From bbf32efa60fb85a3c660c8e7a651bf99ad60b157 Mon Sep 17 00:00:00 2001 From: camera-2018 <2907618001@qq.com> Date: Wed, 19 Jul 2023 21:10:24 +0800 Subject: [PATCH] chore: update cos link --- .../6.2.1基础工具的使用.md | 66 +++++++++---------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/6.计算机安全/6.2.1基础工具的使用.md b/6.计算机安全/6.2.1基础工具的使用.md index 28f87bd..bb84678 100644 --- a/6.计算机安全/6.2.1基础工具的使用.md +++ b/6.计算机安全/6.2.1基础工具的使用.md @@ -12,7 +12,7 @@ IDA pro 是收费软件,价格极其昂贵,一套完全版人民币 10W 左 ## 0x00 IDA 简单介绍 -![](https://blog-t0hka.oss-cn-hangzhou.aliyuncs.com/img/image-20220809113855166.png) +![](https://pic-hdu-cs-wiki-1307923872.cos.ap-shanghai.myqcloud.com/image-20220809113855166.png) IDA是一款交互式反汇编和反编译工具,其支持文件类型和文件平台丰富。 @@ -20,7 +20,7 @@ IDA是一款交互式反汇编和反编译工具,其支持文件类型和文 ## 0x01 启动界面 -![](https://blog-t0hka.oss-cn-hangzhou.aliyuncs.com/img/image-20220809114834244.png) +![](https://pic-hdu-cs-wiki-1307923872.cos.ap-shanghai.myqcloud.com/image-20220809114834244.png) ``` NEW:打开IDA同时弹出对话框选择要打开的文件 @@ -30,15 +30,15 @@ Previous,或者下面的列表项:快速打开之前的的文件 这里选择Go键,打开以后,将文件拖入 -![](https://blog-t0hka.oss-cn-hangzhou.aliyuncs.com/img/image-20220809124156697.png) +![](https://pic-hdu-cs-wiki-1307923872.cos.ap-shanghai.myqcloud.com/image-20220809124156697.png) -![](https://blog-t0hka.oss-cn-hangzhou.aliyuncs.com/img/image-20220809124408179.png) +![](https://pic-hdu-cs-wiki-1307923872.cos.ap-shanghai.myqcloud.com/image-20220809124408179.png) 这里按我们的默认选项点击OK即可 ## 0x02 关闭界面 -![](https://blog-t0hka.oss-cn-hangzhou.aliyuncs.com/img/image-20220809125554853.png) +![](https://pic-hdu-cs-wiki-1307923872.cos.ap-shanghai.myqcloud.com/image-20220809125554853.png) ``` 第一个选项:就是不打包数据包文件,那么这些数据库文件就会分开这放。 
@@ -53,15 +53,15 @@ Previous,或者下面的列表项:快速打开之前的的文件 反汇编代码的图表窗口 -![](https://blog-t0hka.oss-cn-hangzhou.aliyuncs.com/img/image-20220809130857159.png) +![](https://pic-hdu-cs-wiki-1307923872.cos.ap-shanghai.myqcloud.com/image-20220809130857159.png) 按**空格键**切换成文本结构的反汇编 -![](https://blog-t0hka.oss-cn-hangzhou.aliyuncs.com/img/image-20220809130940294.png) +![](https://pic-hdu-cs-wiki-1307923872.cos.ap-shanghai.myqcloud.com/image-20220809130940294.png) 按**F5**进行反编译跳转至`Pseudocode`(伪代码)界面 -![](https://blog-t0hka.oss-cn-hangzhou.aliyuncs.com/img/image-20220809131038284.png) +![](https://pic-hdu-cs-wiki-1307923872.cos.ap-shanghai.myqcloud.com/image-20220809131038284.png) 然后就可以分析代码逻辑了 @@ -71,19 +71,19 @@ Previous,或者下面的列表项:快速打开之前的的文件 十六进制窗口(不太常用) -![](https://blog-t0hka.oss-cn-hangzhou.aliyuncs.com/img/image-20220809132027773.png) +![](https://pic-hdu-cs-wiki-1307923872.cos.ap-shanghai.myqcloud.com/image-20220809132027773.png) ## 0x05 主界面-Structures 结构体窗口 -![](https://blog-t0hka.oss-cn-hangzhou.aliyuncs.com/img/image-20220809132130778.png) +![](https://pic-hdu-cs-wiki-1307923872.cos.ap-shanghai.myqcloud.com/image-20220809132130778.png) ## 0x06 主界面-Enums 枚举类型界面 -![](https://blog-t0hka.oss-cn-hangzhou.aliyuncs.com/img/image-20220809132242739.png) +![](https://pic-hdu-cs-wiki-1307923872.cos.ap-shanghai.myqcloud.com/image-20220809132242739.png) ## 0x07 主界面-Imports 
@@ -91,23 +91,23 @@ Previous,或者下面的列表项:快速打开之前的的文件 可以查看当前模块用了哪些模块的哪些函数 -![](https://blog-t0hka.oss-cn-hangzhou.aliyuncs.com/img/image-20220809132327043.png) +![](https://pic-hdu-cs-wiki-1307923872.cos.ap-shanghai.myqcloud.com/image-20220809132327043.png) ## 0x08 主界面-Exports 导出表 -![](https://blog-t0hka.oss-cn-hangzhou.aliyuncs.com/img/image-20220809151050575.png) +![](https://pic-hdu-cs-wiki-1307923872.cos.ap-shanghai.myqcloud.com/image-20220809151050575.png) ## 0x09 主界面-Strings 按`Shift+F12`转到`String`界面,该操作会搜索程序中的字符串数据并展示 -![](https://blog-t0hka.oss-cn-hangzhou.aliyuncs.com/img/image-20220809153126737.png) +![](https://pic-hdu-cs-wiki-1307923872.cos.ap-shanghai.myqcloud.com/image-20220809153126737.png) 按`Ctrl+F`后输入想要检索的字符可以快速搜索字符串 -![](https://blog-t0hka.oss-cn-hangzhou.aliyuncs.com/img/image-20220809153408536.png) +![](https://pic-hdu-cs-wiki-1307923872.cos.ap-shanghai.myqcloud.com/image-20220809153408536.png) ## 0x0a 其他界面-Functions @@ -115,7 +115,7 @@ Previous,或者下面的列表项:快速打开之前的的文件 其中一般来说`main`是程序的主要函数 -![](https://blog-t0hka.oss-cn-hangzhou.aliyuncs.com/img/image-20220809151328885.png) +![](https://pic-hdu-cs-wiki-1307923872.cos.ap-shanghai.myqcloud.com/image-20220809151328885.png) ## 0x0b 其他界面-Output @@ -125,13 +125,13 @@ Previous,或者下面的列表项:快速打开之前的的文件 另外还可以直接在下面输入python语句,方便在ida使用过程中简单的数据处理 -![](https://blog-t0hka.oss-cn-hangzhou.aliyuncs.com/img/image-20220809151536894.png) +![](https://pic-hdu-cs-wiki-1307923872.cos.ap-shanghai.myqcloud.com/image-20220809151536894.png) ## 0x0c 其他界面-导航栏 一个二进制文件包括不同的区块,这里显示程序的不同类型数据,不同的颜色代表二进制文件中不同的块 -![](https://blog-t0hka.oss-cn-hangzhou.aliyuncs.com/img/image-20220809151815243.png) +![](https://pic-hdu-cs-wiki-1307923872.cos.ap-shanghai.myqcloud.com/image-20220809151815243.png) 
@@ -170,7 +170,7 @@ Previous,或者下面的列表项:快速打开之前的的文件 IDA 提供可与其交互的IDA Python接口,可以使用Python做很多的辅助操作 -![](https://blog-t0hka.oss-cn-hangzhou.aliyuncs.com/img/image-20220809154742462.png) +![](https://pic-hdu-cs-wiki-1307923872.cos.ap-shanghai.myqcloud.com/image-20220809154742462.png) 可以参考这篇文章了解常用的接口 @@ -184,17 +184,17 @@ IDA 提供可与其交互的IDA Python接口,可以使用Python做很多的辅 可以先在汇编代码或伪代码界面下断点,然后`F9`选择调试器,这里直接选`Local Windows Debugger` -![](https://blog-t0hka.oss-cn-hangzhou.aliyuncs.com/img/image-20220809160044665.png) +![](https://pic-hdu-cs-wiki-1307923872.cos.ap-shanghai.myqcloud.com/image-20220809160044665.png) 之后就可以用F7(单步不跳过执行)/F8(单步跳过执行)/F9(继续执行,遇到断点停止)进行调试 -![](https://blog-t0hka.oss-cn-hangzhou.aliyuncs.com/img/image-20220809163138453.png) +![](https://pic-hdu-cs-wiki-1307923872.cos.ap-shanghai.myqcloud.com/image-20220809163138453.png) ### 调试Linux下的文件 可以先在汇编代码或伪代码界面下断点 -![](https://blog-t0hka.oss-cn-hangzhou.aliyuncs.com/img/image-20220809155352920.png) +![](https://pic-hdu-cs-wiki-1307923872.cos.ap-shanghai.myqcloud.com/image-20220809155352920.png) 由于Linux下文件调试比较特殊,需要远程起一个服务器运行服务端,这里可以使用**Vmware**或者**WSL2(Windows subsystem Linux)**进行调试 
@@ -240,21 +240,21 @@ int main() { ##### 将程序拖入IDA -![](https://blog-t0hka.oss-cn-hangzhou.aliyuncs.com/img/image-20220809173439491.png) +![](https://pic-hdu-cs-wiki-1307923872.cos.ap-shanghai.myqcloud.com/image-20220809173439491.png) -![](https://blog-t0hka.oss-cn-hangzhou.aliyuncs.com/img/image-20220809173548998.png) +![](https://pic-hdu-cs-wiki-1307923872.cos.ap-shanghai.myqcloud.com/image-20220809173548998.png) ##### F5分析查看伪代码 -![](https://blog-t0hka.oss-cn-hangzhou.aliyuncs.com/img/image-20220809173627488.png) +![](https://pic-hdu-cs-wiki-1307923872.cos.ap-shanghai.myqcloud.com/image-20220809173627488.png) 发现有`change`和`check`的自定义函数 按`n`修改一下变量名 -![](https://blog-t0hka.oss-cn-hangzhou.aliyuncs.com/img/image-20220809174001600.png) +![](https://pic-hdu-cs-wiki-1307923872.cos.ap-shanghai.myqcloud.com/image-20220809174001600.png) -![](https://blog-t0hka.oss-cn-hangzhou.aliyuncs.com/img/image-20220809174015603.png) +![](https://pic-hdu-cs-wiki-1307923872.cos.ap-shanghai.myqcloud.com/image-20220809174015603.png) 分别进入里面查看函数逻辑 @@ -262,11 +262,11 @@ int main() { change函数 -![](https://blog-t0hka.oss-cn-hangzhou.aliyuncs.com/img/image-20220809174035800.png) +![](https://pic-hdu-cs-wiki-1307923872.cos.ap-shanghai.myqcloud.com/image-20220809174035800.png) check函数 -![](https://blog-t0hka.oss-cn-hangzhou.aliyuncs.com/img/image-20220809174058831.png) +![](https://pic-hdu-cs-wiki-1307923872.cos.ap-shanghai.myqcloud.com/image-20220809174058831.png) ###### 静态分析逻辑 
@@ -280,19 +280,19 @@ change函数是对输入字符串的每一个字节进行修改 随意的进行一些输入 -![](https://blog-t0hka.oss-cn-hangzhou.aliyuncs.com/img/image-20220809174913326.png) +![](https://pic-hdu-cs-wiki-1307923872.cos.ap-shanghai.myqcloud.com/image-20220809174913326.png) 然后断下来 -![](https://blog-t0hka.oss-cn-hangzhou.aliyuncs.com/img/image-20220809174957987.png) +![](https://pic-hdu-cs-wiki-1307923872.cos.ap-shanghai.myqcloud.com/image-20220809174957987.png) F7进入函数进行单步不跳过调试 -![](https://blog-t0hka.oss-cn-hangzhou.aliyuncs.com/img/image-20220809175413448.png) +![](https://pic-hdu-cs-wiki-1307923872.cos.ap-shanghai.myqcloud.com/image-20220809175413448.png) 遇到类似`strlen`等库函数可以F8单步调试跳过 -![](https://blog-t0hka.oss-cn-hangzhou.aliyuncs.com/img/image-20220809175459668.png) +![](https://pic-hdu-cs-wiki-1307923872.cos.ap-shanghai.myqcloud.com/image-20220809175459668.png) 可以发现输入字符串的每一个字节的Ascii值都减小了1
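Review bot: the `@@ -12,7 +12,7 @@` hunk, and every later hunk in the same way, only swaps the host and path prefix of an image link (from `https://blog-t0hka.oss-cn-hangzhou.aliyuncs.com/img/` to `https://pic-hdu-cs-wiki-1307923872.cos.ap-shanghai.myqcloud.com/`) while keeping the same `image-2022….png` file name; nothing in the patch shows that the 33 objects actually exist at the new location, so before merging please fetch each rewritten URL (for example a loop over `grep -o 'https://pic-hdu[^)]*' 6.计算机安全/6.2.1基础工具的使用.md` with `curl -I`) and confirm all of them return 200, otherwise every screenshot in the IDA tutorial breaks at once.

Review bot: in the `@@ -20,7 +20,7 @@` hunk (and all the other image hunks) the rewritten lines keep the empty alt text of `![](…)`; since all 33 lines are already being touched, this is the cheap moment to add a short description, e.g. `![IDA 启动界面](https://pic-hdu-cs-wiki-1307923872.cos.ap-shanghai.myqcloud.com/image-20220809114834244.png)`, so the page stays readable when the bucket is unreachable and screen readers get something useful.

Review bot: the new host introduced across these hunks embeds the bucket name and APPID (`pic-hdu-cs-wiki-1307923872`), and the page now depends on that bucket being publicly readable; that is fine for images, but please check that the bucket policy grants anonymous read on objects only, with no list or write permission, because anyone able to write there could silently replace a screenshot in a security tutorial. It is also worth considering committing the screenshots into the repository next to the markdown so the docs do not break the next time the image host changes, which is exactly what this patch is repairing.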