逆向工程cpp/asm代码的问题(只是为了学习)



我正在尝试一些cpp二进制反汇编。我写了一个非常简单的代码:

#include <iostream>
// Streams the literal "n" followed by a running counter, one million times.
int main() {
    // The outer `i` is never read: the loop below declares its own `i`,
    // which shadows it. It is kept so this listing still matches the
    // disassembly on this page, where the unoptimised build gives it a
    // stack slot of its own.
    int i = 0;
    int i2 = 0;

    for (int i = 0; i < 1000000; ++i) {
        ++i2;
        std::cout << "n" << i2;
    }

    return 0;
}

然后我用g++编译了它,使用了类似的东西:

g++ .cpp -o .cpp.bin

然后我运行了一个:

 objdump -d .cpp.bin 

以下是我提取的内容:

;1lim.cpp.bin:     file format elf64-x86-64
;Disassembly of section .init:
; _init: body of the .init section; toolchain start-up code, not generated
; from the C++ source above.
; NOTE(review): this is objdump output in AT&T syntax with the address column
; removed. Branch targets such as "1016" are addresses, not labels, and the
; (%rip) displacements are only valid at the original instruction addresses,
; so the text documents the binary but is not assembler input.
_init:
endbr64                         ; CET/IBT landing pad
sub    $0x8,%rsp                ; re-align the stack for the call below
mov    0x2fd9(%rip),%rax        ; load a function pointer (presumably the __gmon_start__ GOT slot; confirm)
test   %rax,%rax
je     1016 <_init+0x16>        ; null pointer: skip the call, go to the add
call   *%rax
add    $0x8,%rsp
ret    
;Disassembly of section .plt:
; .plt: lazy-binding trampolines. The first two instructions push one GOT
; word and jump through the next (presumably the link-map pointer and the
; dynamic linker's resolver; confirm). Each later group pushes a small index
; (0..3) and jumps back to address 1020.
; NOTE(review): objdump prints 1020 as <_init+0x20> only because it has no
; symbol for this section; the target is presumably the start of .plt itself.
.plt:
push   0x2f7a(%rip)       
bnd jmp *0x2f7b(%rip)        
nopl   (%rax)
endbr64 
push   $0x0                     ; index of the first imported function
bnd jmp 1020 <_init+0x20>
nop
endbr64 
push   $0x1
bnd jmp 1020 <_init+0x20>
nop
endbr64 
push   $0x2
bnd jmp 1020 <_init+0x20>
nop
endbr64 
push   $0x3
bnd jmp 1020 <_init+0x20>
nop
;Disassembly of section .plt.got:
; Import stub for __cxa_finalize: one indirect jump through a pointer slot
; (presumably its GOT entry) that the dynamic linker fills in.
__cxa_finalize@plt:
endbr64 
bnd jmp *0x2f55(%rip)        
nopl   0x0(%rax,%rax,1)         ; padding after the jump
;Disassembly of section .plt.sec:
; Import stub for __cxa_atexit: indirect jump through a pointer slot
; (presumably its GOT entry).
__cxa_atexit@plt:
endbr64 
bnd jmp *0x2f25(%rip)        
nopl   0x0(%rax,%rax,1)         ; padding after the jump
; Import stub for std::operator<<(std::ostream&, const char*), shown under
; its mangled name. main calls it to stream the "n" literal.
_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc@plt:
endbr64 
bnd jmp *0x2f1d(%rip)        
nopl   0x0(%rax,%rax,1)         ; padding after the jump
; Import stub for the std::ios_base::Init constructor (mangled name); called
; from the static-initialisation function further down.
_ZNSt8ios_base4InitC1Ev@plt:
endbr64 
bnd jmp *0x2f15(%rip)        
nopl   0x0(%rax,%rax,1)         ; padding after the jump
; Import stub for std::ostream::operator<<(int) (mangled name); main calls it
; to stream the counter.
_ZNSolsEi@plt:
endbr64 
bnd jmp *0x2f0d(%rip)        
nopl   0x0(%rax,%rax,1)         ; padding after the jump
;Disassembly of section .text:
; _start: process entry point from the C runtime start-up object, not from
; the C++ source. It builds the argument registers and makes one indirect
