使用 Ropper 找出 rop gadgets 在内存中实际加载的位置
Find out where rop gadgets are actually loaded in memory using Ropper
我正在研究 Arm64 上的 ROP,我在这里发布了我的主题
但关于如何选择 ROP gadget 又出现了一个新的、独立的问题,因此需要另开一个线程。简而言之,我正在研究 ARM 64 位上的 ROP 漏洞利用,并尝试用一段非常简单的 C 代码(附在上一个线程中)进行测试。
我正在使用 ropper 工具搜索 gadget 来构建 ROP 链。但当我用 gadget 的地址覆盖 pc 时,在 gdb 中得到了如下信息:
[!] Cannot disassemble from $PC
[!] Cannot access memory at address 0x8f8
stopped 0x8f8 in ?? ()
我用 0x00000000000008f8 这个 gadget 的地址覆盖了 pc(程序计数器),但它不可能是该 gadget 实际加载到内存中的地址。
这是我使用 ropper 获得的 rop gadgets 列表:
0x0000000000000858: add x0, sp, #0x10; bl #0x6e0; nop; ldp x29, x30, [sp], #0x60; ret;
0x0000000000000828: add x0, x0, #0x930; bl #0x6c0; nop; ldp x29, x30, [sp], #0x20; ret;
0x0000000000000688: add x16, x16, #0; br x17;
0x00000000000006a8: add x16, x16, #0x10; br x17;
0x00000000000006b8: add x16, x16, #0x18; br x17;
0x00000000000006c8: add x16, x16, #0x20; br x17;
0x00000000000006d8: add x16, x16, #0x28; br x17;
0x00000000000006e8: add x16, x16, #0x30; br x17;
0x000000000000066c: add x16, x16, #0xff8; br x17;
0x0000000000000698: add x16, x16, #8; br x17;
0x00000000000008e0: add x19, x19, #1; mov x1, x23; mov w0, w22; blr x3;
0x0000000000000824: adrp x0, #0; add x0, x0, #0x930; bl #0x6c0; nop; ldp x29, x30, [sp], #0x20; ret;
0x0000000000000728: adrp x0, #0x10000; ldr x0, [x0, #0xfc8]; cbz x0, #0x738; b #0x6a0; ret;
0x0000000000000758: adrp x1, #0x10000; ldr x1, [x1, #0xfb8]; cbz x1, #0x76c; mov x16, x1; br x16;
0x0000000000000758: adrp x1, #0x10000; ldr x1, [x1, #0xfb8]; cbz x1, #0x76c; mov x16, x1; br x16; ret;
0x0000000000000664: adrp x16, #0x10000; ldr x17, [x16, #0xff8]; add x16, x16, #0xff8; br x17;
0x00000000000006a0: adrp x16, #0x11000; ldr x17, [x16, #0x10]; add x16, x16, #0x10; br x17;
0x00000000000006b0: adrp x16, #0x11000; ldr x17, [x16, #0x18]; add x16, x16, #0x18; br x17;
0x00000000000006c0: adrp x16, #0x11000; ldr x17, [x16, #0x20]; add x16, x16, #0x20; br x17;
0x00000000000006d0: adrp x16, #0x11000; ldr x17, [x16, #0x28]; add x16, x16, #0x28; br x17;
0x00000000000006e0: adrp x16, #0x11000; ldr x17, [x16, #0x30]; add x16, x16, #0x30; br x17;
0x0000000000000690: adrp x16, #0x11000; ldr x17, [x16, #8]; add x16, x16, #8; br x17;
0x0000000000000680: adrp x16, #0x11000; ldr x17, [x16]; add x16, x16, #0; br x17;
0x0000000000000794: adrp x2, #0x10000; ldr x2, [x2, #0xfe0]; cbz x2, #0x7a8; mov x16, x2; br x16;
0x0000000000000794: adrp x2, #0x10000; ldr x2, [x2, #0xfe0]; cbz x2, #0x7a8; mov x16, x2; br x16; ret;
0x0000000000000734: b #0x6a0; ret;
0x0000000000000754: b.eq #0x76c; adrp x1, #0x10000; ldr x1, [x1, #0xfb8]; cbz x1, #0x76c; mov x16, x1; br x16;
0x00000000000008f4: b.ne #0x8d8; ldp x19, x20, [sp, #0x10]; ldp x21, x22, [sp, #0x20]; ldp x23, x24, [sp, #0x30]; ldp x29, x30, [sp], #0x40; ret;
0x0000000000000724: bl #0x6b0; adrp x0, #0x10000; ldr x0, [x0, #0xfc8]; cbz x0, #0x738; b #0x6a0; ret;
