{"id":1370,"date":"2021-07-17T22:52:03","date_gmt":"2021-07-17T22:52:03","guid":{"rendered":"http:\/\/144.76.171.171\/blog\/?p=1370"},"modified":"2021-07-17T22:52:38","modified_gmt":"2021-07-17T22:52:38","slug":"gdb-ve-normal-olmayan-program-akisi","status":"publish","type":"post","link":"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/07\/17\/gdb-ve-normal-olmayan-program-akisi\/","title":{"rendered":"GDB ve Normal Olmayan Program Ak\u0131\u015f\u0131"},"content":{"rendered":"

Giri\u015f<\/h1>\n

\u00c7ok \u00f6ncesinde sunumlar haz\u0131rlay\u0131p \u00f6\u011frencilere kullan\u0131m\u0131ndan bahsetmi\u015ftim ger\u00e7i o zamanalar bende \u00f6\u011frenciydim ancak kullanmad\u0131k\u00e7a unuttu\u011fumu farkettim ve tekrardan bir g\u00f6z att\u0131m. G\u00f6z atarkende buraya yazayim dedim ve yeni bir seri b\u00f6ylece do\u011fmu\u015f oldu. Yine tekrar tekrar s\u00f6yl\u00fcyorum ki bir m\u00fcfredata ba\u011fl\u0131 kalarak yazm\u0131yorum daha \u00e7ok kendi ho\u015fuma giden k\u0131s\u0131mlar\u0131 kaleme al\u0131yorum bo\u015funa "bireysel \u00e7\u00f6pl\u00fc\u011f\u00fcm" demiyorum buraya.<\/p>\n

Ba\u015flang\u0131\u00e7<\/h1>\n

O zaman yava\u015f yava\u015f ba\u015flayal\u0131m. \u0130lk dura\u011f\u0131m\u0131z symbol file<\/strong> olacakt\u0131r. Bunun ne oldu\u011fu hakk\u0131nda konu\u015faca\u011f\u0131z ama \u00f6ncesinde basit bir hello world yazal\u0131m. Ve gdb<\/strong>'den bahsedelim.<\/p>\n

\u250c\u2500\u2500(root💀kali)-[~\/oscp\/gdb]\n\u2514\u2500# cat hello.c \n#include <stdio.h>\nint main() {\n   \/\/ printf() displays the string inside quotation\n   printf("Hello, World!");\n   return 0;\n}<\/code><\/pre>\n
\u015eimdi program\u0131 derleyelim ve \u00e7al\u0131\u015ft\u0131ral\u0131m.<\/p>\n
 hello.c -o hello\n\n\u250c\u2500\u2500(root💀kali)-[~\/oscp\/gdb]\n\u2514\u2500# .\/hello\nHello, World!          <\/code><\/pre>\n
Harika, \u015fimdi gelelim as\u0131l sorular\u0131m\u0131za gdb nedir. Hello World gibi basit programlardan karma\u015f\u0131k programlara kadar bir\u00e7ok program\u0131 analiz edebilece\u011finiz, \u00e7al\u0131\u015fma zaman\u0131nda debuglayabilece\u011finiz bir program ar\u0131yorsan\u0131z gdb ile tan\u0131\u015f\u0131n. K\u0131saca gdb'yi debuger arac\u0131m\u0131z olarak \u00f6zetleyebiliriz.
\nPeki symbol files nedir? Bu bir tersine m\u00fchendislik serisi olmayacak ama buradaki bilgileri tersine m\u00fchendislikte kullan\u0131r\u0131z. Amac\u0131m\u0131z tersine m\u00fchendislik yaparken asl\u0131nda bir\u00e7ok gizem \u00e7\u00f6zmektir. Makine yada byte kodlardan bir \u015feyler elde etmeye \u00e7al\u0131\u015f\u0131r\u0131z, elimizde symbol dosyalar\u0131 olsayd\u0131 i\u015f biraz de\u011fi\u015febilirdi. Symbol dosyalar\u0131 ile debuglamak oduk\u00e7a kolayd\u0131r \u00e7\u00fcnk\u00fc bu dosyalar de\u011fi\u015fkenler, fonksyionlar gibi bir \u00e7ok anlaml\u0131 bilgiyi bar\u0131nd\u0131r\u0131r. \u00d6rnek olarak hello<\/strong> uygulamas\u0131n\u0131 debuglamay\u0131 deneyelim. gdb bize bir uyar\u0131 verecektir.<\/p>\n
\u250c\u2500\u2500(root💀kali)-[~\/oscp\/gdb]\n\u2514\u2500# gdb .\/hello         \nGNU gdb (Debian 10.1-1.7) 10.1.90.20210103-git\nCopyright (C) 2021 Free Software Foundation, Inc.\nLicense GPLv3+: GNU GPL version 3 or later <http:\/\/gnu.org\/licenses\/gpl.html>\nThis is free software: you are free to change and redistribute it.\nThere is NO WARRANTY, to the extent permitted by law.\nType "show copying" and "show warranty" for details.\nThis GDB was configured as "x86_64-linux-gnu".\nType "show configuration" for configuration details.\nFor bug reporting instructions, please see:\n<https:\/\/www.gnu.org\/software\/gdb\/bugs\/>.\nFind the GDB manual and other documentation resources online at:\n    <http:\/\/www.gnu.org\/software\/gdb\/documentation\/>.\n\nFor help, type "help".\nType "apropos word" to search for commands related to "word"...\nReading symbols from .\/hello...\n(No debugging symbols found in .\/hello)\n(gdb) <\/code><\/pre>\n
(No debugging symbols found in .\/hello)<\/strong> eskiden derleyiciler \u015fuanda oldu\u011fu gibi de\u011fildi, yaz\u0131l\u0131mc\u0131lar debuglamak i\u00e7in ekstra ara\u00e7lar kullan\u0131rlard\u0131 \u00f6rnek gdb gibi. Daha anlaml\u0131 debug'lamak i\u00e7n symbol dosyalar\u0131na ihtiya\u00e7 duyar\u0131z. Peki bu dosyalar\u0131 nas\u0131l elde edece\u011fiz. Asl\u0131nda derleme a\u015famas\u0131nda bir parametre ile bunu elde edebiliriz.<\/p>\n