; call (presumably __libc_start_main through its GOT slot; confirm).
_start:
endbr64 
xor    %ebp,%ebp                ; clear the frame pointer for the outermost frame
mov    %rdx,%r9                 ; 6th argument = value the loader left in rdx
pop    %rsi                     ; 2nd argument = top of stack (argc at process entry)
mov    %rsp,%rdx                ; 3rd argument = what follows it (argv)
and    $0xfffffffffffffff0,%rsp ; force 16-byte stack alignment
push   %rax
push   %rsp
xor    %r8d,%r8d                ; 5th argument = 0
xor    %ecx,%ecx                ; 4th argument = 0
lea    0xca(%rip),%rdi          ; 1st argument = a code address (works out to main from the addresses printed in this listing)
call   *0x2ef3(%rip)            ; not expected to return
hlt                             ; trap if it ever does
cs nopw 0x0(%rax,%rax,1)        ; padding up to the next function
; deregister_tm_clones: toolchain runtime helper; it does not appear in the
; gcc -S output further down, so it was linked in rather than compiled from
; the C++ source. It returns at once when the two addresses are equal or the
; loaded pointer is null, otherwise tail-jumps through the pointer.
deregister_tm_clones:
lea    0x2f19(%rip),%rdi        
lea    0x2f12(%rip),%rax        
cmp    %rdi,%rax
je     1118 <deregister_tm_clones+0x28>   ; same address: nothing to do
mov    0x2ed6(%rip),%rax        ; optional function pointer
test   %rax,%rax
je     1118 <deregister_tm_clones+0x28>   ; null: nothing to call
jmp    *%rax                    ; tail call, argument already in rdi
nopl   0x0(%rax)
ret                             ; address 1118, target of both je above
nopl   0x0(%rax)
; register_tm_clones: toolchain runtime helper (absent from the gcc -S
; output below). It derives a count from the distance between two addresses
; and returns when the count is zero or the loaded pointer is null;
; otherwise it tail-jumps through the pointer with rdi/rsi as arguments.
register_tm_clones:
lea    0x2ee9(%rip),%rdi        
lea    0x2ee2(%rip),%rsi        
sub    %rdi,%rsi                ; byte distance between the two addresses
mov    %rsi,%rax
shr    $0x3f,%rsi               ; sign bit of the distance
sar    $0x3,%rax                ; distance / 8
add    %rax,%rsi                ; add the sign bit so the halving rounds toward zero
sar    %rsi                     ; halve; ZF set when the result is 0
je     1158 <register_tm_clones+0x38>     ; zero entries: return
mov    0x2ea5(%rip),%rax        ; optional function pointer
test   %rax,%rax
je     1158 <register_tm_clones+0x38>     ; null: return
jmp    *%rax                    ; tail call
nopw   0x0(%rax,%rax,1)
ret                             ; address 1158
nopl   0x0(%rax)
; __do_global_dtors_aux: toolchain runtime helper guarded by a one-byte flag,
; so its body runs at most once. It calls __cxa_finalize when a pointer slot
; is non-zero, then deregister_tm_clones, then sets the flag.
__do_global_dtors_aux:
endbr64 
cmpb   $0x0,0x2fe5(%rip)        ; "already done" flag byte
jne    1198 <__do_global_dtors_aux+0x38>  ; already set: plain return
push   %rbp
cmpq   $0x0,0x2e5a(%rip)        ; is the pointer slot zero? (flags survive the mov below)
mov    %rsp,%rbp
je     1187 <__do_global_dtors_aux+0x27>  ; yes: skip __cxa_finalize
mov    0x2e86(%rip),%rdi        ; its argument (presumably __dso_handle; confirm)
call   1070 <__cxa_finalize@plt>
call   10f0 <deregister_tm_clones>         ; address 1187
movb   $0x1,0x2fbd(%rip)        ; set the flag; same byte as the cmpb, the displacement differs with the instruction address
pop    %rbp
ret    
nopl   (%rax)
ret                             ; address 1198
nopl   0x0(%rax)