0x000000000000082c: bl #0x6c0; nop; ldp x29, x30, [sp], #0x20; ret;
0x0000000000000854: bl #0x6d0; add x0, sp, #0x10; bl #0x6e0; nop; ldp x29, x30, [sp], #0x60; ret;
0x000000000000085c: bl #0x6e0; nop; ldp x29, x30, [sp], #0x60; ret;
0x0000000000000648: bl #0x728; ldp x29, x30, [sp], #0x10; ret;
0x00000000000007e0: bl #0x740; movz w0, #0x1; strb w0, [x19, #0x48]; ldr x19, [sp, #0x10]; ldp x29, x30, [sp], #0x20; ret;
0x000000000000087c: bl #0x83c; movz w0, #0; ldp x29, x30, [sp], #0x20; ret;
0x00000000000008ec: blr x3;
0x0000000000000768: br x16;
0x0000000000000768: br x16; ret;
0x0000000000000670: br x17;
0x0000000000000730: cbz x0, #0x738; b #0x6a0; ret;
0x0000000000000760: cbz x1, #0x76c; mov x16, x1; br x16;
0x0000000000000760: cbz x1, #0x76c; mov x16, x1; br x16; ret;
0x0000000000000790: cbz x1, #0x7a8; adrp x2, #0x10000; ldr x2, [x2, #0xfe0]; cbz x2, #0x7a8; mov x16, x2; br x16;
0x000000000000079c: cbz x2, #0x7a8; mov x16, x2; br x16;
0x000000000000079c: cbz x2, #0x7a8; mov x16, x2; br x16; ret;
0x00000000000008f8: ldp x19, x20, [sp, #0x10]; ldp x21, x22, [sp, #0x20]; ldp x23, x24, [sp, #0x30]; ldp x29, x30, [sp], #0x40; ret;
0x00000000000008fc: ldp x21, x22, [sp, #0x20]; ldp x23, x24, [sp, #0x30]; ldp x29, x30, [sp], #0x40; ret;
0x0000000000000900: ldp x23, x24, [sp, #0x30]; ldp x29, x30, [sp], #0x40; ret;
0x000000000000064c: ldp x29, x30, [sp], #0x10; ret;
0x00000000000007f0: ldp x29, x30, [sp], #0x20; ret;
0x0000000000000904: ldp x29, x30, [sp], #0x40; ret;
0x0000000000000864: ldp x29, x30, [sp], #0x60; ret;
0x000000000000072c: ldr x0, [x0, #0xfc8]; cbz x0, #0x738; b #0x6a0; ret;
0x000000000000075c: ldr x1, [x1, #0xfb8]; cbz x1, #0x76c; mov x16, x1; br x16;
0x000000000000075c: ldr x1, [x1, #0xfb8]; cbz x1, #0x76c; mov x16, x1; br x16; ret;
0x00000000000006a4: ldr x17, [x16, #0x10]; add x16, x16, #0x10; br x17;
0x00000000000006b4: ldr x17, [x16, #0x18]; add x16, x16, #0x18; br x17;
0x00000000000006c4: ldr x17, [x16, #0x20]; add x16, x16, #0x20; br x17;
0x00000000000006d4: ldr x17, [x16, #0x28]; add x16, x16, #0x28; br x17;
0x00000000000006e4: ldr x17, [x16, #0x30]; add x16, x16, #0x30; br x17;
0x0000000000000668: ldr x17, [x16, #0xff8]; add x16, x16, #0xff8; br x17;
0x0000000000000694: ldr x17, [x16, #8]; add x16, x16, #8; br x17;
0x0000000000000684: ldr x17, [x16]; add x16, x16, #0; br x17;
0x00000000000007ec: ldr x19, [sp, #0x10]; ldp x29, x30, [sp], #0x20; ret;
0x0000000000000798: ldr x2, [x2, #0xfe0]; cbz x2, #0x7a8; mov x16, x2; br x16;
0x0000000000000798: ldr x2, [x2, #0xfe0]; cbz x2, #0x7a8; mov x16, x2; br x16; ret;
0x00000000000008d8: ldr x3, [x21, x19, lsl #3]; mov x2, x24; add x19, x19, #1; mov x1, x23; mov w0, w22; blr x3;
0x00000000000008e8: mov w0, w22; blr x3;
0x00000000000008e4: mov x1, x23; mov w0, w22; blr x3;
