출처 : http://aimbots.net/tutorials/9276-how-get-op-codes.html
Assuming you need an OP-code for a specific assembler instruction (for example an x64 instruction, to overwrite C-Code.)
One way to find the OP-code is to read the Intel Developer's manual.
Unfortunately, this takes very long, and almost never leads to the right finding.
So here is the fast way, the gdb way.
Let's assume we want the OP code for jmp rel32, and for call
The way to do this is to write a tiny assembler program.
save as lookup.gas
Compile:
Now, open it in gdb:
gdb lookup
--> JMP REL32 = 0xE9
--> CALL = 0xE8
One way to find the OP-code is to read the Intel Developer's manual.
Unfortunately, this takes very long, and almost never leads to the right finding.
So here is the fast way, the gdb way.
Let's assume we want the OP code for jmp rel32, and for call
The way to do this is to write a tiny assembler program.
Code:
.section .data
text: .ascii "hello\n"
.section .text
.globl _start
_start:
jmp 10000000
call 7500000
movl $4, %eax
movl $1, %ebx
movl $text, %ecx
movl $6, %edx
int $0x80
exit:
movl $1, %eax
movl $0, %ebx
int $0x80 #linux equivalent to int 21hCompile:
Code:
as lookup.gas -o lookup.o ld -o lookup lookup.o
gdb lookup
gdb lookup
GNU gdb 6.8-debian
Copyright © 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(no debugging symbols found)
(gdb) disas _start
Dump of assembler code for function _start:
0x08048074 <_start+0>: jmp 0x989680
0x08048079 <_start+5>: call 0x7270e0
0x0804807e <_start+10>: mov $0x4,%eax
0x08048083 <_start+15>: mov $0x1,%ebx
0x08048088 <_start+20>: mov $0x80490a0,%ecx
0x0804808d <_start+25>: mov $0x6,%edx
0x08048092 <_start+30>: int $0x80
End of assembler dump.
(gdb) x/bx _start+0
0x8048074 <_start>: 0xe9
(gdb) x/bx _start+5
0x8048079 <_start+5>: 0xe8
(gdb) q
GNU gdb 6.8-debian
Copyright © 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(no debugging symbols found)
(gdb) disas _start
Dump of assembler code for function _start:
0x08048074 <_start+0>: jmp 0x989680
0x08048079 <_start+5>: call 0x7270e0
0x0804807e <_start+10>: mov $0x4,%eax
0x08048083 <_start+15>: mov $0x1,%ebx
0x08048088 <_start+20>: mov $0x80490a0,%ecx
0x0804808d <_start+25>: mov $0x6,%edx
0x08048092 <_start+30>: int $0x80
End of assembler dump.
(gdb) x/bx _start+0
0x8048074 <_start>: 0xe9
(gdb) x/bx _start+5
0x8048079 <_start+5>: 0xe8
(gdb) q
--> CALL = 0xE8
WRITTEN BY
- RootFriend
개인적으로... 나쁜 기억력에 도움되라고 만들게되었습니다.
,
