x86_64 でC言語の関数呼び出しを眺めてみる
CTF の pwnable でオーバーフローを狙った攻撃を組む雰囲気の問題があったので呼び出し規約を勉強。
参考:
こちらの記事に書かれているコードをなぞっていく。
環境
$ uname -a
Linux ip-172-31-29-195 5.4.0-1024-aws #24-Ubuntu SMP Sat Sep 5 06:19:55 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.1 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.1 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
サンプルコード
// sample.c
#include<stdio.h>
int add(int a, int b, int c);
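int main(void){
    /* Demo of the System V x86_64 calling convention: three int locals are
     * handed to add() in edi/esi/edx and its result comes back in eax.
     * In the disassembly further down the locals sit at rbp-0x10 (x),
     * rbp-0xc (y), rbp-0x8 (z) and rbp-0x4 (sum). */
    int x, y, z;
    int sum;

    x = 2;
    y = 3;
    z = 5;
    /* Variadic call: rdi = format string, esi/edx/ecx = x/y/z. The compiler
     * zeroes eax right before it because the ABI uses al to tell a variadic
     * callee how many vector registers carry arguments (none here). */
    printf("x = %d, y = %d, z = %d\n", x, y, z);
    sum = add(x, y, z);
    printf("x + y + z = %d\n", sum);
    return 0;
}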
int add(int a, int b, int c){
    /* Return a + b + c. Under the System V x86_64 ABI the caller places
     * a, b, c in edi, esi, edx (visible in main's disassembly) and the sum
     * travels back in eax. Signed overflow for large inputs is undefined
     * behaviour, exactly as in a plain a + b + c. */
    int total = a;
    total += b;
    total += c;
    return total;
}
x86_64 でコンパイルする
$ gcc main.c -o main
radare2 で見てみる。
r2 main
[0x00001060]> aa
INFO: Analyze all flags starting with sym. and entry0 (aa)
INFO: Analyze all functions arguments/locals (afva@@@F)
[0x00001060]> is
[Symbols]
nth paddr vaddr bind type size lib name demangled
―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
1 0x00000318 0x00000318 LOCAL SECT 0 .interp
2 0x00000338 0x00000338 LOCAL SECT 0 .note.gnu.property
3 0x00000358 0x00000358 LOCAL SECT 0 .note.gnu.build-id
4 0x0000037c 0x0000037c LOCAL SECT 0 .note.ABI-tag
5 0x000003a0 0x000003a0 LOCAL SECT 0 .gnu.hash
6 0x000003c8 0x000003c8 LOCAL SECT 0 .dynsym
7 0x00000470 0x00000470 LOCAL SECT 0 .dynstr
8 0x000004f4 0x000004f4 LOCAL SECT 0 .gnu.version
9 0x00000508 0x00000508 LOCAL SECT 0 .gnu.version_r
10 0x00000528 0x00000528 LOCAL SECT 0 .rela.dyn
11 0x000005e8 0x000005e8 LOCAL SECT 0 .rela.plt
12 0x00001000 0x00001000 LOCAL SECT 0 .init
13 0x00001020 0x00001020 LOCAL SECT 0 .plt
14 0x00001040 0x00001040 LOCAL SECT 0 .plt.got
15 0x00001050 0x00001050 LOCAL SECT 0 .plt.sec
16 0x00001060 0x00001060 LOCAL SECT 0 .text
17 0x00001258 0x00001258 LOCAL SECT 0 .fini
18 0x00002000 0x00002000 LOCAL SECT 0 .rodata
19 0x0000202c 0x0000202c LOCAL SECT 0 .eh_frame_hdr
20 0x00002078 0x00002078 LOCAL SECT 0 .eh_frame
21 0x00002db8 0x00003db8 LOCAL SECT 0 .init_array
22 0x00002dc0 0x00003dc0 LOCAL SECT 0 .fini_array
23 0x00002dc8 0x00003dc8 LOCAL SECT 0 .dynamic
24 0x00002fb8 0x00003fb8 LOCAL SECT 0 .got
25 0x00003000 0x00004000 LOCAL SECT 0 .data
26 ---------- 0x00004010 LOCAL SECT 0 .bss
27 0x00000000 0x00000000 LOCAL SECT 0 .comment
28 0x00000000 0x00000000 LOCAL FILE 0 crtstuff.c
29 0x00001090 0x00001090 LOCAL FUNC 0 deregister_tm_clones
30 0x000010c0 0x000010c0 LOCAL FUNC 0 register_tm_clones
31 0x00001100 0x00001100 LOCAL FUNC 0 __do_global_dtors_aux
32 ---------- 0x00004010 LOCAL OBJ 1 completed.8060
33 0x00002dc0 0x00003dc0 LOCAL OBJ 0 __do_global_dtors_aux_fini_array_entry
34 0x00001140 0x00001140 LOCAL FUNC 0 frame_dummy
35 0x00002db8 0x00003db8 LOCAL OBJ 0 __frame_dummy_init_array_entry
36 0x00000000 0x00000000 LOCAL FILE 0 main.c
37 0x00000000 0x00000000 LOCAL FILE 0 crtstuff.c
38 0x0000219c 0x0000219c LOCAL OBJ 0 __FRAME_END__
39 0x00000000 0x00000000 LOCAL FILE 0
40 0x00002dc0 0x00003dc0 LOCAL NOTYPE 0 __init_array_end
41 0x00002dc8 0x00003dc8 LOCAL OBJ 0 _DYNAMIC
42 0x00002db8 0x00003db8 LOCAL NOTYPE 0 __init_array_start
43 0x0000202c 0x0000202c LOCAL NOTYPE 0 __GNU_EH_FRAME_HDR
44 0x00002fb8 0x00003fb8 LOCAL OBJ 0 _GLOBAL_OFFSET_TABLE_
45 0x00001000 0x00001000 LOCAL FUNC 0 _init
46 0x00001250 0x00001250 GLOBAL FUNC 5 __libc_csu_fini
48 0x00003000 0x00004000 WEAK NOTYPE 0 data_start
49 0x000011b8 0x000011b8 GLOBAL FUNC 32 add
50 ---------- 0x00004010 GLOBAL NOTYPE 0 _edata
51 0x00001258 0x00001258 GLOBAL FUNC 0 _fini
54 0x00003000 0x00004000 GLOBAL NOTYPE 0 __data_start
56 0x00003008 0x00004008 GLOBAL OBJ 0 __dso_handle
57 0x00002000 0x00002000 GLOBAL OBJ 4 _IO_stdin_used
58 0x000011e0 0x000011e0 GLOBAL FUNC 101 __libc_csu_init
59 ---------- 0x00004018 GLOBAL NOTYPE 0 _end
60 0x00001060 0x00001060 GLOBAL FUNC 47 _start
61 ---------- 0x00004010 GLOBAL NOTYPE 0 __bss_start
62 0x00001149 0x00001149 GLOBAL FUNC 111 main
63 ---------- 0x00004010 GLOBAL OBJ 0 __TMC_END__
1 0x00000000 0x00000000 WEAK NOTYPE 16 imp._ITM_deregisterTMCloneTable
2 0x00001050 0x00001050 GLOBAL FUNC 16 imp.printf
3 0x00000000 0x00000000 GLOBAL FUNC 16 imp.__libc_start_main
4 0x00000000 0x00000000 WEAK NOTYPE 16 imp.__gmon_start__
5 0x00000000 0x00000000 WEAK NOTYPE 16 imp._ITM_registerTMCloneTable
6 0x00000000 0x00000000 WEAK FUNC 16 imp.__cxa_finalize
[0x00001060]> s main
[0x00001149]> pdf
; DATA XREF from entry0 @ 0x1081(r)
┌ 111: int main (int argc, char **argv, char **envp);
│ ; var int64_t var_4h @ rbp-0x4
│ ; var int64_t var_8h @ rbp-0x8
│ ; var int64_t var_ch @ rbp-0xc
│ ; var int64_t var_10h @ rbp-0x10
│ 0x00001149 f30f1efa endbr64
│ 0x0000114d 55 push rbp
│ 0x0000114e 4889e5 mov rbp, rsp
│ 0x00001151 4883ec10 sub rsp, 0x10
│ 0x00001155 c745f0020000. mov dword [var_10h], 2
│ 0x0000115c c745f4030000. mov dword [var_ch], 3
│ 0x00001163 c745f8050000. mov dword [var_8h], 5
│ 0x0000116a 8b4df8 mov ecx, dword [var_8h]
│ 0x0000116d 8b55f4 mov edx, dword [var_ch]
│ 0x00001170 8b45f0 mov eax, dword [var_10h]
│ 0x00001173 89c6 mov esi, eax
│ 0x00001175 488d3d880e00. lea rdi, str.x___d__y___d__z___d_n ; 0x2004 ; "x = %d, y = %d, z = %d\n"
│ 0x0000117c b800000000 mov eax, 0
│ 0x00001181 e8cafeffff call sym.imp.printf ; int printf(const char *format)
│ 0x00001186 8b55f8 mov edx, dword [var_8h]
│ 0x00001189 8b4df4 mov ecx, dword [var_ch]
│ 0x0000118c 8b45f0 mov eax, dword [var_10h]
│ 0x0000118f 89ce mov esi, ecx
│ 0x00001191 89c7 mov edi, eax
│ 0x00001193 e820000000 call sym.add
│ 0x00001198 8945fc mov dword [var_4h], eax
│ 0x0000119b 8b45fc mov eax, dword [var_4h]
│ 0x0000119e 89c6 mov esi, eax
│ 0x000011a0 488d3d750e00. lea rdi, str.x__y__z___d_n ; 0x201c ; "x + y + z = %d\n"
│ 0x000011a7 b800000000 mov eax, 0
│ 0x000011ac e89ffeffff call sym.imp.printf ; int printf(const char *format)
│ 0x000011b1 b800000000 mov eax, 0
│ 0x000011b6 c9 leave
└ 0x000011b7 c3 ret