0x0000000000000764: mov x16, x1; br x16;
0x0000000000000764: mov x16, x1; br x16; ret;
0x00000000000007a0: mov x16, x2; br x16;
0x00000000000007a0: mov x16, x2; br x16; ret;
0x00000000000008dc: mov x2, x24; add x19, x19, #1; mov x1, x23; mov w0, w22; blr x3;
0x0000000000000644: mov x29, sp; bl #0x728; ldp x29, x30, [sp], #0x10; ret;
0x0000000000000918: mov x29, sp; ldp x29, x30, [sp], #0x10; ret;
0x0000000000000880: movz w0, #0; ldp x29, x30, [sp], #0x20; ret;
0x00000000000007e4: movz w0, #0x1; strb w0, [x19, #0x48]; ldr x19, [sp, #0x10]; ldp x29, x30, [sp], #0x20; ret;
0x0000000000000660: stp x16, x30, [sp, #-0x10]!; adrp x16, #0x10000; ldr x17, [x16, #0xff8]; add x16, x16, #0xff8; br x17;
0x0000000000000640: stp x29, x30, [sp, #-0x10]!; mov x29, sp; bl #0x728; ldp x29, x30, [sp], #0x10; ret;
0x0000000000000914: stp x29, x30, [sp, #-0x10]!; mov x29, sp; ldp x29, x30, [sp], #0x10; ret;
0x0000000000000874: str w0, [sp, #0x1c]; str x1, [sp, #0x10]; bl #0x83c; movz w0, #0; ldp x29, x30, [sp], #0x20; ret;
0x0000000000000878: str x1, [sp, #0x10]; bl #0x83c; movz w0, #0; ldp x29, x30, [sp], #0x20; ret;
0x00000000000007e8: strb w0, [x19, #0x48]; ldr x19, [sp, #0x10]; ldp x29, x30, [sp], #0x20; ret;
0x000000000000067c: nop; adrp x16, #0x11000; ldr x17, [x16]; add x16, x16, #0; br x17;
0x0000000000000830: nop; ldp x29, x30, [sp], #0x20; ret;
0x0000000000000860: nop; ldp x29, x30, [sp], #0x60; ret;
0x0000000000000678: nop; nop; adrp x16, #0x11000; ldr x17, [x16]; add x16, x16, #0; br x17;
0x000000000000090c: nop; ret;
0x0000000000000650: ret;
我尤其对 0x00000000000008f8 和 0x00000000000008d8 这两个 gadget 感兴趣。
查找 ELF 文件基地址的命令 readelf -l 的输出为:
Elf 文件类型为 DYN(共享对象文件)
入口点 0x6f0
有 9 个程序头,从偏移量 64 开始
Program Headers:
Type Offset VirtAddr PhysAddr
FileSiz MemSiz Flags Align
PHDR 0x0000000000000040 0x0000000000000040 0x0000000000000040
0x00000000000001f8 0x00000000000001f8 R 0x8
INTERP 0x0000000000000238 0x0000000000000238 0x0000000000000238
0x000000000000001b 0x000000000000001b R 0x1
[Requesting program interpreter: /lib/ld-linux-aarch64.so.1]
LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000adc 0x0000000000000adc R E 0x10000
LOAD 0x0000000000000db8 0x0000000000010db8 0x0000000000010db8
0x0000000000000290 0x0000000000000298 RW 0x10000
DYNAMIC 0x0000000000000dc8 0x0000000000010dc8 0x0000000000010dc8
0x00000000000001e0 0x00000000000001e0 RW 0x8
NOTE 0x0000000000000254 0x0000000000000254 0x0000000000000254
0x0000000000000044 0x0000000000000044 R 0x4
GNU_EH_FRAME 0x0000000000000960 0x0000000000000960 0x0000000000000960
0x0000000000000054 0x0000000000000054 R 0x4
GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000000 0x0000000000000000 RW 0x10
GNU_RELRO 0x0000000000000db8 0x0000000000010db8 0x0000000000010db8
0x0000000000000248 0x0000000000000248 R 0x1
Section to Segment mapping:
Segment Sections...
