char__std::allocator_char__std::operator__char_std::char_traits_char__std::allocator_char___std::__cxx11::basic_string_char_std::char_traits_char__std::allocator_char_____charconst
| 0x565f1b67 83c40c add esp, 0xc
| 0x565f1b6a 83ec08 sub esp, 8
| 0x565f1b6d 8d45cc lea eax, [local_34h]
| 0x565f1b70 50 push eax
| 0x565f1b71 8b86ac000000 mov eax, dword [esi + 0xac] ; [0xac:4]=-1 ; 172
| 0x565f1b77 50 push eax
| 0x565f1b78 89f3 mov ebx, esi
| 0x565f1b7a e821f7ffff call sym.std::basic_ostream_char_std::char_traits_char___std::operator___char_std::char_traits_char__std::allocator_char___std::basic_ostream_char_std::char_traits_char____std::__cxx11::basic_string_char_std::char_traits_char__std::allocator_char__const
| 0x565f1b7f 83c410 add esp, 0x10
| 0x565f1b82 83ec0c sub esp, 0xc
| 0x565f1b85 8d45cc lea eax, [local_34h]
| 0x565f1b88 50 push eax
| 0x565f1b89 89f3 mov ebx, esi
| 0x565f1b8b e880f6ffff call sym.std::__cxx11::basic_string_char_std::char_traits_char__std::allocator_char__::_basic_string
| 0x565f1b90 83c410 add esp, 0x10
| 0x565f1b93 83ec0c sub esp, 0xc
| 0x565f1b96 8d45b4 lea eax, [local_4ch]
| 0x565f1b99 50 push eax
| 0x565f1b9a 89f3 mov ebx, esi
| 0x565f1b9c e86ff6ffff call sym.std::__cxx11::basic_string_char_std::char_traits_char__std::allocator_char__::_basic_string
| 0x565f1ba1 83c410 add esp, 0x10
| 0x565f1ba4 83ec08 sub esp, 8
| 0x565f1ba7 8d459c lea eax, [local_64h]
| 0x565f1baa 50 push eax
| 0x565f1bab 8b86b4000000 mov eax, dword [esi + 0xb4] ; [0xb4:4]=-1 ; 180
| 0x565f1bb1 50 push eax
| 0x565f1bb2 89f3 mov ebx, esi
| 0x565f1bb4 e877f7ffff call sym.std::basic_istream_char_std::char_traits_char___std::operator___char_std::char_traits_char__std::allocator_char___std::basic_istream_char_std::char_traits_char____std::__cxx11::basic_string_char_std::char_traits_char__std::allocator_char
| 0x565f1bb9 83c410 add esp, 0x10
| 0x565f1bbc 83ec08 sub esp, 8
| 0x565f1bbf 8d862ee8ffff lea eax, [esi - 0x17d2]
| 0x565f1bc5 50 push eax
| 0x565f1bc6 8d459c lea eax, [local_64h]
| 0x565f1bc9 50 push eax
| 0x565f1bca e87d050000 call sym.boolstd::operator___char_std::char_traits_char__std::allocator_char___std::__cxx11::basic_string_char_std::char_traits_char__std::allocator_char__const__charconst
| 0x565f1bcf 83c410 add esp, 0x10
| 0x565f1bd2 84c0 test al, al
| ,=< 0x565f1bd4 751a jne 0x565f1bf0
| | 0x565f1bd6 83ec08 sub esp, 8
| | 0x565f1bd9 8d8630e8ffff lea eax, [esi - 0x17d0]
| | 0x565f1bdf 50 push eax
| | 0x565f1be0 8d459c lea eax, [local_64h]
| | 0x565f1be3 50 push eax
| | 0x565f1be4 e863050000 call sym.boolstd::operator___char_std::char_traits_char__std::allocator_char___std::__cxx11::basic_string_char_std::char_traits_char__std::allocator_char__const__charconst
| | 0x565f1be9 83c410 add esp, 0x10
| | 0x565f1bec 84c0 test al, al
| ,==< 0x565f1bee 7407 je 0x565f1bf7
| |`-> 0x565f1bf0 b801000000 mov eax, 1
| |,=< 0x565f1bf5 eb05 jmp 0x565f1bfc
| `--> 0x565f1bf7 b800000000 mov eax, 0
| | ; CODE XREF from main (0x565f1bf5)
| `-> 0x565f1bfc 84c0 test al, al
| ,=< 0x565f1bfe 7421 je 0x565f1c21
| | 0x565f1c00 83ec04 sub esp, 4
| | 0x565f1c03 8d8578ffffff lea eax, [local_88h]
| | 0x565f1c09 50 push eax
| | 0x565f1c0a 8d8574ffffff lea eax, [local_8ch]
| | 0x565f1c10 50 push eax
| | 0x565f1c11 ff7580 push dword [local_80h]
| | 0x565f1c14 e824f9ffff call sym.fight_int_int__int
| | 0x565f1c19 83c410 add esp, 0x10
| ,==< 0x565f1c1c e9aa000000 jmp 0x565f1ccb
| |`-> 0x565f1c21 83ec08 sub esp, 8
| | 0x565f1c24 8d8632e8ffff lea eax, [esi - 0x17ce]
| | 0x565f1c2a 50 push eax
| | 0x565f1c2b 8d459c lea eax, [local_64h]
| | 0x565f1c2e 50 push eax
| | 0x565f1c2f e818050000 call sym.boolstd::operator___char_std::char_traits_char__std::allocator_char___std::__cxx11::basic_string_char_std::char_traits_char__std::allocator_char__const__charconst
| | 0x565f1c34 83c410 add esp, 0x10
| | 0x565f1c37 84c0 test al, al
| |,=< 0x565f1c39 751a jne 0x565f1c55
| || 0x565f1c3b 83ec08 sub esp, 8
| || 0x565f1c3e 8d8634e8ffff lea eax, [esi - 0x17cc]
| || 0x565f1c44 50 push eax
| || 0x565f1c45 8d459c lea eax, [local_64h]
| || 0x565f1c48 50 push eax