\n\u250c\u2500\u2500(root💀kali)-[~\/oscp\/gdb]\n\u2514\u2500# gcc hello.c -o hello2 -ggdb     \n\n\u250c\u2500\u2500(root💀kali)-[~\/oscp\/gdb]\n\u2514\u2500# gdb .\/hello2               \nGNU gdb (Debian 10.1-1.7) 10.1.90.20210103-git\nCopyright (C) 2021 Free Software Foundation, Inc.\nLicense GPLv3+: GNU GPL version 3 or later <http:\/\/gnu.org\/licenses\/gpl.html>\nThis is free software: you are free to change and redistribute it.\nThere is NO WARRANTY, to the extent permitted by law.\nType "show copying" and "show warranty" for details.\nThis GDB was configured as "x86_64-linux-gnu".\nType "show configuration" for configuration details.\nFor bug reporting instructions, please see:\n<https:\/\/www.gnu.org\/software\/gdb\/bugs\/>.\nFind the GDB manual and other documentation resources online at:\n    <http:\/\/www.gnu.org\/software\/gdb\/documentation\/>.\n\nFor help, type "help".\nType "apropos word" to search for commands related to "word"...\nReading symbols from .\/hello2...\n(gdb) \n<\/code><\/pre>\n
Harika! Reading symbols from .\/hello2...<\/strong> Tamam symbol dosyalar\u0131n\u0131 anald\u0131k. Debuglamada yard\u0131mc\u0131ym\u0131\u015f. \u015eimdi teorik bilgiyi bir kenara b\u0131rak\u0131p ger\u00e7ekten uygulama \u00fczerinde g\u00f6relim. Symbol files'\u0131n olmas\u0131 ya da olmamas\u0131 nelere sebep oluyormu\u015f?<\/p>\n
\u015eimdi yeni bir dosya olu\u015ftural\u0131m ve normal \u015fartlarda \u00e7al\u0131\u015ft\u0131ramad\u0131\u011f\u0131m\u0131z bir fonksiyon tan\u0131mlayal\u0131m. Biraz bu dosyayla oynayaca\u011f\u0131z.<\/p>\n
\u250c\u2500\u2500(root💀kali)-[~\/oscp\/gdb]\n\u2514\u2500# cat test.c        \n#include <stdio.h>\nint main() {\n   \/\/ printf() displays the string inside quotation\n   printf("Hello, World!");\n   return 0;\n}\nvoid test(){\n  printf("Hack!");\n}\n\n\u250c\u2500\u2500(root💀kali)-[~\/oscp\/gdb]\n\u2514\u2500# gcc test.c -o test\n\n\u250c\u2500\u2500(root💀kali)-[~\/oscp\/gdb]\n\u2514\u2500# gcc test.c -o test2 -ggdb                                                                                    1 \u2a2f\n<\/code><\/pre>\n
Elimizde iki tane binary var. Bunlar\u0131 s\u0131ras\u0131 ile gdb arac\u0131l\u0131\u011f\u0131yla a\u00e7al\u0131m ve fonksiyonlar hakk\u0131nda bilgi almay\u0131 deneyelim.<\/p>\n
Symbol dosyalar\u0131 yokken a\u015fa\u011f\u0131daki gibi bir \u00e7\u0131kt\u0131 al\u0131r\u0131z.<\/p>\n
\u250c\u2500\u2500(root💀kali)-[~\/oscp\/gdb]\n\u2514\u2500# gdb .\/test               \nGNU gdb (Debian 10.1-1.7) 10.1.90.20210103-git\nCopyright (C) 2021 Free Software Foundation, Inc.\nLicense GPLv3+: GNU GPL version 3 or later <http:\/\/gnu.org\/licenses\/gpl.html>\nThis is free software: you are free to change and redistribute it.\nThere is NO WARRANTY, to the extent permitted by law.\nType "show copying" and "show warranty" for details.\nThis GDB was configured as "x86_64-linux-gnu".\nType "show configuration" for configuration details.\nFor bug reporting instructions, please see:\n<https:\/\/www.gnu.org\/software\/gdb\/bugs\/>.\nFind the GDB manual and other documentation resources online at:\n    <http:\/\/www.gnu.org\/software\/gdb\/documentation\/>.\n\nFor help, type "help".\nType "apropos word" to search for commands related to "word"...\nReading symbols from .\/test...\n(No debugging symbols found in .\/test)\n(gdb) info functions\nAll defined functions:\n\nNon-debugging symbols:\n0x0000000000001000  _init\n0x0000000000001030  printf@plt\n0x0000000000001040  __cxa_finalize@plt\n0x0000000000001050  _start\n0x0000000000001080  deregister_tm_clones\n0x00000000000010b0  register_tm_clones\n0x00000000000010f0  __do_global_dtors_aux\n0x0000000000001130  frame_dummy\n0x0000000000001135  main\n0x0000000000001151  test\n0x0000000000001170  __libc_csu_init\n0x00000000000011d0  __libc_csu_fini\n0x00000000000011d4  _fini\n(gdb) \n<\/code><\/pre>\n
Symbol dosyalar\u0131 varken ise a\u015fa\u011f\u0131daki gibi bir \u00e7\u0131kt\u0131 al\u0131r\u0131z.<\/p>\n