00
01 .interp
02 .interp .note.gnu.build-id .note.ABI-tag .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame
03 .init_array .fini_array .dynamic .got .got.plt .data .bss
04 .dynamic
05 .note.gnu.build-id .note.ABI-tag
06 .eh_frame_hdr
07
08 .init_array .fini_array .dynamic .got
gdb 中 info proc mappings
的输出是:
Start Addr End Addr Size Offset objfile
0x5555555000 0x5555556000 0x1000 0x0 path_to _binary/binary_name
0x5555565000 0x5555566000 0x1000 0x0 path_to _binary/binary_name
0x5555566000 0x5555567000 0x1000 0x1000 path_to _binary/binary_name
0x7ff7e44000 0x7ff7fa1000 0x15d000 0x0 /usr/lib/aarch64-linux-gnu/libc-2.31.so
0x7ff7fa1000 0x7ff7fb1000 0x10000 0x15d000 /usr/lib/aarch64-linux-gnu/libc-2.31.so
0x7ff7fb1000 0x7ff7fb4000 0x3000 0x15d000 /usr/lib/aarch64-linux-gnu/libc-2.31.so
0x7ff7fb4000 0x7ff7fb7000 0x3000 0x160000 /usr/lib/aarch64-linux-gnu/libc-2.31.so
0x7ff7fb7000 0x7ff7fba000 0x3000 0x0
0x7ff7fcc000 0x7ff7fed000 0x21000 0x0 /usr/lib/aarch64-linux-gnu/ld-2.31.so
0x7ff7ff9000 0x7ff7ffb000 0x2000 0x0
0x7ff7ffb000 0x7ff7ffc000 0x1000 0x0 [vvar]
0x7ff7ffc000 0x7ff7ffd000 0x1000 0x0 [vdso]
0x7ff7ffd000 0x7ff7ffe000 0x1000 0x21000 /usr/lib/aarch64-linux-gnu/ld-2.31.so
0x7ff7ffe000 0x7ff8000000 0x2000 0x22000 /usr/lib/aarch64-linux-gnu/ld-2.31.so
0x7ffffdf000 0x8000000000 0x21000 0x0 [stack]
我怎样才能找出这个 gadget 实际加载到内存中的位置?还是说 ropper 报告的地址本身就有问题?