| || 0x565f1c49 e8fe040000 call sym.boolstd::operator___char_std::char_traits_char__std::allocator_char___std::__cxx11::basic_string_char_std::char_traits_char__std::allocator_char__const__charconst
| || 0x565f1c4e 83c410 add esp, 0x10
| || 0x565f1c51 84c0 test al, al
| ,===< 0x565f1c53 7407 je 0x565f1c5c
| ||`-> 0x565f1c55 b801000000 mov eax, 1
| ||,=< 0x565f1c5a eb05 jmp 0x565f1c61
| `---> 0x565f1c5c b800000000 mov eax, 0
| || ; CODE XREF from main (0x565f1c5a)
| |`-> 0x565f1c61 84c0 test al, al
| |,=< 0x565f1c63 7434 je 0x565f1c99
| || 0x565f1c65 83ec08 sub esp, 8
| || 0x565f1c68 8d8638e8ffff lea eax, [esi - 0x17c8]
| || 0x565f1c6e 50 push eax
| || 0x565f1c6f 8b86ac000000 mov eax, dword [esi + 0xac] ; [0xac:4]=-1 ; 172
| || 0x565f1c75 50 push eax
| || 0x565f1c76 89f3 mov ebx, esi
| || 0x565f1c78 e843f6ffff call sym.std::basic_ostream_char_std::char_traits_char___std::operator___std::char_traits_char___std::basic_ostream_char_std::char_traits_char____charconst
| || 0x565f1c7d 83c410 add esp, 0x10
| || 0x565f1c80 89c2 mov edx, eax
| || 0x565f1c82 83ec08 sub esp, 8
| || 0x565f1c85 8b86a4000000 mov eax, dword [esi + 0xa4] ; [0xa4:4]=-1 ; 164
| || 0x565f1c8b 50 push eax
| || 0x565f1c8c 52 push edx
| || 0x565f1c8d 89f3 mov ebx, esi
| || 0x565f1c8f e83cf6ffff call sym.std::ostream::operator___std::ostream_____std::ostream
| || 0x565f1c94 83c410 add esp, 0x10
| ,===< 0x565f1c97 eb32 jmp 0x565f1ccb
| ||`-> 0x565f1c99 83ec08 sub esp, 8
| || 0x565f1c9c 8d8658e8ffff lea eax, [esi - 0x17a8]
| || 0x565f1ca2 50 push eax
| || 0x565f1ca3 8b86ac000000 mov eax, dword [esi + 0xac] ; [0xac:4]=-1 ; 172
| || 0x565f1ca9 50 push eax
| || 0x565f1caa 89f3 mov ebx, esi
| || 0x565f1cac e80ff6ffff call sym.std::basic_ostream_char_std::char_traits_char___std::operator___std::char_traits_char___std::basic_ostream_char_std::char_traits_char____charconst
| || 0x565f1cb1 83c410 add esp, 0x10
| || 0x565f1cb4 89c2 mov edx, eax
| || 0x565f1cb6 83ec08 sub esp, 8
| || 0x565f1cb9 8b86a4000000 mov eax, dword [esi + 0xa4] ; [0xa4:4]=-1 ; 164
| || 0x565f1cbf 50 push eax
| || 0x565f1cc0 52 push edx
| || 0x565f1cc1 89f3 mov ebx, esi
| || 0x565f1cc3 e808f6ffff call sym.std::ostream::operator___std::ostream_____std::ostream
| || 0x565f1cc8 83c410 add esp, 0x10
| || ; CODE XREFS from main (0x565f1c1c, 0x565f1c97)
| ``--> 0x565f1ccb bf00000000 mov edi, 0
| 0x565f1cd0 83ec0c sub esp, 0xc
| 0x565f1cd3 8d459c lea eax, [local_64h]
| 0x565f1cd6 50 push eax
| 0x565f1cd7 89f3 mov ebx, esi
| 0x565f1cd9 e832f5ffff call sym.std::__cxx11::basic_string_char_std::char_traits_char__std::allocator_char__::_basic_string
| 0x565f1cde 83c410 add esp, 0x10
| 0x565f1ce1 83ec0c sub esp, 0xc
| 0x565f1ce4 8d4584 lea eax, [local_7ch]
| 0x565f1ce7 50 push eax
| 0x565f1ce8 89f3 mov ebx, esi
| 0x565f1cea e821f5ffff call sym.std::__cxx11::basic_string_char_std::char_traits_char__std::allocator_char__::_basic_string
| 0x565f1cef 83c410 add esp, 0x10
| 0x565f1cf2 89f8 mov eax, edi
| 0x565f1cf4 8b4de4 mov ecx, dword [local_1ch]
| 0x565f1cf7 65330d140000. xor ecx, dword gs:[0x14]
| ,=< 0x565f1cfe 0f84a0000000 je 0x565f1da4
| ,==< 0x565f1d04 e996000000 jmp 0x565f1d9f
..
| || ; CODE XREF from main (0x565f1d04)
| `--> 0x565f1d9f e87c070000 call sym.__stack_chk_fail_local ; void __stack_chk_fail(void)
| `-> 0x565f1da4 8d65f0 lea esp, [local_10h]
| 0x565f1da7 59 pop ecx
| 0x565f1da8 5b pop ebx
| 0x565f1da9 5e pop esi
| 0x565f1daa 5f pop edi
| 0x565f1dab 5d pop ebp
| 0x565f1dac 8d61fc lea esp, [ecx - 4]
\ 0x565f1daf c3 ret
我真的很感谢你抽出时间,欢迎任何输入!
更新:附上 .cpp 源代码
#include <iostream>
#include <string>
using namespace std;
/// Plays out a fixed-length fight against the monster.
///
/// @param pDmg  damage subtracted from mHp on every round.
/// @param gold  in-out: increased by 10 if the monster is slain.
/// @param mHp   in-out: monster health, reduced by pDmg each round played.
///
/// At most five rounds are played; the fight stops early as soon as mHp
/// drops to zero or below. All narration goes to std::cout.
void fight(int pDmg, int &gold, int &mHp) {
    constexpr int kMaxRounds = 5;