\u250c\u2500\u2500(root💀kali)-[~\/oscp\/gdb]\u250c\u2500\u2500(root💀kali)-[~\/oscp\/gdb]\n\u2514\u2500# gdb .\/test2\nGNU gdb (Debian 10.1-1.7) 10.1.90.20210103-git\nCopyright (C) 2021 Free Software Foundation, Inc.\nLicense GPLv3+: GNU GPL version 3 or later <http:\/\/gnu.org\/licenses\/gpl.html>\nThis is free software: you are free to change and redistribute it.\nThere is NO WARRANTY, to the extent permitted by law.\nType "show copying" and "show warranty" for details.\nThis GDB was configured as "x86_64-linux-gnu".\nType "show configuration" for configuration details.\nFor bug reporting instructions, please see:\n<https:\/\/www.gnu.org\/software\/gdb\/bugs\/>.\nFind the GDB manual and other documentation resources online at:\n    <http:\/\/www.gnu.org\/software\/gdb\/documentation\/>.\n\nFor help, type "help".\nType "apropos word" to search for commands related to "word"...\nReading symbols from .\/test2...\n(gdb) info functions\nAll defined functions:\n\nFile test.c:\n2:  int main();\n7:  void test();\n\nNon-debugging symbols:\n0x0000000000001000  _init\n0x0000000000001030  printf@plt\n0x0000000000001040  __cxa_finalize@plt\n0x0000000000001050  _start\n0x0000000000001080  deregister_tm_clones\n0x00000000000010b0  register_tm_clones\n0x00000000000010f0  __do_global_dtors_aux\n0x0000000000001130  frame_dummy\n0x0000000000001170  __libc_csu_init\n0x00000000000011d0  __libc_csu_fini\n0x00000000000011d4  _fini\n(gdb) \n<\/code><\/pre>\n
Kaynak kodu g\u00f6rmek istedi\u011fimizde list<\/strong> anahtar kelimesini kullanabiliriz. Symbol dosyalar\u0131 olmad\u0131\u011f\u0131nda a\u015fa\u011f\u0131daki gibi bir \u00e7\u0131kt\u0131 al\u0131r\u0131z.<\/p>\n
(gdb) list 1\nNo symbol table is loaded.  Use the "file" command.\n(gdb) <\/code><\/pre>\n
Symbol dosyalar\u0131 oldu\u011funda a\u015fa\u011f\u0131daki gibi bir \u00e7\u0131kt\u0131 al\u0131r\u0131z.<\/p>\n
(gdb) list 1\n1   #include <stdio.h>\n2   int main() {\n3      \/\/ printf() displays the string inside quotation\n4      printf("Hello, World!");\n5      return 0;\n6   }\n7   void test(){\n8     printf("Hack!");\n9   }\n(gdb) \n<\/code><\/pre>\n
\u015eimdi \u00e7al\u0131\u015f\u0131r durumdayken analiz yapmaya ba\u015flayal\u0131m. Bunun i\u00e7in program\u0131 ilk ba\u015fta \u00e7al\u0131\u015ft\u0131rmam\u0131z gerekecektir ve analizlere symbol dosyas\u0131 olmayan binary \u00fczernden devam edece\u011fim.<\/p>\n
\u0130sterseni yeni bir kod yazal\u0131m ve a\u015fa\u011f\u0131daki projeyi derleyip analiz edelim.<\/p>\n
\u250c\u2500\u2500(root💀kali)-[~\/oscp\/gdb]\n\u2514\u2500# cat ornek.c\n#include <stdio.h>\n\nvoid aslaCalismam(){\n  printf("Tebrikler!, beni \u00e7al\u0131\u015ft\u0131rabildin.");\n}\n\nvoid calis(){\n  printf("Zaten \u00e7al\u0131\u015fmam gerekiyordu");\n}\nint main() {\n   printf("Deneme Ama\u00e7l\u0131d\u0131r\\n");\n   calis();\n   return 0;\n}\n\n\u250c\u2500\u2500(root💀kali)-[~\/oscp\/gdb]\n\u2514\u2500# gcc ornek.c -o ornek\n\n\u250c\u2500\u2500(root💀kali)-[~\/oscp\/gdb]\n\u2514\u2500# .\/ornek             \nDeneme Ama\u00e7l\u0131d\u0131r\nZaten \u00e7al\u0131\u015fmam gerekiyordu  <\/code><\/pre>\n
\u015eimdi program\u0131 \u00e7al\u0131\u015ft\u0131ral\u0131m.<\/p>\n
\u250c\u2500\u2500(root💀kali)-[~\/oscp\/gdb]\n\u2514\u2500# gdb ornek \nGNU gdb (Debian 10.1-1.7) 10.1.90.20210103-git\nCopyright (C) 2021 Free Software Foundation, Inc.\nLicense GPLv3+: GNU GPL version 3 or later <http:\/\/gnu.org\/licenses\/gpl.html>\nThis is free software: you are free to change and redistribute it.\nThere is NO WARRANTY, to the extent permitted by law.\nType "show copying" and "show warranty" for details.\nThis GDB was configured as "x86_64-linux-gnu".\nType "show configuration" for configuration details.\nFor bug reporting instructions, please see:\n<https:\/\/www.gnu.org\/software\/gdb\/bugs\/>.\nFind the GDB manual and other documentation resources online at:\n    <http:\/\/www.gnu.org\/software\/gdb\/documentation\/>.\n\nFor help, type "help".\nType "apropos word" to search for commands related to "word"...\nReading symbols from ornek...\n(No debugging symbols found in ornek)\n(gdb) info functions\nAll defined functions:\n\nNon-debugging symbols:\n0x0000000000001000  _init\n0x0000000000001030  puts@plt\n0x0000000000001040  printf@plt\n0x0000000000001050  __cxa_finalize@plt\n0x0000000000001060  _start\n0x0000000000001090  deregister_tm_clones\n0x00000000000010c0  register_tm_clones\n0x0000000000001100  __do_global_dtors_aux\n0x0000000000001140  frame_dummy\n0x0000000000001145  aslaCalismam\n0x000000000000115d  calis\n0x0000000000001175  main\n0x00000000000011a0  __libc_csu_init\n0x0000000000001200  __libc_csu_fini\n0x0000000000001204  _fini\n(gdb) run\nStarting program: \/root\/oscp\/gdb\/ornek \nDeneme Ama\u00e7l\u0131d\u0131r\nZaten \u00e7al\u0131\u015fmam gerekiyordu[Inferior 1 (process 5093) exited normally]\n<\/code><\/pre>\n
