Simple way to get opcodes

Posted 2024-10-13 04:38:42

I know how to get the opcodes and the corresponding assembly syntax from an executable; however is there an easy way to get the opcodes of a particular assembly instruction alone, without writing a program using the same and then, manually linking and loading it and doing an objdump on the executable?

Is there a simple way to find the corresponding opcodes of a particular instruction?

Comments (5)

许一世地老天荒 2024-10-20 04:38:42

You can use gdb's (GNU Debugger's) x/bx command.

I made a tutorial here:

http://aimbots.net/tutorials/9276-how-get-op-codes.html

http://aimbots.net/threads/9276-How-to-get-OP-codes

https://web.archive.org/web/20180814185730/http://aimbots.net/threads/9276-How-to-get-OP-codes


TL;DR;404

Assuming you need an OP-code for a specific assembler instruction (for example an x64 instruction, to overwrite C code).

One way to find the OP-code is to read the Intel Developer's manual.
Unfortunately, this takes very long, and almost never leads to the right finding.

So here is the fast way, the gdb way.

Let's assume we want the OP code for jmp rel32, and for call.

The way to do this is to write a tiny assembler program.

.section .data
text: .ascii "hello\n"
.section .text
.globl _start
_start:
    jmp 10000000
    call 7500000
    movl $4, %eax
    movl $1, %ebx
    movl $text, %ecx
    movl $6, %edx
    int $0x80
exit:
    movl $1, %eax
    movl $0, %ebx
    int $0x80 #linux equivalent to int 21h

Save as lookup.gas

Compile:

as lookup.gas -o lookup.o
ld -o lookup lookup.o

Now, open it in gdb:
gdb lookup

gdb lookup
GNU gdb 6.8-debian
Copyright © 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(no debugging symbols found)
(gdb) disas _start
Dump of assembler code for function _start:
0x08048074 <_start+0>: jmp 0x989680
0x08048079 <_start+5>: call 0x7270e0
0x0804807e <_start+10>: mov $0x4,%eax
0x08048083 <_start+15>: mov $0x1,%ebx
0x08048088 <_start+20>: mov $0x80490a0,%ecx
0x0804808d <_start+25>: mov $0x6,%edx
0x08048092 <_start+30>: int $0x80
End of assembler dump.
(gdb) x/bx _start+0
0x8048074 <_start>: 0xe9
(gdb) x/bx _start+5
0x8048079 <_start+5>: 0xe8
(gdb) q

--> JMP REL32 = 0xE9
--> CALL = 0xE8

Since gdb & GAS are available on Windoze, too, you can also do it there...

PS: If you don't like AT&T assembler syntax:

; yasm -f elf32 jmprel32.nasm -o jmprel32.o
; ld -o jmprel32 jmprel32.o

; or

; nasm -f elf jmprel32.nasm
; ld -s -o jmprel32 jmprel32.o


section .data

section .text
    global _start

_start:
    jmp exit
    jmp 1234567890
    call 1234567890
exit:
    mov eax,1           ; The system call for exit (sys_exit)
    xor ebx,ebx         ; Exit with return code of 0 (no error)
    int 80h

And so on:

GNU gdb 6.8-debian
Copyright © 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(no debugging symbols found)
(gdb) disas _start
Dump of assembler code for function _start:
0x08048060 <_start+0>: jmp 0x804806c <_start+12>
0x08048062 <_start+2>: jmp 0x519a8334
0x08048067 <_start+7>: call 0x519a8339
0x0804806c <_start+12>: mov $0x1,%eax
0x08048071 <_start+17>: xor %ebx,%ebx
0x08048073 <_start+19>: int $0x80
End of assembler dump.
(gdb) x/bx _start+2
0x8048062 <_start+2>: 0xe9
(gdb) x/bx _start+7
0x8048067 <_start+7>: 0xe8
(gdb) x/bx _start+0
0x8048060 <_start>: 0xeb
(gdb) q

Or you can

objdump -drwC -Mintel lookup.o 

to get disassembly with hex machine code for the whole instruction, with bytes space-separated.
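An added example (my own code, not from the answer above or from gdb/GAS) that shows why only the first byte is the "opcode" the answer reads out with x/bx: the operand of E9/E8/EB is a displacement relative to the end of the instruction, so the remaining bytes depend on where the instruction is placed. It reproduces the instructions from the two gdb transcripts above (jmp rel32, call rel32, and the short jmp that gdb showed as 0xeb); the function names are my own.

```python
import struct

# Encoder/decoder for the three x86 control-transfer forms exposed by the
# gdb sessions above: jmp rel32 (E9), call rel32 (E8), jmp rel8 (EB).
# The displacement is relative to the END of the instruction, which is why
# the bytes after the opcode change when the instruction moves.

OPCODES = {"jmp": 0xE9, "call": 0xE8}


def encode_rel32(mnemonic, insn_addr, target):
    """5-byte E9/E8 encoding of `mnemonic target` located at insn_addr."""
    opcode = OPCODES[mnemonic]
    disp = target - (insn_addr + 5)          # relative to the next instruction
    if not -2**31 <= disp < 2**31:
        raise ValueError("target out of rel32 range")
    return bytes([opcode]) + struct.pack("<i", disp)


def encode_jmp_short(insn_addr, target):
    """2-byte EB rel8 form, the one gdb showed for `jmp exit` (0xeb)."""
    disp = target - (insn_addr + 2)
    if not -128 <= disp < 128:
        raise ValueError("target out of rel8 range; use encode_rel32")
    return bytes([0xEB]) + struct.pack("<b", disp)


def decode(code, insn_addr):
    """Turn one E9/E8/EB instruction back into (mnemonic, target, length)."""
    opcode = code[0]
    if opcode == 0xEB:
        disp = struct.unpack("<b", code[1:2])[0]
        return "jmp short", insn_addr + 2 + disp, 2
    if opcode in (0xE9, 0xE8):
        disp = struct.unpack("<i", code[1:5])[0]
        return ("jmp" if opcode == 0xE9 else "call"), insn_addr + 5 + disp, 5
    raise ValueError(f"not a jmp/call opcode: {opcode:#04x}")


if __name__ == "__main__":
    # Addresses and targets as printed by gdb in the transcripts above.
    samples = (
        (0x08048074, encode_rel32("jmp", 0x08048074, 0x989680)),
        (0x08048079, encode_rel32("call", 0x08048079, 0x7270E0)),
        (0x08048060, encode_jmp_short(0x08048060, 0x0804806C)),
    )
    for addr, code in samples:
        name, target, _ = decode(code, addr)
        print(f"{addr:#010x}: {code.hex(' '):<16} {name} {target:#x}")
```

Running it prints the same opcode bytes the x/bx commands above returned (e9, e8, eb), followed by the displacement bytes that gdb's disassembly had already resolved into absolute targets.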

掌心的温暖 2024-10-20 04:38:42

For x86, you can just look them up in the Intel Manual (Part 1 (A-M), Part 2 (N-Z)). And no, I don't know why the manual is split in 2 parts.

黒涩兲箜 2024-10-20 04:38:42

I asked a similar question a while back (DOS debug-like program for 32-bit x86 assembly).

Someone was kind enough to provide me with an automated script to do this. You can follow the link to the question, or refer to the script they provided to me below ...

opcode() {
  # Assemble the instruction(s) passed as arguments with nasm's flat binary
  # output (-f bin, its default), then dump the bytes one per column so they
  # read in memory order; od -x would print byte-swapped 16-bit words.
  printf '%s\n' "$*" > tmp.S && nasm -f bin tmp.S -o tmp.o && od -An -tx1 tmp.o
  rm -f tmp.o tmp.S
}

Hope this helps.

落墨 2024-10-20 04:38:42

X86 Opcode and Instruction Reference contains a bunch of reference tables of instructions and their corresponding opcodes on both 32-bit and 64-bit x86 processors.

可爱咩 2024-10-20 04:38:42

I'm not sure why you want opcodes. But if it's for exploit development you probably already have metasploit, which comes with a really useful Ruby script called nasm_shell.rb (in the tools directory).

Each line you type comes out as an ascii hex representation of the correct opcodes.

If it's for some other purpose, or you don't want some heavyweight toolkit like metasploit hanging around for whatever reason, you can just pull out the script and install its dependencies. It uses Rex and assumes nasm is installed.

If you want to adapt it, the actual code you need is just a few lines in the function shell.run.