    std::cout << "You approach the huge beast slowly..." << std::endl;
    std::cout << "Drawing your sword and gitting your teeth you charge!" << std::endl;

    bool slain = false;
    int round = 0;
    // Each round: announce the hit, apply it, report remaining health,
    // then decide whether the monster is down.
    while (round < kMaxRounds && !slain) {
        std::cout << "You deal " + std::to_string(pDmg) + " damage!" << std::endl;
        mHp -= pDmg;
        std::cout << "The monster has " + std::to_string(mHp) + " remaining health!" << std::endl;
        slain = (mHp <= 0);
        ++round;
    }

    if (!slain) {
        std::cout << "The monster swings out and hits you with his gigantic club" << std::endl;
        std::cout << "You have been knocked out and failed to protect the city!" << std::endl;
        return;
    }

    std::cout << "You have defeated the beast!" << std::endl;
    std::cout << "You loot his corpse to find 10 gold" << std::endl;
    gold += 10;  // the only place gold changes
    std::cout << "You now have " + std::to_string(gold) + " gold!" << std::endl;
    std::cout << "Great job! Game Over..." << std::endl;
}
/// Entry point: asks for the player's name and a yes/no choice on
/// std::cin, then either runs fight() or prints a refusal message.
///
/// argc/argv are accepted but not used. Always returns 0.
int main(int argc, char*argv[]) {
    std::string name = "Hero";
    std::string choice = "";
    int playerHp = 100;   // initialised here but never read in this function
    int playerDmg = 5;
    int gold = 10;
    int monsterHp = 10;

    std::cout << "Enter your name brave hero: ";
    std::cin >> name;
    std::cout << "Welcome " + name + ", we need your help! There is a big monster terrorizing the city, are you up for the challenge? (y or n) ";
    std::cin >> choice;

    // Only a single-letter yes/no is recognised; anything else
    // (including an empty choice after a failed read) falls through
    // to the last branch.
    const bool accepted = (choice == "y" || choice == "Y");
    const bool declined = (choice == "n" || choice == "N");

    if (accepted) {
        fight(playerDmg, gold, monsterHp);
    } else if (declined) {
        std::cout << "I suppose we are doomed!!!!!!!!" << std::endl;
    } else {
        std::cout << "Well at least you could have given me a respectable answer!" << std::endl;
    }
    return 0;
}