
Tools

Once the toolchain has been built you get a large set of tools. The build-binutils-linux/binutils directory contains many RISC-V-capable ones; the most useful are readelf and objdump.

We use the asm challenge from RCTF 2019 as the worked example.

readelf

Use the command:

./readelf -a asm

to dump all the information at once.

ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           RISC-V
  Version:                           0x1
  Entry point address:               0x100b0
  Start of program headers:          64 (bytes into file)
  Start of section headers:          60984 (bytes into file)
  Flags:                             0x5, RVC, double-float ABI
  Size of this header:               64 (bytes)
  Size of program headers:           56 (bytes)
  Number of program headers:         2
  Size of section headers:           64 (bytes)
  Number of section headers:         12
  Section header string table index: 11

Section Headers:
  [Nr] Name              Type             Address           Offset
       Size              EntSize          Flags  Link  Info  Align
  [ 0]                   NULL             0000000000000000  00000000
       0000000000000000  0000000000000000           0     0     0
  [ 1] .text             PROGBITS         00000000000100b0  000000b0
       000000000000ce48  0000000000000000  AX       0     0     2
  [ 2] .rodata           PROGBITS         000000000001cf00  0000cf00
       0000000000000c88  0000000000000000   A       0     0     16
  [ 3] .eh_frame         PROGBITS         000000000001eb88  0000db88
       0000000000000004  0000000000000000  WA       0     0     4
  [ 4] .init_array       INIT_ARRAY       000000000001eb90  0000db90
       0000000000000008  0000000000000008  WA       0     0     8
  [ 5] .fini_array       FINI_ARRAY       000000000001eb98  0000db98
       0000000000000008  0000000000000008  WA       0     0     8
  [ 6] .data             PROGBITS         000000000001eba0  0000dba0
       0000000000001194  0000000000000000  WA       0     0     8
  [ 7] .sdata            PROGBITS         000000000001fd38  0000ed38
       0000000000000090  0000000000000000  WA       0     0     8
  [ 8] .sbss             NOBITS           000000000001fdc8  0000edc8
       0000000000000028  0000000000000000  WA       0     0     8
  [ 9] .bss              NOBITS           000000000001fdf0  0000edc8
       0000000000000068  0000000000000000  WA       0     0     8
  [10] .comment          PROGBITS         0000000000000000  0000edc8
       0000000000000011  0000000000000001  MS       0     0     1
  [11] .shstrtab         STRTAB           0000000000000000  0000edd9
       000000000000005c  0000000000000000           0     0     1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
  L (link order), O (extra OS processing required), G (group), T (TLS),
  C (compressed), x (unknown), o (OS specific), E (exclude),
  p (processor specific)

There are no section groups in this file.

Program Headers:
  Type           Offset             VirtAddr           PhysAddr
                 FileSiz            MemSiz              Flags  Align
  LOAD           0x0000000000000000 0x0000000000010000 0x0000000000010000
                 0x000000000000db88 0x000000000000db88  R E    0x1000
  LOAD           0x000000000000db88 0x000000000001eb88 0x000000000001eb88
                 0x0000000000001240 0x00000000000012d0  RW     0x1000

 Section to Segment mapping:
  Segment Sections...
   00     .text .rodata
   01     .eh_frame .init_array .fini_array .data .sdata .sbss .bss

There is no dynamic section in this file.

There are no relocations in this file.

The decoding of unwind sections for machine type RISC-V is not currently supported.

No version information found in this file.

What we care about most are the start addresses of the individual sections: .text begins at 0x100b0, which is also the entry point, and .rodata at 0x1cf00, so string references in the disassembly will land in that range. Two other details in this dump matter for what follows. There is no dynamic section and there are no relocations, and the only program headers are the two LOAD segments, so the binary is statically linked and all of its library code sits inside .text alongside the challenge logic. The ELF flags report RVC, meaning the code mixes 16-bit compressed instructions with 32-bit ones (note that .text has an alignment of 2, not 4), so when reading raw bytes by hand you cannot assume every instruction is 4 bytes wide.

objdump

As a "powerful" disassembler, objdump is indispensable:

./objdump -d asm > disasm.txt

This gives us the RISC-V assembly. When checking instructions against the ISA manual it can help to add -M no-aliases so that pseudo-instructions such as li and ret are printed as the underlying addi and jalr.

Then it is a matter of opening the instruction manual and auditing the code slowly.
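To make the two points above concrete (which header fields readelf is reading, and why the RVC flag matters when you walk .text yourself), here is an added example that is not part of the original post or of binutils. It parses the ELF64 header, section headers and program headers the same way readelf does, renders the RISC-V e_flags, maps a virtual address back to a file offset through the LOAD segments, and splits a code stream into instructions using the RISC-V length-encoding rule (low two bits != 11 means a 16-bit compressed instruction). The RCTF binary is not included, so build_sample_elf() constructs a minimal RISC-V executable image in memory that mirrors the real file's layout (.text at file offset 0xb0, vaddr 0x100b0, flags 0x5); its contents are an assumption for demonstration only.

```python
import struct

# ELF and RISC-V psABI constants
EM_RISCV = 243
PT_LOAD = 1
SHT_NOBITS = 8
EF_RISCV_RVC = 0x1
EF_RISCV_FLOAT_ABI_MASK = 0x6
FLOAT_ABI = {0x0: "soft-float", 0x2: "single-float", 0x4: "double-float", 0x6: "quad-float"}

EHDR_FMT = "<HHIQQQIHHHHHH"  # ELF64 e_type .. e_shstrndx (follows the 16-byte e_ident)
PHDR_FMT = "<IIQQQQQQ"       # ELF64 program header, 56 bytes
SHDR_FMT = "<IIQQQQIIQQ"     # ELF64 section header, 64 bytes


def parse_elf64(data):
    """Parse header, section headers and program headers of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("this parser handles ELF64 little-endian only")
    names = ("type", "machine", "version", "entry", "phoff", "shoff", "flags",
             "ehsize", "phentsize", "phnum", "shentsize", "shnum", "shstrndx")
    hdr = dict(zip(names, struct.unpack_from(EHDR_FMT, data, 16)))
    raw = [struct.unpack_from(SHDR_FMT, data, hdr["shoff"] + i * hdr["shentsize"])
           for i in range(hdr["shnum"])]
    strtab = raw[hdr["shstrndx"]][4]  # file offset of .shstrtab, which holds section names

    def name_at(idx):
        return data[strtab + idx:data.index(b"\x00", strtab + idx)].decode()

    sections = [dict(name=name_at(s[0]), type=s[1], flags=s[2], addr=s[3], offset=s[4], size=s[5])
                for s in raw]
    segments = []
    for i in range(hdr["phnum"]):
        p = struct.unpack_from(PHDR_FMT, data, hdr["phoff"] + i * hdr["phentsize"])
        segments.append(dict(type=p[0], flags=p[1], offset=p[2], vaddr=p[3], filesz=p[5], memsz=p[6]))
    return dict(header=hdr, sections=sections, segments=segments)


def describe_riscv_flags(e_flags):
    """Render e_flags the way readelf prints them for RISC-V, e.g. 'RVC, double-float ABI'."""
    parts = ["RVC"] if e_flags & EF_RISCV_RVC else []
    parts.append(FLOAT_ABI[e_flags & EF_RISCV_FLOAT_ABI_MASK] + " ABI")
    return ", ".join(parts)


def vaddr_to_offset(elf, vaddr):
    """Map a virtual address to its file offset through the PT_LOAD segments."""
    for seg in elf["segments"]:
        if seg["type"] == PT_LOAD and seg["vaddr"] <= vaddr < seg["vaddr"] + seg["filesz"]:
            return seg["offset"] + (vaddr - seg["vaddr"])
    raise ValueError(f"0x{vaddr:x} is not backed by file data (bss or unmapped)")


def section_bytes(data, elf, name):
    """Return the file bytes of a named section (empty for NOBITS sections such as .bss)."""
    for s in elf["sections"]:
        if s["name"] == name:
            return b"" if s["type"] == SHT_NOBITS else data[s["offset"]:s["offset"] + s["size"]]
    raise KeyError(name)


def split_instructions(code, base_addr):
    """Split a code stream into (address, length, word) tuples using the RISC-V length rule:
    bits[1:0] != 0b11 -> 16-bit (RVC); bits[4:0] != 0b11111 -> 32-bit; anything longer is rejected."""
    out, pos = [], 0
    while pos < len(code):
        low = code[pos]
        n = 2 if low & 0b11 != 0b11 else 4
        if low & 0b11111 == 0b11111:
            raise ValueError(f"instruction longer than 32 bits at 0x{base_addr + pos:x}")
        if pos + n > len(code):
            raise ValueError("truncated instruction at end of section")
        out.append((base_addr + pos, n, int.from_bytes(code[pos:pos + n], "little")))
        pos += n
    return out


def build_sample_elf():
    """Constructed sample (assumption, not the RCTF binary): a minimal ELF64 RISC-V executable
    with headers first, .text at file offset 0xb0 / vaddr 0x100b0, and e_flags 0x5."""
    text = bytes.fromhex("13050000" "0145" "8280")  # li a0,0 (32-bit); c.li a0,0; c.jr ra (16-bit)
    data = b"RCTF\x00\x00\x00\x00"
    shstrtab = b"\x00.text\x00.data\x00.shstrtab\x00"
    phoff, text_off = 64, 64 + 2 * 56
    data_off = text_off + len(text)
    shstr_off = data_off + len(data)
    shoff = (shstr_off + len(shstrtab) + 7) & ~7
    text_addr, data_addr = 0x100b0, 0x200b8
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr += struct.pack(EHDR_FMT, 2, EM_RISCV, 1, text_addr, phoff, shoff, 0x5, 64, 56, 2, 64, 4, 3)
    phdr = struct.pack(PHDR_FMT, PT_LOAD, 5, 0, 0x10000, 0x10000, data_off, data_off, 0x1000)
    phdr += struct.pack(PHDR_FMT, PT_LOAD, 6, data_off, data_addr, data_addr, len(data), len(data), 0x1000)
    body = ehdr + phdr + text + data + shstrtab
    body += b"\x00" * (shoff - len(body))

    def sh(name, typ, flags, addr, off, size, align):
        return struct.pack(SHDR_FMT, name, typ, flags, addr, off, size, 0, 0, align, 0)

    shdr = (sh(0, 0, 0, 0, 0, 0, 0) + sh(1, 1, 0x6, text_addr, text_off, len(text), 2)
            + sh(7, 1, 0x3, data_addr, data_off, len(data), 8)
            + sh(13, 3, 0, 0, shstr_off, len(shstrtab), 1))
    return body + shdr


if __name__ == "__main__":
    image = build_sample_elf()
    elf = parse_elf64(image)
    h = elf["header"]
    print(f"Machine {h['machine']}  Entry 0x{h['entry']:x}  Flags 0x{h['flags']:x}, {describe_riscv_flags(h['flags'])}")
    for s in elf["sections"][1:]:
        print(f"  {s['name']:<10} addr 0x{s['addr']:016x} offset 0x{s['offset']:08x} size 0x{s['size']:x}")
    for addr, n, word in split_instructions(section_bytes(image, elf, ".text"), h["entry"]):
        print(f"  {addr:x}: {word:0{2 * n}x}  ({n} bytes)")
```

Run against the real asm binary by replacing build_sample_elf() with open("asm", "rb").read(); the section table printed should match the readelf dump above, and split_instructions() on .text shows the mix of 2- and 4-byte instructions that the RVC flag announces.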

Planned follow-ups (a deep rabbit hole):

Try to set up a RISC-V debugging environment and debug the binary with gdb.