您的 gadget 位于 0x55555558f8。
Ropper 按 ELF header 所描述的二进制文件内存布局来显示 gadget 的地址,也就是尚未加上加载基址的虚拟地址(VirtAddr)。根据 header:
- 文件内容 0x0-0xadc 将以 r-x 权限映射到地址 0x0。
- 文件内容 0xdb8-0x1048 将以 rw- 权限映射到地址 0x10db8。
按页边界取整后,你会得到:一页可执行页,把文件偏移量 0x0 映射到地址 0x0;以及两页可写页,把文件偏移量 0x0 映射到地址 0x10000。
从您的 GDB 转储(info proc mappings)可以看到,在运行中的进程里这两个映射分别位于 0x5555555000 和 0x5555565000。因此该 gadget 的实际地址就是 0x5555555000 + 0x8f8 = 0x55555558f8。由于该二进制是 DYN(PIE)类型,这个基址由加载器决定,在启用 ASLR 时每次运行都可能不同。
我正在研究 Arm64 上的 ROP,我在这里发布了我的主题
但关于如何选择 ROP gadget 又出现了一个新的、独立的问题,因此需要另开一个线程。简而言之,我正在研究 ARM 64 位上的 ROP 漏洞利用,并尝试用一段非常简单的 C 代码(附在上一个线程中)进行测试。我正在使用 ropper 工具搜索 gadget 来构建 ROP 链。但当我用 gadget 的地址覆盖 pc 时,在 gdb 中得到了如下信息:
[!] Cannot disassemble from $PC
[!] Cannot access memory at address 0x8f8
stopped 0x8f8 in ?? ()
我用 0x00000000000008f8 这个 gadget 的地址覆盖了 pc(程序计数器),但它不可能是该 gadget 实际加载到内存中的地址。
这是我使用 ropper 获得的 rop gadgets 列表:
0x0000000000000858: add x0, sp, #0x10; bl #0x6e0; nop; ldp x29, x30, [sp], #0x60; ret;
0x0000000000000828: add x0, x0, #0x930; bl #0x6c0; nop; ldp x29, x30, [sp], #0x20; ret;
0x0000000000000688: add x16, x16, #0; br x17;
0x00000000000006a8: add x16, x16, #0x10; br x17;
0x00000000000006b8: add x16, x16, #0x18; br x17;
0x00000000000006c8: add x16, x16, #0x20; br x17;
0x00000000000006d8: add x16, x16, #0x28; br x17;
0x00000000000006e8: add x16, x16, #0x30; br x17;
0x000000000000066c: add x16, x16, #0xff8; br x17;
0x0000000000000698: add x16, x16, #8; br x17;
0x00000000000008e0: add x19, x19, #1; mov x1, x23; mov w0, w22; blr x3;
0x0000000000000824: adrp x0, #0; add x0, x0, #0x930; bl #0x6c0; nop; ldp x29, x30, [sp], #0x20; ret;
0x0000000000000728: adrp x0, #0x10000; ldr x0, [x0, #0xfc8]; cbz x0, #0x738; b #0x6a0; ret;
0x0000000000000758: adrp x1, #0x10000; ldr x1, [x1, #0xfb8]; cbz x1, #0x76c; mov x16, x1; br x16;
0x0000000000000758: adrp x1, #0x10000; ldr x1, [x1, #0xfb8]; cbz x1, #0x76c; mov x16, x1; br x16; ret;
0x0000000000000664: adrp x16, #0x10000; ldr x17, [x16, #0xff8]; add x16, x16, #0xff8; br x17;
0x00000000000006a0: adrp x16, #0x11000; ldr x17, [x16, #0x10]; add x16, x16, #0x10; br x17;
0x00000000000006b0: adrp x16, #0x11000; ldr x17, [x16, #0x18]; add x16, x16, #0x18; br x17;
0x00000000000006c0: adrp x16, #0x11000; ldr x17, [x16, #0x20]; add x16, x16, #0x20; br x17;
0x00000000000006d0: adrp x16, #0x11000; ldr x17, [x16, #0x28]; add x16, x16, #0x28; br x17;
0x00000000000006e0: adrp x16, #0x11000; ldr x17, [x16, #0x30]; add x16, x16, #0x30; br x17;
0x0000000000000690: adrp x16, #0x11000; ldr x17, [x16, #8]; add x16, x16, #8; br x17;
0x0000000000000680: adrp x16, #0x11000; ldr x17, [x16]; add x16, x16, #0; br x17;
0x0000000000000794: adrp x2, #0x10000; ldr x2, [x2, #0xfe0]; cbz x2, #0x7a8; mov x16, x2; br x16;
0x0000000000000794: adrp x2, #0x10000; ldr x2, [x2, #0xfe0]; cbz x2, #0x7a8; mov x16, x2; br x16; ret;
0x0000000000000734: b #0x6a0; ret;
0x0000000000000754: b.eq #0x76c; adrp x1, #0x10000; ldr x1, [x1, #0xfb8]; cbz x1, #0x76c; mov x16, x1; br x16;
