
Linux experiment: disassembling a binary to find a variable's address, then using gdb to modify that variable in the memory of the running program

2016-04-08 17:12
Prepare the sample file:

a.c

#include <stdio.h>
#include <unistd.h>

/* Two initialized globals, so they land in .data with easily recognisable byte patterns */
unsigned int a = 0xFFFFFFFF;
unsigned int b = 0xEEEEEEEE;

int main(void) {
    while (1) {
        printf("%x, %x\n", a, b);   /* print the current values once per second */
        sleep(1);
    }
}


Compile the executable:

gcc -g a.c


Run a.out; it prints:

$ ./a.out
ffffffff, eeeeeeee
ffffffff, eeeeeeee
ffffffff, eeeeeeee
ffffffff, eeeeeeee
ffffffff, eeeeeeee


Now locate variable a.

1. Disassemble a.out with objdump:

$ objdump -D a.out > a.S


2. Look at the disassembly of main:

0000000000400586 <main>:
400586:       55                      push   %rbp
400587:       48 89 e5                mov    %rsp,%rbp
40058a:       8b 15 b0 0a 20 00       mov    0x200ab0(%rip),%edx        # 601040 <b>
400590:       8b 05 a6 0a 20 00       mov    0x200aa6(%rip),%eax        # 60103c <a>
400596:       89 c6                   mov    %eax,%esi
400598:       bf 50 06 40 00          mov    $0x400650,%edi
40059d:       b8 00 00 00 00          mov    $0x0,%eax
4005a2:       e8 a9 fe ff ff          callq  400450 <printf@plt>
4005a7:       bf 01 00 00 00          mov    $0x1,%edi
4005ac:       e8 cf fe ff ff          callq  400480 <sleep@plt>
4005b1:       eb d7                   jmp    40058a <main+0x4>
4005b3:       66 2e 0f 1f 84 00 00    nopw   %cs:0x0(%rax,%rax,1)
4005ba:       00 00 00
4005bd:       0f 1f 00                nopl   (%rax)


Or look directly at the .data section:

Disassembly of section .data:

0000000000601038 <__data_start>:
601038:       00 00                   add    %al,(%rax)
...

000000000060103c <a>:
60103c:       ff                      (bad)
60103d:       ff                      (bad)
60103e:       ff                      (bad)
60103f:       ff                      (bad)

0000000000601040 <b>:
601040:       ee                      out    %al,(%dx)
601041:       ee                      out    %al,(%dx)
601042:       ee                      out    %al,(%dx)
601043:       ee                      out    %al,(%dx)


This gives the address of variable a: 60103c (the same address objdump annotates on the RIP-relative mov in main, "# 60103c <a>").

3. Get the process id:

$ ps aux | grep a.out
yeqiang  22726  0.0  0.0   4172   688 pts/10   S+   17:00   0:00 ./a.out


4. Attach gdb to the process and modify the memory directly:

$ gdb -p 22726
GNU gdb (GDB) Fedora 7.9.1-20.fc22
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
Attaching to process 22726
Reading symbols from /tmp/a.out...done.
Reading symbols from /lib64/libc.so.6...Reading symbols from /usr/lib/debug/usr/lib64/libc-2.21.so.debug...done.
done.
Reading symbols from /lib64/ld-linux-x86-64.so.2...Reading symbols from /usr/lib/debug/usr/lib64/ld-2.21.so.debug...done.
done.
0x00007fd7f0192d20 in __nanosleep_nocancel ()
at ../sysdeps/unix/syscall-template.S:81
81	T_PSEUDO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
(gdb) p/x *0x60103c
$3 = 0xffffffff
(gdb) set *0x60103c=1
(gdb) c
Continuing.


5. Observe the program's output:

ffffffff, eeeeeeee
ffffffff, eeeeeeee
ffffffff, eeeeeeee
ffffffff, eeeeeeee
ffffffff, eeeeeeee
ffffffff, eeeeeeee
1, eeeeeeee
1, eeeeeeee
1, eeeeeeee
1, eeeeeeee
1, eeeeeeee
1, eeeeeeee
1, eeeeeeee
1, eeeeeeee
1, eeeeeeee


Done.
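Steps 1 and 2 above read the address of a out of objdump's listing; the same lookup can be done programmatically from the ELF symbol table, which is where objdump gets the "<a>" annotation. The following is an added example, not code from the original post: it parses the .symtab of an ELF64 file, bounds-checking every offset it takes from the file (a binary you analyse is untrusted input), and looks up its own global a by reading /proc/self/exe (a Linux-specific assumption), printing the link-time address beside the runtime one.

```c
/* Added example (not from the original post): a minimal ELF64 .symtab reader that does by hand what `objdump -D a.out` did above. */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

unsigned int a = 0xFFFFFFFF;   /* same global as in a.c; the program looks up its own symbol */

/* True when [off, off+len) lies inside a file of n bytes (overflow-safe). */
static int in_file(uint64_t off, uint64_t len, uint64_t n) { return off <= n && len <= n - off; }
/* Find defined symbol `name` in the .symtab of the ELF64 file at `path`. Returns 0 with
 * *value = st_value and *size = st_size; -1 if unreadable or malformed; -2 if not found. */
int elf64_symbol(const char *path, const char *name, uint64_t *value, uint64_t *size) {
    FILE *f = fopen(path, "rb");
    long n = 0;
    if (!f) return -1;
    if (fseek(f, 0, SEEK_END) != 0 || (n = ftell(f)) <= 0 || fseek(f, 0, SEEK_SET) != 0) { fclose(f); return -1; }
    unsigned char *img = malloc((size_t)n);
    if (!img || fread(img, 1, (size_t)n, f) != (size_t)n) { free(img); fclose(f); return -1; }
    fclose(f);
    int rc = -1; Elf64_Ehdr *eh = (Elf64_Ehdr *)img; Elf64_Shdr *sh;
    /* Every offset below comes from the file, so bounds-check it before trusting it. */
    if ((uint64_t)n < sizeof *eh || memcmp(eh->e_ident, ELFMAG, SELFMAG) != 0 || eh->e_ident[EI_CLASS] != ELFCLASS64 ||
        !in_file(eh->e_shoff, (uint64_t)eh->e_shnum * sizeof(Elf64_Shdr), (uint64_t)n)) goto out;
    sh = (Elf64_Shdr *)(img + eh->e_shoff);
    rc = -2;
    for (int i = 0; i < eh->e_shnum && rc == -2; i++) {
        if (sh[i].sh_type != SHT_SYMTAB || sh[i].sh_link >= eh->e_shnum) continue;
        Elf64_Shdr *st = &sh[sh[i].sh_link];                      /* the linked .strtab */
        if (!in_file(sh[i].sh_offset, sh[i].sh_size, (uint64_t)n) || !in_file(st->sh_offset, st->sh_size, (uint64_t)n)) continue;
        Elf64_Sym *sym = (Elf64_Sym *)(img + sh[i].sh_offset);
        const char *str = (const char *)(img + st->sh_offset);
        for (uint64_t j = 0; j < sh[i].sh_size / sizeof(Elf64_Sym); j++) {
            if (sym[j].st_shndx == SHN_UNDEF || sym[j].st_name >= st->sh_size) continue;
            const char *s = str + sym[j].st_name;
            if (!memchr(s, 0, st->sh_size - sym[j].st_name)) continue;   /* unterminated name: skip it */
            if (strcmp(s, name) == 0) { *value = sym[j].st_value; *size = sym[j].st_size; rc = 0; break; }
        }
    }
out: free(img);
    return rc;
}

int main(void) {   /* for a PIE, the runtime address is st_value plus a page-aligned load base */
    uint64_t v = 0, s = 0;
    if (elf64_symbol("/proc/self/exe", "a", &v, &s) != 0) return 1;
    printf("a: st_value 0x%llx, size %llu, runtime address %p\n", (unsigned long long)v, (unsigned long long)s, (void *)&a);
    return 0;
}
```

For a non-PIE build like the one above the printed st_value is exactly the address gdb operated on (0x60103c); for a PIE build the two differ by the load base, which gdb shows with `info proc mappings`.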