逆向工程 - 此处实际加载的内容以及 util-linux hexdump 以及刀具和 ghidra 的 hexdump 上的不同 hexdump 输出 - 吾爱随笔录

我试图了解 phdr 数组上的第四个 LOAD 标头加载了哪个文件段。下面显示了 readelf 的前 6 个标题

 Program Headers:
  Type           Offset             VirtAddr           PhysAddr
                 FileSiz            MemSiz              Flags  Align
  PHDR           0x0000000000000040 0x0000000000000040 0x0000000000000040
                 0x0000000000000268 0x0000000000000268  R      0x8
  INTERP         0x00000000000002a8 0x00000000000002a8 0x00000000000002a8
                 0x000000000000001c 0x000000000000001c  R      0x1
      [Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]
  LOAD           0x0000000000000000 0x0000000000000000 0x0000000000000000 //file portion till .text
                 0x00000000000006c0 0x00000000000006c0  R      0x1000
  LOAD           0x0000000000001000 0x0000000000001000 0x0000000000001000 //.text
                 0x00000000000003c5 0x00000000000003c5  R E    0x1000
  LOAD           0x0000000000002000 0x0000000000002000 0x0000000000002000 //.rodata,.eh_frame_hdr,.eh_frame
                 0x0000000000000170 0x0000000000000170  R      0x1000
  LOAD           0x0000000000002de8 0x0000000000003de8 0x0000000000003de8
                 0x0000000000000270 0x00000000000002d8  RW     0x1000

在 ghidra 和刀具拆卸中完全不存在 offset 和 filesiz 之间的内存范围，并用“ff”填充，并在刀具 hexdump 中显示为无效。但是，当我在我的终端上使用 hexdump 时，它没有像刀具所示那样用“ff”填充

00002df0  e0 10 00 00 00 00 00 00  01 00 00 00 00 00 00 00  |................|
00002e00  01 00 00 00 00 00 00 00  0c 00 00 00 00 00 00 00  |................|
00002e10  00 10 00 00 00 00 00 00  0d 00 00 00 00 00 00 00  |................|
00002e20  d8 11 00 00 00 00 00 00  19 00 00 00 00 00 00 00  |................|
00002e30  e8 3d 00 00 00 00 00 00  1b 00 00 00 00 00 00 00  |.=..............|
00002e40  08 00 00 00 00 00 00 00  1a 00 00 00 00 00 00 00  |................|
00002e50  f0 3d 00 00 00 00 00 00  1c 00 00 00 00 00 00 00  |.=..............|
00002e60  08 00 00 00 00 00 00 00  f5 fe ff 6f 00 00 00 00  |...........o....|
00002e70  08 03 00 00 00 00 00 00  05 00 00 00 00 00 00 00  |................|
00002e80  d0 03 00 00 00 00 00 00  06 00 00 00 00 00 00 00  |................|
00002e90  28 03 00 00 00 00 00 00  0a 00 00 00 00 00 00 00  |(...............|
00002ea0  84 00 00 00 00 00 00 00  0b 00 00 00 00 00 00 00  |................|
00002eb0  18 00 00 00 00 00 00 00  15 00 00 00 00 00 00 00  |................|
00002ec0  00 00 00 00 00 00 00 00  03 00 00 00 00 00 00 00  |................|
00002ed0  00 40 00 00 00 00 00 00  02 00 00 00 00 00 00 00  |.@..............|
00002ee0  18 00 00 00 00 00 00 00  14 00 00 00 00 00 00 00  |................|
00002ef0  07 00 00 00 00 00 00 00  17 00 00 00 00 00 00 00  |................|
00002f00  48 05 00 00 00 00 00 00  07 00 00 00 00 00 00 00  |H...............|
00002f10  88 04 00 00 00 00 00 00  08 00 00 00 00 00 00 00  |................|
00002f20  c0 00 00 00 00 00 00 00  09 00 00 00 00 00 00 00  |................|
00002f30  18 00 00 00 00 00 00 00  fb ff ff 6f 00 00 00 00  |...........o....|

-->disassembly from cutter
            0x00002de8      invalid
            0x00002de9      invalid
            0x00002dea      invalid
            0x00002deb      invalid
            0x00002dec      invalid
            0x00002ded      invalid
            :and this continues till 0x00003de7

为什么有区别？第四个 LOAD 实际加载了什么？

我正在反汇编的程序是一个简单的hello world程序

#include<stdio.h>
int main()
{
    printf("hello");
}

使用 gcc 版本 9.1.0 (GCC) 编译