0x00000000000008f4: b.ne #0x8d8; ldp x19, x20, [sp, #0x10]; ldp x21, x22, [sp, #0x20]; ldp x23, x24, [sp, #0x30]; ldp x29, x30, [sp], #0x40; ret;
0x0000000000000724: bl #0x6b0; adrp x0, #0x10000; ldr x0, [x0, #0xfc8]; cbz x0, #0x738; b #0x6a0; ret;
0x000000000000082c: bl #0x6c0; nop; ldp x29, x30, [sp], #0x20; ret;
0x0000000000000854: bl #0x6d0; add x0, sp, #0x10; bl #0x6e0; nop; ldp x29, x30, [sp], #0x60; ret;
0x000000000000085c: bl #0x6e0; nop; ldp x29, x30, [sp], #0x60; ret;
0x0000000000000648: bl #0x728; ldp x29, x30, [sp], #0x10; ret;
0x00000000000007e0: bl #0x740; movz w0, #0x1; strb w0, [x19, #0x48]; ldr x19, [sp, #0x10]; ldp x29, x30, [sp], #0x20; ret;
0x000000000000087c: bl #0x83c; movz w0, #0; ldp x29, x30, [sp], #0x20; ret;
0x00000000000008ec: blr x3;
0x0000000000000768: br x16;
0x0000000000000768: br x16; ret;
0x0000000000000670: br x17;
0x0000000000000730: cbz x0, #0x738; b #0x6a0; ret;
0x0000000000000760: cbz x1, #0x76c; mov x16, x1; br x16;
0x0000000000000760: cbz x1, #0x76c; mov x16, x1; br x16; ret;
0x0000000000000790: cbz x1, #0x7a8; adrp x2, #0x10000; ldr x2, [x2, #0xfe0]; cbz x2, #0x7a8; mov x16, x2; br x16;
0x000000000000079c: cbz x2, #0x7a8; mov x16, x2; br x16;
0x000000000000079c: cbz x2, #0x7a8; mov x16, x2; br x16; ret;
0x00000000000008f8: ldp x19, x20, [sp, #0x10]; ldp x21, x22, [sp, #0x20]; ldp x23, x24, [sp, #0x30]; ldp x29, x30, [sp], #0x40; ret;
0x00000000000008fc: ldp x21, x22, [sp, #0x20]; ldp x23, x24, [sp, #0x30]; ldp x29, x30, [sp], #0x40; ret;
0x0000000000000900: ldp x23, x24, [sp, #0x30]; ldp x29, x30, [sp], #0x40; ret;
0x000000000000064c: ldp x29, x30, [sp], #0x10; ret;
0x00000000000007f0: ldp x29, x30, [sp], #0x20; ret;
0x0000000000000904: ldp x29, x30, [sp], #0x40; ret;
0x0000000000000864: ldp x29, x30, [sp], #0x60; ret;
0x000000000000072c: ldr x0, [x0, #0xfc8]; cbz x0, #0x738; b #0x6a0; ret;
0x000000000000075c: ldr x1, [x1, #0xfb8]; cbz x1, #0x76c; mov x16, x1; br x16;
0x000000000000075c: ldr x1, [x1, #0xfb8]; cbz x1, #0x76c; mov x16, x1; br x16; ret;
0x00000000000006a4: ldr x17, [x16, #0x10]; add x16, x16, #0x10; br x17;
0x00000000000006b4: ldr x17, [x16, #0x18]; add x16, x16, #0x18; br x17;
0x00000000000006c4: ldr x17, [x16, #0x20]; add x16, x16, #0x20; br x17;
0x00000000000006d4: ldr x17, [x16, #0x28]; add x16, x16, #0x28; br x17;
0x00000000000006e4: ldr x17, [x16, #0x30]; add x16, x16, #0x30; br x17;
0x0000000000000668: ldr x17, [x16, #0xff8]; add x16, x16, #0xff8; br x17;
0x0000000000000694: ldr x17, [x16, #8]; add x16, x16, #8; br x17;
0x0000000000000684: ldr x17, [x16]; add x16, x16, #0; br x17;
0x00000000000007ec: ldr x19, [sp, #0x10]; ldp x29, x30, [sp], #0x20; ret;
0x0000000000000798: ldr x2, [x2, #0xfe0]; cbz x2, #0x7a8; mov x16, x2; br x16;
0x0000000000000798: ldr x2, [x2, #0xfe0]; cbz x2, #0x7a8; mov x16, x2; br x16; ret;
0x00000000000008d8: ldr x3, [x21, x19, lsl #3]; mov x2, x24; add x19, x19, #1; mov x1, x23; mov w0, w22; blr x3;