G\u00f6r\u00fcld\u00fc\u011f\u00fc \u00fczere program\u0131 normal bir \u015fekilde \u00e7al\u0131\u015ft\u0131eravildik ancak kodu dikkatli okuduysan\u0131z aslaCalismam() isimli bir fonksiyon bulunmaktad\u0131r. Bu fonksyionu \u00e7al\u0131\u015ft\u0131rmak istiyoruz. Bunu nas\u0131l yapabiliriz?<\/p>\n
Program \u00e7al\u0131\u015f\u0131rken main fonksyionuna break point koyarak ba\u015flayal\u0131m. Daha sonras\u0131nda o esnadaki register'lar\u0131 kontrol edelim.<\/p>\n
The program has no registers now.\n(gdb) break main\nBreakpoint 1 at 0x555555555179\n(gdb) run\nStarting program: \/root\/oscp\/gdb\/ornek \n\nBreakpoint 1, 0x0000555555555179 in main ()\n(gdb) info registers\nrax            0x555555555175      93824992235893\nrbx            0x0                 0\nrcx            0x7ffff7fae718      140737353803544\nrdx            0x7fffffffe448      140737488348232\nrsi            0x7fffffffe438      140737488348216\nrdi            0x1                 1\nrbp            0x7fffffffe340      0x7fffffffe340\nrsp            0x7fffffffe340      0x7fffffffe340\nr8             0x0                 0\nr9             0x7ffff7fe21b0      140737354015152\nr10            0x1                 1\nr11            0x0                 0\nr12            0x555555555060      93824992235616\nr13            0x0                 0\nr14            0x0                 0\nr15            0x0                 0\nrip            0x555555555179      0x555555555179 <main+4>\neflags         0x246               [ PF ZF IF ]\ncs             0x33                51\nss             0x2b                43\nds             0x0                 0\nes             0x0                 0\nfs             0x0                 0\ngs             0x0                 0\n<\/code><\/pre>\n
Asl\u0131nda hi\u00e7bir hata yok ancaj biz \u015fuanda x86 mimarisine g\u00f6re ilerliyoruz. Bu y\u00fczden benimle ayn\u0131 \u00e7\u0131kt\u0131y\u0131 al\u0131yorsan\u0131z program\u0131 x64'e g\u00f6re derlemi\u015fsiniz demektir. x86'ya g\u00f6re tekrar derleyip devam edelim. <\/p>\n
64bir bir makinede 32 bit derleme yapabilmek i\u00e7in gcc'nin multilib'ine ihtiyac\u0131m\u0131z olacakt\u0131r.<\/p>\n
\n\u250c\u2500\u2500(root💀kali)-[~\/oscp\/gdb]\n\u2514\u2500# gcc ornek.c -o ornek -m32\nIn file included from ornek.c:1:\n\/usr\/include\/stdio.h:27:10: fatal error: bits\/libc-header-start.h: No such file or directory\n   27 | #include <bits\/libc-header-start.h>\n      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~\ncompilation terminated.\n\n\u250c\u2500\u2500(root💀kali)-[~\/oscp\/gdb]\n\u2514\u2500# apt-get install gcc-multilib -y                                                                                                                                                                                                      1 \u2a2f\nReading package lists... Done\nBuilding dependency tree... Done\nReading state information... Done\nThe following additional packages will be installed:\n  gcc-10-multilib lib32asan6 lib32atomic1 lib32gcc-10-dev lib32gomp1 lib32itm1 lib32quadmath0 lib32ubsan1 libc6-dev-i386 libc6-dev-x32 libc6-x32 libx32asan6 libx32atomic1 libx32gcc-10-dev libx32gcc-s1 libx32gomp1 libx32itm1\n  libx32quadmath0 libx32stdc++6 libx32ubsan1\nThe following NEW packages will be installed:\n  gcc-10-multilib gcc-multilib lib32asan6 lib32atomic1 lib32gcc-10-dev lib32gomp1 lib32itm1 lib32quadmath0 lib32ubsan1 libc6-dev-i386 libc6-dev-x32 libc6-x32 libx32asan6 libx32atomic1 libx32gcc-10-dev libx32gcc-s1 libx32gomp1\n  libx32itm1 libx32quadmath0 libx32stdc++6 libx32ubsan1\n0 upgraded, 21 newly installed, 0 to remove and 208 not upgraded.\nNeed to get 17.1 MB of archives.\nAfter this operation, 69.3 MB of additional disk space will be used.\n...<\/code><\/pre>\n
\n\u250c\u2500\u2500(root💀kali)-[~\/oscp\/gdb]\n\u2514\u2500# gcc ornek.c -o ornek -m32      \n<\/code><\/pre>\n
