I am trying to debug ARM code from a Linux machine. The code begins as follows:
.text:00008290 MOV R12, SP
.text:00008294 STMFD SP!, {R4,R11,R12,LR,PC}
.text:00008298 SUB R11, R12, #4
.text:0000829C SUB SP, SP, #0x24
.text:000082A0 STR R0, [R11,#var_28]
.text:000082A4 STR R1, [R11,#var_2C]
.text:000082A8 LDR R3, [R11,#var_28]
.text:000082AC CMP R3, #1 ; Check whether arg has been provided
.text:000082B0 BGT loc_82C0 ; Jump to 0x82C0 if arg provided
.text:000082B4 MOV R3, #0xFFFFFFFF
.text:000082B8 STR R3, [R11,#var_30]
.text:000082BC B loc_8448
As you can see, if an arg is provided the code jumps to 0x82C0, but I cannot find a way to run the code with an argument.
To debug it, I use a server/client setup on my machine as follows:
First terminal window:
$ qemu-arm -g 1234 ./chall9.bin
Second terminal window:
$ gdb-multiarch
(gdb) file chall9.bin
Reading symbols from /data/malware/chall9.bin...done.
(gdb) set architecture arm
The target architecture is assumed to be arm
(gdb) target remote 127.0.0.1:1234
Remote debugging using 127.0.0.1:1234
[New Remote target]
[Switching to Remote target]
0x00008150 in _start ()
(gdb) break *0x82b0
Breakpoint 1 at 0x82b0
(gdb) set args 12345
(gdb) show args
Argument list to give program being debugged when it is started is "12345".
(gdb) r
The "remote" target does not support "run". Try "help target" or "continue".
(gdb) c
Continuing.
Breakpoint 1, 0x000082b0 in main ()
(gdb) x /12i $pc
=> 0x82b0 <main+32>: bgt 0x82c0 <main+48>
0x82b4 <main+36>: mvn r3, #0
0x82b8 <main+40>: str r3, [r11, #-48] ; 0x30
0x82bc <main+44>: b 0x8448 <main+440>
0x82c0 <main+48>: mov r3, #0
0x82c4 <main+52>: str r3, [r11, #-28]
0x82c8 <main+56>: mov r0, #32
0x82cc <main+60>: bl 0x8248 <xmalloc>
0x82d0 <main+64>: mov r3, r0
0x82d4 <main+68>: str r3, [r11, #-32]
0x82d8 <main+72>: b 0x832c <main+156>
0x82dc <main+76>: ldr r3, [r11, #-28]
(gdb) si
0x000082b4 in main ()
My argument does not seem to be taken into account, because the code should normally jump to 0x82c0, but it jumps to 0x82b4 instead.
Any idea? Thanks in advance for your input.
I found it! The arg should be passed to qemu as follows:
$ qemu-arm -g 1234 ./chall9.bin 12345