0x00000000000008e8: mov w0, w22; blr x3;
0x00000000000008e4: mov x1, x23; mov w0, w22; blr x3;
0x0000000000000764: mov x16, x1; br x16;
0x0000000000000764: mov x16, x1; br x16; ret;
0x00000000000007a0: mov x16, x2; br x16;
0x00000000000007a0: mov x16, x2; br x16; ret;
0x00000000000008dc: mov x2, x24; add x19, x19, #1; mov x1, x23; mov w0, w22; blr x3;
0x0000000000000644: mov x29, sp; bl #0x728; ldp x29, x30, [sp], #0x10; ret;
0x0000000000000918: mov x29, sp; ldp x29, x30, [sp], #0x10; ret;
0x0000000000000880: movz w0, #0; ldp x29, x30, [sp], #0x20; ret;
0x00000000000007e4: movz w0, #0x1; strb w0, [x19, #0x48]; ldr x19, [sp, #0x10]; ldp x29, x30, [sp], #0x20; ret;
0x0000000000000660: stp x16, x30, [sp, #-0x10]!; adrp x16, #0x10000; ldr x17, [x16, #0xff8]; add x16, x16, #0xff8; br x17;
0x0000000000000640: stp x29, x30, [sp, #-0x10]!; mov x29, sp; bl #0x728; ldp x29, x30, [sp], #0x10; ret;
0x0000000000000914: stp x29, x30, [sp, #-0x10]!; mov x29, sp; ldp x29, x30, [sp], #0x10; ret;
0x0000000000000874: str w0, [sp, #0x1c]; str x1, [sp, #0x10]; bl #0x83c; movz w0, #0; ldp x29, x30, [sp], #0x20; ret;
0x0000000000000878: str x1, [sp, #0x10]; bl #0x83c; movz w0, #0; ldp x29, x30, [sp], #0x20; ret;
0x00000000000007e8: strb w0, [x19, #0x48]; ldr x19, [sp, #0x10]; ldp x29, x30, [sp], #0x20; ret;
0x000000000000067c: nop; adrp x16, #0x11000; ldr x17, [x16]; add x16, x16, #0; br x17;
0x0000000000000830: nop; ldp x29, x30, [sp], #0x20; ret;
0x0000000000000860: nop; ldp x29, x30, [sp], #0x60; ret;
0x0000000000000678: nop; nop; adrp x16, #0x11000; ldr x17, [x16]; add x16, x16, #0; br x17;
0x000000000000090c: nop; ret;
0x0000000000000650: ret;
我尤其对 0x00000000000008f8 和 0x00000000000008d8 这两个 gadget 感兴趣。
查找 ELF 文件基地址的命令 readelf -l 的输出为:
Elf 文件类型为 DYN(共享对象文件)
入口点 0x6f0
有 9 个程序头,从偏移量 64 开始
Program Headers:
Type Offset VirtAddr PhysAddr
FileSiz MemSiz Flags Align
PHDR 0x0000000000000040 0x0000000000000040 0x0000000000000040
0x00000000000001f8 0x00000000000001f8 R 0x8
INTERP 0x0000000000000238 0x0000000000000238 0x0000000000000238
0x000000000000001b 0x000000000000001b R 0x1
[Requesting program interpreter: /lib/ld-linux-aarch64.so.1]
LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000adc 0x0000000000000adc R E 0x10000
LOAD 0x0000000000000db8 0x0000000000010db8 0x0000000000010db8
0x0000000000000290 0x0000000000000298 RW 0x10000
DYNAMIC 0x0000000000000dc8 0x0000000000010dc8 0x0000000000010dc8
0x00000000000001e0 0x00000000000001e0 RW 0x8
NOTE 0x0000000000000254 0x0000000000000254 0x0000000000000254
0x0000000000000044 0x0000000000000044 R 0x4
GNU_EH_FRAME 0x0000000000000960 0x0000000000000960 0x0000000000000960
0x0000000000000054 0x0000000000000054 R 0x4
GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000000 0x0000000000000000 RW 0x10
GNU_RELRO 0x0000000000000db8 0x0000000000010db8 0x0000000000010db8
0x0000000000000248 0x0000000000000248 R 0x1
Section to Segment mapping:
Segment Sections...