Evet harika. Ba\u015far\u0131l\u0131 bir \u015fekilde 32bit'e uyun derleme yapt\u0131k.<\/p>\n
\u015eimdi main fonksiyonuna break point atal\u0131m ve o esnada register'lar\u0131 kontrol edelim.<\/p>\n
ou are free to change and redistribute it.\nThere is NO WARRANTY, to the extent permitted by law.\nType "show copying" and "show warranty" for details.\nThis GDB was configured as "x86_64-linux-gnu".\nType "show configuration" for configuration details.\nFor bug reporting instructions, please see:\n<https:\/\/www.gnu.org\/software\/gdb\/bugs\/>.\nFind the GDB manual and other documentation resources online at:\n    <http:\/\/www.gnu.org\/software\/gdb\/documentation\/>.\n\nFor help, type "help".\nType "apropos word" to search for commands related to "word"...\nReading symbols from .\/ornek...\n(No debugging symbols found in .\/ornek)\n(gdb) info functions\nAll defined functions:\n\nNon-debugging symbols:\n0x00001000  _init\n0x00001030  printf@plt\n0x00001040  puts@plt\n0x00001050  __libc_start_main@plt\n0x00001060  __cxa_finalize@plt\n0x00001070  _start\n0x000010b0  __x86.get_pc_thunk.bx\n0x000010c0  deregister_tm_clones\n0x00001100  register_tm_clones\n0x00001150  __do_global_dtors_aux\n0x000011a0  frame_dummy\n0x000011a5  __x86.get_pc_thunk.dx\n0x000011a9  aslaCalismam\n0x000011d4  calis\n0x000011ff  main\n0x00001240  __x86.get_pc_thunk.ax\n0x00001250  __libc_csu_init\n0x000012b0  __libc_csu_fini\n0x000012b1  __x86.get_pc_thunk.bp\n0x000012b8  _fini\n(gdb) break main\nBreakpoint 1 at 0x120e\n(gdb) run\nStarting program: \/root\/oscp\/gdb\/ornek \n\nBreakpoint 1, 0x5655620e in main ()\n(gdb) info registers\neax            0xf7fb2ae8          -134534424\necx            0xffffd4c0          -11072\nedx            0xffffd4f4          -11020\nebx            0x0                 0\nesp            0xffffd4a0          0xffffd4a0\nebp            0xffffd4a8          0xffffd4a8\nesi            0xf7fb0000          -134545408\nedi            0xf7fb0000          -134545408\neip            0x5655620e          0x5655620e <main+15>\neflags         0x282               [ SF IF ]\ncs             0x23                35\nss             0x2b                43\nds             0x2b                43\nes             0x2b                43\nfs             0x0                 0\ngs             0x63                99\n<\/code><\/pre>\n
Register'lar\u0131 d\u00fczg\u00fcn bir \u015fekilde g\u00f6r\u00fcnt\u00fcleyebildik.  \u015eidmi main fonksiyonun i\u00e7ine girelim.<\/p>\n
(gdb) disassemble main\nDump of assembler code for function main:\n   0x565561ff <+0>:   lea    0x4(%esp),%ecx\n   0x56556203 <+4>:   and    $0xfffffff0,%esp\n   0x56556206 <+7>:   push   -0x4(%ecx)\n   0x56556209 <+10>:  push   %ebp\n   0x5655620a <+11>:  mov    %esp,%ebp\n   0x5655620c <+13>:  push   %ebx\n   0x5655620d <+14>:  push   %ecx\n=> 0x5655620e <+15>:   call   0x56556240 <__x86.get_pc_thunk.ax>\n   0x56556213 <+20>:  add    $0x2ded,%eax\n   0x56556218 <+25>:  sub    $0xc,%esp\n   0x5655621b <+28>:  lea    -0x1fb4(%eax),%edx\n   0x56556221 <+34>:  push   %edx\n   0x56556222 <+35>:  mov    %eax,%ebx\n   0x56556224 <+37>:  call   0x56556040 <puts@plt>\n   0x56556229 <+42>:  add    $0x10,%esp\n   0x5655622c <+45>:  call   0x565561d4 <calis>\n   0x56556231 <+50>:  mov    $0x0,%eax\n   0x56556236 <+55>:  lea    -0x8(%ebp),%esp\n   0x56556239 <+58>:  pop    %ecx\n   0x5655623a <+59>:  pop    %ebx\n   0x5655623b <+60>:  pop    %ebp\n   0x5655623c <+61>:  lea    -0x4(%ecx),%esp\n   0x5655623f <+64>:  ret    \nEnd of assembler dump.\n(gdb) \n<\/code><\/pre>\n
Break pointimizi 0x5655620e<\/strong> adresinde g\u00f6r\u00fcyoruz. Ancak intel syntax'\u0131na uygun bir \u015fekilde dump almad\u0131k. Bunu d\u00fczeltip tekrar okuma i\u015flemi yapal\u0131m.<\/p>\n