; frame_dummy: toolchain runtime helper; here it only tail-jumps to
; register_tm_clones.
frame_dummy:
endbr64 
jmp    1120 <register_tm_clones>
; main: unoptimised build of the C++ loop above.
; Stack slots, matched against the source:
;   -0x4(%rbp) = outer i (written once, never read)
;   -0xc(%rbp) = i2
;   -0x8(%rbp) = the loop's own i
; The two lea displacements correspond to .LC0 and _ZSt4cout in the gcc -S
; listing on this page; objdump shows only the raw offsets.
main:
endbr64 
push   %rbp
mov    %rsp,%rbp
sub    $0x10,%rsp               ; 16 bytes of locals
movl   $0x0,-0x4(%rbp)          ; outer i = 0
movl   $0x0,-0xc(%rbp)          ; i2 = 0
movl   $0x0,-0x8(%rbp)          ; loop i = 0
jmp    11fd <main+0x54>         ; enter at the loop test (the cmpl below)
addl   $0x1,-0xc(%rbp)          ; loop body, address 11cc: i2++
lea    0xe2d(%rip),%rax         ; address of the "n" literal
mov    %rax,%rsi                ; 2nd argument = const char*
lea    0x2e5f(%rip),%rax        ; address of std::cout
mov    %rax,%rdi                ; 1st argument = stream
call   1090 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc@plt>
mov    %rax,%rdx                ; keep the returned stream for the chained <<
mov    -0xc(%rbp),%eax
mov    %eax,%esi                ; 2nd argument = i2
mov    %rdx,%rdi                ; 1st argument = stream
call   10b0 <_ZNSolsEi@plt>     ; stream << i2
addl   $0x1,-0x8(%rbp)          ; loop i++
cmpl   $0xf423f,-0x8(%rbp)      ; 0xf423f = 999999
jle    11cc <main+0x23>         ; signed i <= 999999, i.e. i < 1000000
mov    $0x0,%eax                ; return 0
leave  
ret    
; Compiler-generated static initialisation for this translation unit; it
; takes two ints (edi, esi). Only when they are 1 and 0xffff does it
; construct the std::ios_base::Init object that <iostream> brings in and
; register that object's destructor with __cxa_atexit. The displacements
; correspond, in order, to _ZStL8__ioinit, __dso_handle, _ZStL8__ioinit and
; the GOT slot of _ZNSt8ios_base4InitD1Ev in the gcc -S listing on this page.
_Z41__static_initialization_and_destruction_0ii:
endbr64 
push   %rbp
mov    %rsp,%rbp
sub    $0x10,%rsp
mov    %edi,-0x4(%rbp)          ; spill 1st argument
mov    %esi,-0x8(%rbp)          ; spill 2nd argument
cmpl   $0x1,-0x4(%rbp)
jne    1260 <_Z41__static_initialization_and_destruction_0ii+0x53>   ; 1st != 1: nothing to do
cmpl   $0xffff,-0x8(%rbp)
jne    1260 <_Z41__static_initialization_and_destruction_0ii+0x53>   ; 2nd != 65535: nothing to do
lea    0x2f1c(%rip),%rax        ; address of the Init object
mov    %rax,%rdi
call   10a0 <_ZNSt8ios_base4InitC1Ev@plt>  ; construct it
lea    0x2dc4(%rip),%rax        
mov    %rax,%rdx                ; 3rd argument
lea    0x2f03(%rip),%rax        
mov    %rax,%rsi                ; 2nd argument = the object
mov    0x2da0(%rip),%rax        ; destructor address, loaded from a pointer slot
mov    %rax,%rdi                ; 1st argument = function to run at exit
call   1080 <__cxa_atexit@plt>
nop                             ; address 1260, target of both jne above
leave  
ret    
; _GLOBAL__sub_I_main: compiler-generated wrapper that calls the static
; initialisation function with the constants (1, 0xffff), the only pair for
; which that function does any work.
_GLOBAL__sub_I_main:
endbr64 
push   %rbp
mov    %rsp,%rbp
mov    $0xffff,%esi             ; 2nd argument = 65535
mov    $0x1,%edi                ; 1st argument = 1
call   120d <_Z41__static_initialization_and_destruction_0ii>
pop    %rbp
ret    
;Disassembly of section .fini:
; _fini: body of the .fini section; toolchain code. In this binary it only
; adjusts and restores the stack pointer.
_fini:
endbr64 
sub    $0x8,%rsp
add    $0x8,%rsp
ret    

