```shell
┌──(kali㉿kali)-[~/code]
└─$ file debugger0_a
debugger0_a: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=15a10290db2cd2ec0c123cf80b88ed7d7f5cf9ff, for GNU/Linux 3.2.0, not stripped
```

▲ From this we know the file is a 64-bit x86-64 [ELF](https://hackmd.io/dZ29HoB9Q4qJAfQ4-mXtiw#ELF) executable. Two details matter for what follows: it is `not stripped`, so the symbol table (including `main`) is still present and functions can be referred to by name, and it is a `pie executable`, so the addresses gdb prints before the program is started are offsets from a load base of 0, not the addresses the code will have once the loader relocates it. We use gdb to disassemble it.

```shell
┌──(kali㉿kali)-[~/code]
└─$ gdb debugger0_a
GNU gdb (Debian 13.2-1) 13.2
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from debugger0_a...
(No debugging symbols found in debugger0_a)
gdb-peda$ info function
All defined functions:

Non-debugging symbols:
0x0000000000001000  _init
0x0000000000001030  __cxa_finalize@plt
0x0000000000001040  _start
0x0000000000001070  deregister_tm_clones
0x00000000000010a0  register_tm_clones
0x00000000000010e0  __do_global_dtors_aux
0x0000000000001120  frame_dummy
0x0000000000001129  main
0x0000000000001140  __libc_csu_init
0x00000000000011b0  __libc_csu_fini
0x00000000000011b8  _fini
```

`(No debugging symbols found ...)` is not a contradiction of `not stripped`: it means there is no DWARF debug info (source lines, variable names), but the plain function symbols are still there, which is why `main` appears under *Non-debugging symbols* at `0x1129`.

Hint: *main is actually a recognized symbol that can be used with gdb commands.* So we disassemble `main`:

```shell
gdb-peda$ disas main
Dump of assembler code for function main:
   0x0000000000001129 <+0>:     endbr64
   0x000000000000112d <+4>:     push   rbp
   0x000000000000112e <+5>:     mov    rbp,rsp
   0x0000000000001131 <+8>:     mov    DWORD PTR [rbp-0x4],edi
   0x0000000000001134 <+11>:    mov    QWORD PTR [rbp-0x10],rsi
   0x0000000000001138 <+15>:    mov    eax,0x86342
   0x000000000000113d <+20>:    pop    rbp
   0x000000000000113e <+21>:    ret
End of assembler dump.
```

The two stores at `<+8>` and `<+11>` just spill `main`'s arguments (`argc` in `edi`, `argv` in `rsi`) to the stack; nothing reads them back. On x86-64 (System V ABI) a function's integer return value is passed back in `eax`/`rax`, so the line `0x0000000000001138 <+15>: mov eax,0x86342` immediately followed by `ret` tells us that `main` returns **0x86342**. That is the flag value; we use Python to convert it from hex to decimal:

```shell
┌──(kali㉿kali)-[~]
└─$ python3
Python 3.11.2 (main, Mar 13 2023, 12:18:29) [GCC 12.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> 0x86342
549698
```

## notes:
- A **disassembler** is a program that **translates machine code into assembly language**.
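As an added example (not part of the original writeup), the script below automates the reasoning used above: it parses a gdb `disas` listing, follows what is written into `eax` up to the `ret`, and converts the immediate to decimal. The embedded listing is a copy of the `disas main` output from this page; the function names (`parse_gdb_disassembly`, `return_value_immediate`, `shell_exit_status`) are my own, and the parser only handles straight-line code in gdb's Intel syntax, as gdb-peda prints it.

```python
import re

# Constructed sample input: the `disas main` listing from the writeup,
# in the Intel syntax that gdb-peda configures by default.
SAMPLE_DISASSEMBLY = """\
Dump of assembler code for function main:
   0x0000000000001129 <+0>:     endbr64
   0x000000000000112d <+4>:     push   rbp
   0x000000000000112e <+5>:     mov    rbp,rsp
   0x0000000000001131 <+8>:     mov    DWORD PTR [rbp-0x4],edi
   0x0000000000001134 <+11>:    mov    QWORD PTR [rbp-0x10],rsi
   0x0000000000001138 <+15>:    mov    eax,0x86342
   0x000000000000113d <+20>:    pop    rbp
   0x000000000000113e <+21>:    ret
End of assembler dump.
"""

# One gdb instruction line: "<addr> <+off>:  mnemonic  operands"
INSN_RE = re.compile(r"^\s*0x[0-9a-fA-F]+\s+<\+\d+>:\s+(\S+)\s*(.*)$")


def parse_gdb_disassembly(text):
    """Return (mnemonic, operands) pairs from a gdb `disas` listing."""
    insns = []
    for line in text.splitlines():
        m = INSN_RE.match(line)
        if m:
            insns.append((m.group(1), m.group(2).strip()))
    return insns


def parse_imm(s):
    """Parse a gdb immediate such as 0x86342, 42 or -0x1 (no leading-zero octal)."""
    neg = s.startswith("-")
    s = s.lstrip("-")
    v = int(s, 16) if s.lower().startswith("0x") else int(s, 10)
    return -v if neg else v


def return_value_immediate(text):
    """Statically work out what eax holds when the function reaches `ret`.

    Returns an int when eax was last loaded with an immediate (or zeroed with
    the `xor eax,eax` idiom), and None when it comes from a call or a memory
    load, which cannot be resolved from one function's listing alone.
    Branches are not followed; this is a straight-line reading only.
    """
    value = None
    for mnem, ops in parse_gdb_disassembly(text):
        ops = ops.replace(" ", "")
        if mnem == "ret":
            break
        if mnem == "mov" and re.fullmatch(r"[er]ax,-?(0x[0-9a-fA-F]+|\d+)", ops):
            value = parse_imm(ops.split(",")[1])
        elif mnem == "xor" and ops in ("eax,eax", "rax,rax"):
            value = 0  # compiler idiom for `return 0`
        elif mnem in ("mov", "lea", "movzx", "movsx") and ops.startswith(("eax,", "rax,")):
            value = None  # eax overwritten from a register or memory operand
        elif mnem == "call":
            value = None  # the callee's return value replaces eax
    return value


def signed32(v):
    """Interpret a 32-bit eax value as the C `int` that main returns."""
    v &= 0xFFFFFFFF
    return v - (1 << 32) if v & 0x80000000 else v


def shell_exit_status(ret):
    """What `$?` shows after main returns `ret`: only the low 8 bits survive."""
    return ret & 0xFF


if __name__ == "__main__":
    v = return_value_immediate(SAMPLE_DISASSEMBLY)
    print(f"main returns {v:#x} = {v} (as int: {signed32(v)}); $? would show {shell_exit_status(v)}")
```

The `shell_exit_status` helper is there for a check a practitioner will reach for first: running the binary and looking at `$?` does not recover the flag, because the kernel keeps only the low 8 bits of the value returned from `main`, so `0x86342` shows up as `66`. Reading the immediate out of the disassembly, as the writeup does, is the only way to get the full value.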