(gdb) set disassembly-flavor intel\n(gdb) disassemble main\nDump of assembler code for function main:\n   0x565561ff <+0>:   lea    ecx,[esp+0x4]\n   0x56556203 <+4>:   and    esp,0xfffffff0\n   0x56556206 <+7>:   push   DWORD PTR [ecx-0x4]\n   0x56556209 <+10>:  push   ebp\n   0x5655620a <+11>:  mov    ebp,esp\n   0x5655620c <+13>:  push   ebx\n   0x5655620d <+14>:  push   ecx\n=> 0x5655620e <+15>:   call   0x56556240 <__x86.get_pc_thunk.ax>\n   0x56556213 <+20>:  add    eax,0x2ded\n   0x56556218 <+25>:  sub    esp,0xc\n   0x5655621b <+28>:  lea    edx,[eax-0x1fb4]\n   0x56556221 <+34>:  push   edx\n   0x56556222 <+35>:  mov    ebx,eax\n   0x56556224 <+37>:  call   0x56556040 <puts@plt>\n   0x56556229 <+42>:  add    esp,0x10\n   0x5655622c <+45>:  call   0x565561d4 <calis>\n   0x56556231 <+50>:  mov    eax,0x0\n   0x56556236 <+55>:  lea    esp,[ebp-0x8]\n   0x56556239 <+58>:  pop    ecx\n   0x5655623a <+59>:  pop    ebx\n   0x5655623b <+60>:  pop    ebp\n   0x5655623c <+61>:  lea    esp,[ecx-0x4]\n   0x5655623f <+64>:  ret    \nEnd of assembler dump.<\/code><\/pre>\n
0x5655622c<\/strong> adresinde g\u00f6r\u00fcld\u00fc\u011f\u00fc \u00fczere calis<\/strong> simli fonksyion \u00e7a\u011fr\u0131lmaktad\u0131r. Bu esnada return adres olarak 0x56556231<\/strong> adresi stack alan\u0131na eklenecektir.<\/p>\n
\u015eimdi kodlar\u0131m\u0131z\u0131 ilerletelim ve g\u00f6relim. K\u0131sa bir bilgi a\u015fa\u011f\u0131da verilmi\u015ftir.<\/p>\n
step => adres adres ilerleme\nstepi => adres adres ilerleme ama fonksyionlar\u0131n i\u00e7ine girilmez direkt ge\u00e7ilir.\ncontinue => sonraki break poin'e kadar gidilir<\/code><\/pre>\n
\u0130lk olarak calis k\u0131sm\u0131nada bir break point koyal\u0131m. calis fonksiyonuna girdi\u011fimizde 0x56556231<\/strong> adresinin stack alan\u0131na geldi\u011fini g\u00f6rebilmekteyiz. <\/p>\n
\n\u250c\u2500\u2500(root💀kali)-[~\/oscp\/gdb]\n\u2514\u2500# gdb .\/ornek\nGNU gdb (Debian 10.1-1.7) 10.1.90.20210103-git\nCopyright (C) 2021 Free Software Foundation, Inc.\nLicense GPLv3+: GNU GPL version 3 or later <http:\/\/gnu.org\/licenses\/gpl.html>\nThis is free software: you are free to change and redistribute it.\nThere is NO WARRANTY, to the extent permitted by law.\nType "show copying" and "show warranty" for details.\nThis GDB was configured as "x86_64-linux-gnu".\nType "show configuration" for configuration details.\nFor bug reporting instructions, please see:\n<https:\/\/www.gnu.org\/software\/gdb\/bugs\/>.\nFind the GDB manual and other documentation resources online at:\n    <http:\/\/www.gnu.org\/software\/gdb\/documentation\/>.\n\nFor help, type "help".\nType "apropos word" to search for commands related to "word"...\nReading symbols from .\/ornek...\n(No debugging symbols found in .\/ornek)\n(gdb) break main\nBreakpoint 1 at 0x120e\n(gdb) disassemble main\nDump of assembler code for function main:\n   0x000011ff <+0>:   lea    0x4(%esp),%ecx\n   0x00001203 <+4>:   and    $0xfffffff0,%esp\n   0x00001206 <+7>:   push   -0x4(%ecx)\n   0x00001209 <+10>:  push   %ebp\n   0x0000120a <+11>:  mov    %esp,%ebp\n   0x0000120c <+13>:  push   %ebx\n   0x0000120d <+14>:  push   %ecx\n   0x0000120e <+15>:  call   0x1240 <__x86.get_pc_thunk.ax>\n   0x00001213 <+20>:  add    $0x2ded,%eax\n   0x00001218 <+25>:  sub    $0xc,%esp\n   0x0000121b <+28>:  lea    -0x1fb4(%eax),%edx\n   0x00001221 <+34>:  push   %edx\n   0x00001222 <+35>:  mov    %eax,%ebx\n   0x00001224 <+37>:  call   0x1040 <puts@plt>\n   0x00001229 <+42>:  add    $0x10,%esp\n   0x0000122c <+45>:  call   0x11d4 <calis>\n   0x00001231 <+50>:  mov    $0x0,%eax\n   0x00001236 <+55>:  lea    -0x8(%ebp),%esp\n   0x00001239 <+58>:  pop    %ecx\n   0x0000123a <+59>:  pop    %ebx\n   0x0000123b <+60>:  pop    %ebp\n   0x0000123c <+61>:  lea    -0x4(%ecx),%esp\n   0x0000123f <+64>:  ret    \nEnd of assembler dump.\n(gdb) break calis\nBreakpoint 2 at 0x11d8\n(gdb) run\nStarting program: \/root\/oscp\/gdb\/ornek \n\nBreakpoint 1, 0x5655620e in main ()\n(gdb) stepi\n0x56556240 in __x86.get_pc_thunk.ax ()\n(gdb) disassemble main\nDump of assembler code for function main:\n   0x565561ff <+0>:   lea    0x4(%esp),%ecx\n   0x56556203 <+4>:   and    $0xfffffff0,%esp\n   0x56556206 <+7>:   push   -0x4(%ecx)\n   0x56556209 <+10>:  push   %ebp\n   0x5655620a <+11>:  mov    %esp,%ebp\n   0x5655620c <+13>:  push   %ebx\n   0x5655620d <+14>:  push   %ecx\n   0x5655620e <+15>:  call   0x56556240 <__x86.get_pc_thunk.ax>\n   0x56556213 <+20>:  add    $0x2ded,%eax\n   0x56556218 <+25>:  sub    $0xc,%esp\n   0x5655621b <+28>:  lea    -0x1fb4(%eax),%edx\n   0x56556221 <+34>:  push   %edx\n   0x56556222 <+35>:  mov    %eax,%ebx\n   0x56556224 <+37>:  call   0x56556040 <puts@plt>\n   0x56556229 <+42>:  add    $0x10,%esp\n   0x5655622c <+45>:  call   0x565561d4 <calis>\n   0x56556231 <+50>:  mov    $0x0,%eax\n   0x56556236 <+55>:  lea    -0x8(%ebp),%esp\n   0x56556239 <+58>:  pop    %ecx\n   0x5655623a <+59>:  pop    %ebx\n   0x5655623b <+60>:  pop    %ebp\n   0x5655623c <+61>:  lea    -0x4(%ecx),%esp\n   0x5655623f <+64>:  ret    \nEnd of assembler dump.