我现在正试图用以下命令对它进行汇编:

nasm -f elf64 .asm

我该如何修复这段汇编代码,使它能够用NASM汇编?(它已经是我从objdump获得的输出经过巧妙修改后的版本。)

我找到了这个问题的答案:不要使用前面给出的命令,而是使用以下命令:

gcc -S .cpp

这将产生以下代码:

    # Compiler output for 1lim.cpp in GNU assembler (AT&T) syntax. Unlike the
    # objdump listing, every reference here is symbolic, which is why this
    # file can be assembled again.
    .file   "1lim.cpp"
    .text
    .local  _ZStL8__ioinit
    .comm   _ZStL8__ioinit,1,1      # 1-byte, file-local object (std::__ioinit) that the static initialiser constructs
    .section    .rodata
.LC0:
    .string "n"                     # the literal streamed by main's loop
    # int main(), unoptimised, System V AMD64 ABI.
    # Stack slots, matched against the C++ source on this page:
    #   -4(%rbp)  = outer i (written once, never read)
    #   -12(%rbp) = i2
    #   -8(%rbp)  = the loop's own i
    # The .cfi_* directives describe the frame for unwinding and emit no
    # instructions.
    .text
    .globl  main
    .type   main, @function
main:
.LFB1731:
    .cfi_startproc
    endbr64                         # CET/IBT landing pad
    pushq   %rbp
    .cfi_def_cfa_offset 16
    .cfi_offset 6, -16
    movq    %rsp, %rbp
    .cfi_def_cfa_register 6
    subq    $16, %rsp               # 16 bytes of locals
    movl    $0, -4(%rbp)            # outer i = 0
    movl    $0, -12(%rbp)           # i2 = 0
    movl    $0, -8(%rbp)            # loop i = 0
    jmp .L2                         # enter at the loop test
.L3:
    addl    $1, -12(%rbp)           # i2++
    leaq    .LC0(%rip), %rax
    movq    %rax, %rsi              # 2nd argument = "n"
    leaq    _ZSt4cout(%rip), %rax
    movq    %rax, %rdi              # 1st argument = std::cout
    call    _ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc@PLT   # operator<<(ostream&, const char*)
    movq    %rax, %rdx              # keep the returned stream for the chained <<
    movl    -12(%rbp), %eax
    movl    %eax, %esi              # 2nd argument = i2
    movq    %rdx, %rdi              # 1st argument = stream
    call    _ZNSolsEi@PLT           # ostream::operator<<(int)
    addl    $1, -8(%rbp)            # loop i++
.L2:
    cmpl    $999999, -8(%rbp)
    jle .L3                         # signed i <= 999999, i.e. i < 1000000
    movl    $0, %eax                # return 0
    leave
    .cfi_def_cfa 7, 8
    ret
    .cfi_endproc
.LFE1731:
    .size   main, .-main
    # Compiler-generated static initialisation for this translation unit.
    # Takes two ints (edi, esi). Only when they are 1 and 65535 does it
    # construct the std::ios_base::Init object at _ZStL8__ioinit and register
    # its destructor with __cxa_atexit(destructor, object, __dso_handle).
    .type   _Z41__static_initialization_and_destruction_0ii, @function
_Z41__static_initialization_and_destruction_0ii:
.LFB2229:
    .cfi_startproc
    endbr64
    pushq   %rbp
    .cfi_def_cfa_offset 16
    .cfi_offset 6, -16
    movq    %rsp, %rbp
    .cfi_def_cfa_register 6
    subq    $16, %rsp
    movl    %edi, -4(%rbp)          # spill 1st argument
    movl    %esi, -8(%rbp)          # spill 2nd argument