00
01 .interp
02 .interp .note.gnu.build-id .note.ABI-tag .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame
03 .init_array .fini_array .dynamic .got .got.plt .data .bss
04 .dynamic
05 .note.gnu.build-id .note.ABI-tag
06 .eh_frame_hdr
07
08 .init_array .fini_array .dynamic .got
gdb 中 info proc mappings
的输出是:
Start Addr End Addr Size Offset objfile
0x5555555000 0x5555556000 0x1000 0x0 path_to _binary/binary_name
0x5555565000 0x5555566000 0x1000 0x0 path_to _binary/binary_name
0x5555566000 0x5555567000 0x1000 0x1000 path_to _binary/binary_name
0x7ff7e44000 0x7ff7fa1000 0x15d000 0x0 /usr/lib/aarch64-linux-gnu/libc-2.31.so
0x7ff7fa1000 0x7ff7fb1000 0x10000 0x15d000 /usr/lib/aarch64-linux-gnu/libc-2.31.so
0x7ff7fb1000 0x7ff7fb4000 0x3000 0x15d000 /usr/lib/aarch64-linux-gnu/libc-2.31.so
0x7ff7fb4000 0x7ff7fb7000 0x3000 0x160000 /usr/lib/aarch64-linux-gnu/libc-2.31.so
0x7ff7fb7000 0x7ff7fba000 0x3000 0x0
0x7ff7fcc000 0x7ff7fed000 0x21000 0x0 /usr/lib/aarch64-linux-gnu/ld-2.31.so
0x7ff7ff9000 0x7ff7ffb000 0x2000 0x0
0x7ff7ffb000 0x7ff7ffc000 0x1000 0x0 [vvar]
0x7ff7ffc000 0x7ff7ffd000 0x1000 0x0 [vdso]
0x7ff7ffd000 0x7ff7ffe000 0x1000 0x21000 /usr/lib/aarch64-linux-gnu/ld-2.31.so
0x7ff7ffe000 0x7ff8000000 0x2000 0x22000 /usr/lib/aarch64-linux-gnu/ld-2.31.so
0x7ffffdf000 0x8000000000 0x21000 0x0 [stack]
我怎样才能找出这个 gadget 实际加载到内存中的位置?还是说 ropper 报告的地址本身就有问题?
您的 gadget 位于 0x55555558f8。
Ropper 按 ELF header 所描述的二进制文件内存布局来显示 gadget 的地址,也就是尚未加上加载基址的虚拟地址(VirtAddr)。根据 header:
- 文件内容 0x0-0xadc 将以 r-x 权限映射到地址 0x0。
- 文件内容 0xdb8-0x1048 将以 rw- 权限映射到地址 0x10db8。
按页边界取整后,你会得到:一页可执行页,把文件偏移量 0x0 映射到地址 0x0;以及两页可写页,把文件偏移量 0x0 映射到地址 0x10000。
从您的 GDB 转储(info proc mappings)可以看到,在运行中的进程里这两个映射分别位于 0x5555555000 和 0x5555565000。因此该 gadget 的实际地址就是 0x5555555000 + 0x8f8 = 0x55555558f8。由于该二进制是 DYN(PIE)类型,这个基址由加载器决定,在启用 ASLR 时每次运行都可能不同。