\n(gdb) continue\nContinuing.\nDeneme Ama\u00e7l\u0131d\u0131r\n\nBreakpoint 2, 0x565561d8 in calis ()\n(gdb) info frame\nStack level 0, frame at 0xffffd4a0:\n eip = 0x565561d8 in calis; saved eip = 0x56556231\n called by frame at 0xffffd4c0\n Arglist at 0xffffd498, args: \n Locals at 0xffffd498, Previous frame's sp is 0xffffd4a0\n Saved registers:\n  ebp at 0xffffd498, eip at 0xffffd49c\n(gdb) x\/30x 0xffffd498\n0xffffd498: 0xffffd4a8  0x56556231  0xffffd4c0  0x00000000\n0xffffd4a8: 0x00000000  0xf7de9e46  0xf7fb0000  0xf7fb0000\n0xffffd4b8: 0x00000000  0xf7de9e46  0x00000001  0xffffd564\n0xffffd4c8: 0xffffd56c  0xffffd4f4  0xffffd504  0xf7ffdb40\n0xffffd4d8: 0xf7fca410  0xf7fb0000  0x00000001  0x00000000\n0xffffd4e8: 0xffffd548  0x00000000  0xf7ffd000  0x00000000\n0xffffd4f8: 0xf7fb0000  0xf7fb0000  0x00000000  0x165acff0\n0xffffd508: 0x54c8b1e0  0x00000000\n(gdb) <\/code><\/pre>\n
Bu k\u0131s\u0131m asl\u0131nda main fonksiyonu i\u00e7erisinde \u00e7a\u011f\u0131r\u0131lan calis fonksiyonu tamamlan\u0131ca main fonksyionunda devam edece\u011fi k\u0131sm\u0131 belirtmektedir. \u015eimdi bu alan\u0131n \u00fcst\u00fcne yazal\u0131m.<\/p>\n
0xffffd498: 0xffffd4a8  0x56556231  0xffffd4c0  0x00000000<\/code><\/pre>\n
K\u0131sm\u0131na bakt\u0131\u011f\u0131m\u0131zda 0x56556231<\/strong> k\u0131sm\u0131n\u0131n 0xffffd49c<\/strong> alan\u0131nda sakland\u0131\u011f\u0131n\u0131 g\u00f6rebiliyoruz. <\/p>\n
K\u0131sca ba\u015ftan a\u015fa\u011f\u0131ya a\u015fa\u011f\u0131daki \u00e7\u0131kt\u0131ya bak\u0131n. Demek istedi\u011fimi anlayacaks\u0131n\u0131z RETR k\u0131sm\u0131nda asl\u0131nda stack'e ilk at\u0131lan adres en son olarak (lifo) d\u0131\u015far\u0131 \u00e7\u0131kart\u0131lmaktad\u0131r.<\/p>\n
\n\u250c\u2500\u2500(root💀kali)-[~\/oscp\/gdb]\n\u2514\u2500# gdb .\/ornek              \nGNU gdb (Debian 10.1-1.7) 10.1.90.20210103-git\nCopyright (C) 2021 Free Software Foundation, Inc.\nLicense GPLv3+: GNU GPL version 3 or later <http:\/\/gnu.org\/licenses\/gpl.html>\nThis is free software: you are free to change and redistribute it.\nThere is NO WARRANTY, to the extent permitted by law.\nType "show copying" and "show warranty" for details.\nThis GDB was configured as "x86_64-linux-gnu".\nType "show configuration" for configuration details.\nFor bug reporting instructions, please see:\n<https:\/\/www.gnu.org\/software\/gdb\/bugs\/>.\nFind the GDB manual and other documentation resources online at:\n    <http:\/\/www.gnu.org\/software\/gdb\/documentation\/>.\n\nFor help, type "help".\nType "apropos word" to search for commands related to "word"...\nReading symbols from .\/ornek...\n(No debugging symbols found in .\/ornek)\n(gdb) info functions\nAll defined functions:\n\nNon-debugging symbols:\n0x00001000  _init\n0x00001030  printf@plt\n0x00001040  puts@plt\n0x00001050  __libc_start_main@plt\n0x00001060  __cxa_finalize@plt\n0x00001070  _start\n0x000010b0  __x86.get_pc_thunk.bx\n0x000010c0  deregister_tm_clones\n0x00001100  register_tm_clones\n0x00001150  __do_global_dtors_aux\n0x000011a0  frame_dummy\n0x000011a5  __x86.get_pc_thunk.dx\n0x000011a9  aslaCalismam\n0x000011d4  calis\n0x000011ff  main\n0x00001240  __x86.get_pc_thunk.ax\n0x00001250  __libc_csu_init\n0x000012b0  __libc_csu_fini\n0x000012b1  __x86.get_pc_thunk.bp\n0x000012b8  _fini\n(gdb) break main\nBreakpoint 1 at 0x120e\n(gdb) run\nStarting program: \/root\/oscp\/gdb\/ornek \n\nBreakpoint 1, 0x5655620e in main ()\n(gdb) disassemble main\nDump of assembler code for function main:\n   0x565561ff <+0>:   lea    0x4(%esp),%ecx\n   0x56556203 <+4>:   and    $0xfffffff0,%esp\n   0x56556206 <+7>:   push   -0x4(%ecx)\n   0x56556209 <+10>:  push   %ebp\n   0x5655620a <+11>:  mov    %esp,%ebp\n   0x5655620c <+13>:  push   %ebx\n   0x5655620d <+14>:  push   %ecx\n=> 0x5655620e <+15>:   call   0x56556240 <__x86.get_pc_thunk.ax>\n   0x56556213 <+20>:  add    $0x2ded,%eax\n   0x56556218 <+25>:  sub    $0xc,%esp\n   0x5655621b <+28>:  lea    -0x1fb4(%eax),%edx\n   0x56556221 <+34>:  push   %edx\n   0x56556222 <+35>:  mov    %eax,%ebx\n   0x56556224 <+37>:  call   0x56556040 <puts@plt>\n   0x56556229 <+42>:  add    $0x10,%esp\n   0x5655622c <+45>:  call   0x565561d4 <calis>\n   0x56556231 <+50>:  mov    $0x0,%eax\n   0x56556236 <+55>:  lea    -0x8(%ebp),%esp\n   0x56556239 <+58>:  pop    %ecx\n   0x5655623a <+59>:  pop    %ebx\n   0x5655623b <+60>:  pop    %ebp\n   0x5655623c <+61>:  lea    -0x4(%ecx),%esp\n   0x5655623f <+64>:  ret    \nEnd of assembler dump.