    cmpl    $1, -4(%rbp)
    jne .L7                         # 1st != 1: nothing to do
    cmpl    $65535, -8(%rbp)
    jne .L7                         # 2nd != 65535: nothing to do
    leaq    _ZStL8__ioinit(%rip), %rax
    movq    %rax, %rdi
    call    _ZNSt8ios_base4InitC1Ev@PLT   # std::ios_base::Init constructor
    leaq    __dso_handle(%rip), %rax
    movq    %rax, %rdx              # 3rd argument = __dso_handle
    leaq    _ZStL8__ioinit(%rip), %rax
    movq    %rax, %rsi              # 2nd argument = the object
    movq    _ZNSt8ios_base4InitD1Ev@GOTPCREL(%rip), %rax   # destructor address, read from the GOT
    movq    %rax, %rdi              # 1st argument = function to run at exit
    call    __cxa_atexit@PLT
.L7:
    nop
    leave
    .cfi_def_cfa 7, 8
    ret
    .cfi_endproc
.LFE2229:
    .size   _Z41__static_initialization_and_destruction_0ii, .-_Z41__static_initialization_and_destruction_0ii
    # Compiler-generated wrapper: calls the static initialisation function
    # with (1, 65535), the only pair for which that function does any work.
    # The .init_array entry at the end of this file points here.
    .type   _GLOBAL__sub_I_main, @function
_GLOBAL__sub_I_main:
.LFB2230:
    .cfi_startproc
    endbr64
    pushq   %rbp
    .cfi_def_cfa_offset 16
    .cfi_offset 6, -16
    movq    %rsp, %rbp
    .cfi_def_cfa_register 6
    movl    $65535, %esi            # 2nd argument
    movl    $1, %edi                # 1st argument
    call    _Z41__static_initialization_and_destruction_0ii
    popq    %rbp
    .cfi_def_cfa 7, 8
    ret
    .cfi_endproc
.LFE2230:
    .size   _GLOBAL__sub_I_main, .-_GLOBAL__sub_I_main
    # Metadata sections. They contain no instructions, but they control how
    # the linker and loader treat the object, so keep them when editing this
    # file by hand.
    .section    .init_array,"aw"
    .align 8
    .quad   _GLOBAL__sub_I_main     # constructor pointer: run by the start-up code before main
    .hidden __dso_handle
    .ident  "GCC: (Ubuntu 11.2.0-19ubuntu1) 11.2.0"
    # Empty flags (no "x"): this object does not ask for an executable stack.
    # NOTE(review): if a hand-edited copy drops this line, GNU ld may fall
    # back to an executable stack on some targets and versions; confirm with
    # readelf -lW on the result.
    .section    .note.GNU-stack,"",@progbits
    # GNU property note: name size, descriptor size, type 5, owner "GNU".
    # Property 0xc0000002 (x86 feature-1 AND) with value 0x3 marks the code
    # as compatible with both CET features, IBT and shadow stack. The endbr64
    # at each function entry is what makes the IBT claim true; removing one
    # from a function that is reached indirectly would make this note wrong.
    .section    .note.gnu.property,"a"
    .align 8
    .long   1f - 0f
    .long   4f - 1f
    .long   5
0:
    .string "GNU"
1:
    .align 8
    .long   0xc0000002
    .long   3f - 2f
2:
    .long   0x3
3:
    .align 8
4:

要编译它,只需执行以下操作:

g++ .s -o .s.bin

然后运行它只需执行:

./.s.bin

现在我的问题是:如何对已有的可执行文件或二进制文件执行同样的操作?

看来,答案是使用一个名为objconv的程序,它能以正确的方式将c++二进制文件转换为汇编代码。据说,在任何操作系统上都可以通过anaconda包和环境管理器来安装它。

欢呼
