ELF binary


# readelf -a foo.out
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Intel 80386
  Version:                           0x1
  Entry point address:               0x8048720
  Start of program headers:          52 (bytes into file)
  Start of section headers:          3744 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         8
  Size of section headers:           40 (bytes)
  Number of section headers:         32
  Section header string table index: 29

Dynamic section at offset 0xbfc contains 28 entries:
  Tag        Type                         Name/Value
 0x00000001 (NEEDED)                     Shared library: [libstdc++.so.6]
 0x00000001 (NEEDED)                     Shared library: [libm.so.6]
 0x00000001 (NEEDED)                     Shared library: [libgcc_s.so.1]
 0x00000001 (NEEDED)                     Shared library: [libc.so.6]

Symbol table '.dynsym' contains 18 entries:
   Num:    Value  Size Type    Bind   Vis      Ndx Name
     0: 00000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 00000000     0 FUNC    GLOBAL DEFAULT  UND open@GLIBC_2.0 (2)
     2: 00000000     0 FUNC    GLOBAL DEFAULT  UND __cxa_atexit@GLIBC_2.1.3 (3)
     3: 00000000     0 NOTYPE  WEAK   DEFAULT  UND __gmon_start__
     4: 00000000     0 NOTYPE  WEAK   DEFAULT  UND _Jv_RegisterClasses
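The header fields readelf prints above come straight from the first 52 bytes of the file (the Elf32_Ehdr). The following Python is an added example, not part of the slides: it decodes those bytes itself, and then applies the sanity checks a loader or analysis tool should run before trusting the header (header size, program and section header tables inside the file, valid string-table index). The sample header is constructed here to match the values in the readelf output; the real foo.out is not available, so only its 52 header bytes are modelled.

```python
"""Decode an ELF32 header the way `readelf -h` reports it, then sanity-check it.

Added example, not part of the slides. Field layout is the standard
Elf32_Ehdr; the sample header is constructed to reproduce the readelf
output above (entry 0x8048720, 8 program headers at offset 52, 32 section
headers at offset 3744, shstrndx 29).
"""
import struct

ELF_MAGIC = b"\x7fELF"
EHDR32_SIZE = 52

# Names readelf prints for the numeric fields (subset that matters here).
CLASSES = {1: "ELF32", 2: "ELF64"}
ENCODINGS = {1: "2's complement, little endian", 2: "2's complement, big endian"}
TYPES = {1: "REL (Relocatable file)", 2: "EXEC (Executable file)",
         3: "DYN (Shared object file)", 4: "CORE (Core file)"}
MACHINES = {3: "Intel 80386", 62: "Advanced Micro Devices X86-64"}
OSABIS = {0: "UNIX - System V", 3: "UNIX - GNU/Linux"}


def parse_elf32_header(data: bytes) -> dict:
    """Return the header fields of an ELF32 image as a dict."""
    if len(data) < EHDR32_SIZE:
        raise ValueError("shorter than an ELF32 header")
    if data[:4] != ELF_MAGIC:
        raise ValueError("missing ELF magic")
    ei_class, ei_data, ei_version, ei_osabi, ei_abiversion = data[4:9]
    if ei_class != 1:
        raise ValueError("not an ELF32 file")
    if ei_data not in ENCODINGS:
        raise ValueError("unknown data encoding")
    endian = "<" if ei_data == 1 else ">"
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    f = struct.unpack(endian + "HHIIIIIHHHHHH", data[16:EHDR32_SIZE])
    return {
        "class": CLASSES[ei_class],
        "data": ENCODINGS[ei_data],
        "ident_version": ei_version,
        "osabi": OSABIS.get(ei_osabi, ei_osabi),
        "abiversion": ei_abiversion,
        "type": TYPES.get(f[0], f[0]),
        "machine": MACHINES.get(f[1], f[1]),
        "version": f[2],
        "entry": f[3],
        "phoff": f[4],
        "shoff": f[5],
        "flags": f[6],
        "ehsize": f[7],
        "phentsize": f[8],
        "phnum": f[9],
        "shentsize": f[10],
        "shnum": f[11],
        "shstrndx": f[12],
    }


def header_problems(hdr: dict, file_size: int) -> list:
    """Checks to run before trusting header values: a malformed header that
    points its tables past the end of the file is a classic parser crash."""
    problems = []
    if hdr["ehsize"] != EHDR32_SIZE:
        problems.append("e_ehsize is not 52")
    if hdr["phnum"] and hdr["phoff"] + hdr["phnum"] * hdr["phentsize"] > file_size:
        problems.append("program header table runs past end of file")
    if hdr["shnum"] and hdr["shoff"] + hdr["shnum"] * hdr["shentsize"] > file_size:
        problems.append("section header table runs past end of file")
    if hdr["shnum"] and hdr["shstrndx"] >= hdr["shnum"]:
        problems.append("e_shstrndx is not a valid section index")
    return problems


def build_sample_header() -> bytes:
    """Constructed 52-byte header reproducing the values in the readelf output."""
    # e_ident: magic, class=ELF32, data=LSB, version=1, OS/ABI=SysV, ABI ver=0, 7 pad bytes
    e_ident = ELF_MAGIC + bytes([1, 1, 1, 0, 0]) + b"\x00" * 7
    return e_ident + struct.pack("<HHIIIIIHHHHHH",
                                 2,           # e_type: EXEC
                                 3,           # e_machine: Intel 80386
                                 1,           # e_version
                                 0x8048720,   # e_entry
                                 52,          # e_phoff
                                 3744,        # e_shoff
                                 0,           # e_flags
                                 52, 32, 8,   # e_ehsize, e_phentsize, e_phnum
                                 40, 32, 29)  # e_shentsize, e_shnum, e_shstrndx


if __name__ == "__main__":
    hdr = parse_elf32_header(build_sample_header())
    for key, value in hdr.items():
        print(f"{key:>14}: {value:#x}" if isinstance(value, int) else f"{key:>14}: {value}")
    # The section header table ends at 3744 + 32*40 = 5024, so a file of that size is consistent.
    print("problems:", header_problems(hdr, 3744 + 32 * 40) or "none")
```

The checks in header_problems are the ones readelf itself warns about on corrupt input; a loader or triage script that reads e_phoff or e_shoff without them will happily index past the buffer.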

Print Me

echo "set disassembly-flavor intel" > ~/.gdbinit

(gdb) disassemble /rm main
Dump of assembler code for function main(int, char**):
2	int main(int argc, char *argv[]) {
   0x080483e4 <+0>:	55	push   ebp
   0x080483e5 <+1>:	89 e5	mov    ebp,esp
   0x080483e7 <+3>:	83 e4 f0	and    esp,0xfffffff0
   0x080483ea <+6>:	83 ec 10	sub    esp,0x10
3	  printf(argv[1]);
   0x080483ed <+9>:	8b 45 0c	mov    eax,DWORD PTR [ebp+0xc]
   0x080483f0 <+12>:	83 c0 04	add    eax,0x4
   0x080483f3 <+15>:	8b 00	mov    eax,DWORD PTR [eax]
   0x080483f5 <+17>:	89 04 24	mov    DWORD PTR [esp],eax
   0x080483f8 <+20>:	e8 03 ff ff ff	call   0x8048300 <printf@plt>
   0x080483fd <+25>:	b8 00 00 00 00	mov    eax,0x0
4	}
   0x08048402 <+30>:	c9	leave
   0x08048403 <+31>:	c3	ret
End of assembler dump.

Iostream -> cstdio more properly

Hello World! - assembly

; from Hacking: The Art of Exploitation by Jon Erickson
BITS 32
    call mark_below                 ; instructions below
    db "Hello, world!", 0x0a, 0x0d  ; add newline/cr to end
mark_below:
    pop ecx                         ; pop the return address into ecx
                                    ;; this should be the string ptr
    mov eax, 4                      ; write system call #4 (write)
    mov ebx, 1                      ; STDOUT file descriptor
    mov edx, 15                     ; the length of the string
    int 0x80                        ; do syscall: write(1,string,15)
    ;; exit properly
    mov eax, 1                      ; syscall #1 (exit)
    mov ebx, 0                      ; status result = 0
    int 0x80                        ; do syscall: exit(0)

Hello World! - assembly, as ndisasm sees it (same source as above)

$ ndisasm -b 32 hello
00000000  E80F000000        call dword 0x14
00000005  48                dec eax
00000006  656C              gs insb
00000008  6C                insb
00000009  6F                outsd
0000000A  2C20              sub al,0x20
0000000C  776F              ja 0x7d
0000000E  726C              jc 0x7c
00000010  64210A            and [fs:edx],ecx
00000013  0D59B80400        or eax,0x4b859
00000018  0000              add [eax],al
0000001A  BB01000000        mov ebx,0x1
0000001F  BA0F000000        mov edx,0xf
00000024  CD80              int 0x80
00000026  B801000000        mov eax,0x1
0000002B  BB00000000        mov ebx,0x0
00000030  CD80              int 0x80
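The ndisasm listing shows what a linear-sweep disassembler does with the "call over the data" layout: the 15 string bytes at 0x05..0x13 are decoded as instructions, and because the last of them (0x0D, the carriage return) is the opcode of `or eax,imm32`, the decoder swallows the real `pop ecx` and `mov eax,4` at 0x14..0x17 and only resynchronises at 0x1A. The Python below is an added example, not part of the slides: a deliberately tiny x86-32 decoder that knows only the opcodes this blob uses (plus the two ndisasm stumbled into), run once as a linear sweep and once following control flow from the entry. The byte string is constructed from the listing above.

```python
"""Linear sweep versus flow-following decoding of the hello-world blob.

Added example, not part of the slides. The decoder below is a toy that
recognises only the opcodes present in this blob; unknown bytes are shown
as `db`. HELLO is constructed from the ndisasm listing above.
"""

HELLO = (
    bytes.fromhex("E80F000000")      # call mark_below (rel32 = 0x0F -> target 0x14)
    + b"Hello, world!\n\r"           # 15 bytes of data the CPU never executes
    + bytes.fromhex("59"             # pop ecx
                    "B804000000"     # mov eax,4
                    "BB01000000"     # mov ebx,1
                    "BA0F000000"     # mov edx,15
                    "CD80"           # int 0x80
                    "B801000000"     # mov eax,1
                    "BB00000000"     # mov ebx,0
                    "CD80")          # int 0x80
)

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def _imm32(code: bytes, off: int, signed: bool = False) -> int:
    """Little-endian 32-bit immediate at `off`, refusing to read past the end."""
    if off + 4 > len(code):
        raise ValueError(f"immediate truncated at offset {off:#x}")
    return int.from_bytes(code[off:off + 4], "little", signed=signed)


def decode_one(code: bytes, off: int):
    """Decode one instruction at `off`; return (length, text)."""
    op = code[off]
    if op == 0xE8:                                   # call rel32 (target = next ip + rel)
        return 5, f"call 0x{off + 5 + _imm32(code, off + 1, signed=True):x}"
    if 0x58 <= op <= 0x5F:                           # pop r32
        return 1, f"pop {REG32[op - 0x58]}"
    if 0xB8 <= op <= 0xBF:                           # mov r32, imm32
        return 5, f"mov {REG32[op - 0xB8]},0x{_imm32(code, off + 1):x}"
    if op == 0xCD and off + 1 < len(code):           # int imm8
        return 2, f"int 0x{code[off + 1]:x}"
    if op == 0x0D:                                   # or eax, imm32 (the '\r' byte)
        return 5, f"or eax,0x{_imm32(code, off + 1):x}"
    if op == 0x00 and off + 1 < len(code) and code[off + 1] == 0x00:
        return 2, "add [eax],al"                     # 00 00 = add [eax],al
    return 1, f"db 0x{op:02x}"                       # not modelled: treat as data


def linear_sweep(code: bytes):
    """Decode from offset 0 to the end, one instruction after the other (ndisasm style)."""
    out, off = [], 0
    while off < len(code):
        length, text = decode_one(code, off)
        out.append((off, text))
        off += length
    return out


def follow_flow(code: bytes):
    """Decode along control flow from offset 0. A `call` continues at its target;
    this blob pops the return address instead of returning, so the bytes after
    the call are never reached and never mistaken for code."""
    out, off = [], 0
    while off < len(code):
        length, text = decode_one(code, off)
        out.append((off, text))
        if code[off] == 0xE8:
            off = off + 5 + _imm32(code, off + 1, signed=True)
        else:
            off += length
    return out


def skipped_data(code: bytes, off: int = 0) -> bytes:
    """The bytes a `call` at `off` jumps over, i.e. the inline string."""
    if code[off] != 0xE8:
        raise ValueError("no call at that offset")
    target = off + 5 + _imm32(code, off + 1, signed=True)
    return code[off + 5:target]


if __name__ == "__main__":
    print("linear sweep (ndisasm style):")
    for off, text in linear_sweep(HELLO):
        print(f"  {off:08x}  {text}")
    print("following control flow:")
    for off, text in follow_flow(HELLO):
        print(f"  {off:08x}  {text}")
    print("data skipped by the call:", skipped_data(HELLO))
```

In the linear sweep, offsets 0x14 and 0x15 never appear as instruction starts: the `or eax,0x4b859` at 0x13 has consumed them, which is exactly the line in the ndisasm output above. Following the call instead lands on `pop ecx` at 0x14, and the 15 skipped bytes match the `mov edx, 15` length argument of the write syscall.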

Reversing

Frame setup, arithmetic, if comparison

(gdb) disassemble /m main
Dump of assembler code for function main():
4	int main() {
   0x0804848c <+0>:	push   ebp                          ; frame setup
   0x0804848d <+1>:	mov    ebp,esp
   0x0804848f <+3>:	sub    esp,0x10
5	  int count;
6
7	  y=y+3;
   0x08048492 <+6>:	mov    eax,ds:0x8049744             ; arithmetic
   0x08048497 <+11>:	add    eax,0x3
   0x0804849a <+14>:	mov    ds:0x8049744,eax
8	  x=x+y;
   0x0804849f <+19>:	mov    edx,DWORD PTR ds:0x8049740
   0x080484a5 <+25>:	mov    eax,ds:0x8049744
   0x080484aa <+30>:	add    eax,edx
   0x080484ac <+32>:	mov    ds:0x8049740,eax
9	  if (x<y)
   0x080484b1 <+37>:	mov    edx,DWORD PTR ds:0x8049740
   0x080484b7 <+43>:	mov    eax,ds:0x8049744
   0x080484bc <+48>:	cmp    edx,eax                      ; if comparison
   0x080484be <+50>:	jge    0x80484ca <main()+62>        ; continue if not <
10	    x=1;
   0x080484c0 <+52>:	mov    DWORD PTR ds:0x8049740,0x1

Loops; global variable - memory, local variable - stack

11
12	  for (count=1; count<10; count++)
   0x080484ca <+62>:	mov    DWORD PTR [ebp-0x4],0x1      // count=1 (local variable - stack)
   0x080484d1 <+69>:	jmp    0x80484e4 <main()+88>
   0x080484e0 <+84>:	add    DWORD PTR [ebp-0x4],0x1      // count++
   0x080484e4 <+88>:	cmp    DWORD PTR [ebp-0x4],0x9      // compare count to 9
   0x080484e8 <+92>:	setle  al                           // al=1 if count<=9
   0x080484eb <+95>:	test   al,al                        // al & al (set flags)
   0x080484ed <+97>:	jne    0x80484d3 <main()+71>
13	    x++;
   0x080484d3 <+71>:	mov    eax,ds:0x8049740             // global variable - memory
   0x080484d8 <+76>:	add    eax,0x1
   0x080484db <+79>:	mov    ds:0x8049740,eax
14	}
   0x080484ef <+99>:	mov    eax,0x0
   0x080484f4 <+104>:	leave