\n(gdb) break calis\nBreakpoint 2 at 0x565561d8\n(gdb) continue\nContinuing.\nDeneme Ama\u00e7l\u0131d\u0131r\n\nBreakpoint 2, 0x565561d8 in calis ()\n(gdb) disassemble calis\nDump of assembler code for function calis:\n   0x565561d4 <+0>:   push   %ebp\n   0x565561d5 <+1>:   mov    %esp,%ebp\n   0x565561d7 <+3>:   push   %ebx\n=> 0x565561d8 <+4>:    sub    $0x4,%esp\n   0x565561db <+7>:   call   0x56556240 <__x86.get_pc_thunk.ax>\n   0x565561e0 <+12>:  add    $0x2e20,%eax\n   0x565561e5 <+17>:  sub    $0xc,%esp\n   0x565561e8 <+20>:  lea    -0x1fd2(%eax),%edx\n   0x565561ee <+26>:  push   %edx\n   0x565561ef <+27>:  mov    %eax,%ebx\n   0x565561f1 <+29>:  call   0x56556030 <printf@plt>\n   0x565561f6 <+34>:  add    $0x10,%esp\n   0x565561f9 <+37>:  nop\n   0x565561fa <+38>:  mov    -0x4(%ebp),%ebx\n   0x565561fd <+41>:  leave  \n   0x565561fe <+42>:  ret    \nEnd of assembler dump.\n(gdb) break *0x565561fe\nBreakpoint 3 at 0x565561fe\n(gdb) continue\nContinuing.\n\nBreakpoint 3, 0x565561fe in calis ()\n(gdb) x\/x $esp\n0xffffd49c: 0x56556231\n(gdb) disassemble main\nDump of assembler code for function main:\n   0x565561ff <+0>:   lea    0x4(%esp),%ecx\n   0x56556203 <+4>:   and    $0xfffffff0,%esp\n   0x56556206 <+7>:   push   -0x4(%ecx)\n   0x56556209 <+10>:  push   %ebp\n   0x5655620a <+11>:  mov    %esp,%ebp\n   0x5655620c <+13>:  push   %ebx\n   0x5655620d <+14>:  push   %ecx\n   0x5655620e <+15>:  call   0x56556240 <__x86.get_pc_thunk.ax>\n   0x56556213 <+20>:  add    $0x2ded,%eax\n   0x56556218 <+25>:  sub    $0xc,%esp\n   0x5655621b <+28>:  lea    -0x1fb4(%eax),%edx\n   0x56556221 <+34>:  push   %edx\n   0x56556222 <+35>:  mov    %eax,%ebx\n   0x56556224 <+37>:  call   0x56556040 <puts@plt>\n   0x56556229 <+42>:  add    $0x10,%esp\n   0x5655622c <+45>:  call   0x565561d4 <calis>\n   0x56556231 <+50>:  mov    $0x0,%eax\n   0x56556236 <+55>:  lea    -0x8(%ebp),%esp\n   0x56556239 <+58>:  pop    %ecx\n   0x5655623a <+59>:  pop    %ebx\n   0x5655623b <+60>:  pop    %ebp\n   0x5655623c <+61>:  lea    -0x4(%ecx),%esp\n   0x5655623f <+64>:  ret    \nEnd of assembler dump.\n(gdb) <\/code><\/pre>\n
Bir sonraki yaz\u0131mda bu adreslerle oynayarak asl\u0131nda temel buffer overflowda yapt\u0131\u011f\u0131m\u0131z eip gibi register'lar\u0131n \u00fcst\u00fcne yazarak program\u0131n normal ak\u0131\u015f\u0131n\u0131 nas\u0131l de\u011fi\u015ftirebildi\u011fimizden bahsedece\u011fim. Bir tane ubuntu 14 edinin...<\/p>\n","protected":false},"excerpt":{"rendered":"
Giri\u015f \u00c7ok \u00f6ncesinde sunumlar haz\u0131rlay\u0131p \u00f6\u011frencilere kullan\u0131m\u0131ndan bahsetmi\u015ftim ger\u00e7i o zamanalar bende \u00f6\u011frenciydim ancak kullanmad\u0131k\u00e7a unuttu\u011fumu farkettim ve tekrardan bir g\u00f6z att\u0131m. G\u00f6z atarkende buraya…<\/p>\n
Devam\u0131n\u0131 okuGDB ve Normal Olmayan Program Ak\u0131\u015f\u0131<\/span><\/a><\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[566,465],"tags":[61],"class_list":["post-1370","post","type-post","status-publish","format-standard","hentry","category-buffer-overflow","category-reverse-engineering","tag-gdb","entry"],"_links":{"self":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1370","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/comments?post=1370"}],"version-history":[{"count":3,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1370\/revisions"}],"predecessor-version":[{"id":1373,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1370\/revisions\/1373"}],"wp:attachment":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/media?parent=1370"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/categories?post=1370"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/tags?post=1370"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}