修改可执行文件，改变程序走向，把jne 改成je

1. 准备样本程序源代码

#include <stdio.h>#include <unistd.h>void main(){        char buf[1]={0};        while(1){                if(buf[0]==0){                        printf("11111\n");                }                else{                        printf("22222\n");                }                sleep(1);        };}

2. 编译生成a.out

$ gcc a.c

3.  运行输出：

$ ./a.out 111111111111111

4. 反汇编

$objdump -d a.out >a.S

5. 查看法反汇编出来的代码，main函数部分

0000000000400586 <main>:  400586:       55                      push   %rbp  400587:       48 89 e5                mov    %rsp,%rbp  40058a:       48 83 ec 10             sub    $0x10,%rsp  40058e:       c6 45 ff 00             movb   $0x0,-0x1(%rbp)  400592:       0f b6 45 ff             movzbl -0x1(%rbp),%eax  400596:       84 c0                   test   %al,%al  400598:       75 0c                   jne    4005a6 <main+0x20>  40059a:       bf 50 06 40 00          mov    $0x400650,%edi  40059f:       e8 ac fe ff ff          callq  400450 <puts@plt>  4005a4:       eb 0a                   jmp    4005b0 <main+0x2a>  4005a6:       bf 56 06 40 00          mov    $0x400656,%edi  4005ab:       e8 a0 fe ff ff          callq  400450 <puts@plt>  4005b0:       bf 01 00 00 00          mov    $0x1,%edi  4005b5:       e8 c6 fe ff ff          callq  400480 <sleep@plt>  4005ba:       eb d6                   jmp    400592 <main+0xc>  4005bc:       0f 1f 40 00             nopl   0x0(%rax)

6. 注意

 if(buf[0]==0){

对应

  400598:       75 0c                   jne    4005a6 <main+0x20>

7. bvi打开文件，定位到 0x598周围数据如下

$ bvi a.out

0000058C  EC 10 C6 45 FF 00 0F B6 45 FF 84 C0 75 0C BF 50 06 40 00 E8 ...E....E...u..P.@..000005A0  AC FE FF FF EB 0A BF 56 06 40 00 E8 A0 FE FF FF BF 01 00 00 .......V.@..........

8. 把0x598处 0x75改成 0x74

0000058C  EC 10 C6 45 FF 00 0F B6 45 FF 84 C0 74 0C BF 50 06 40 00 E8 ...E....E...u..P.@..000005A0  AC FE FF FF EB 0A BF 56 06 40 00 E8 A0 FE FF FF BF 01 00 00 .......V.@..........

9. 保存，并执行，查看输出

$ ./a.out 2222222222

成功改变if判断走向。

说明：0x75 对应 汇编指令jne, 0x74 对应汇编指令 je

修改后的文件反汇编出来的代码main 部分如下

0000000000400586 <main>:  400586:       55                      push   %rbp  400587:       48 89 e5                mov    %rsp,%rbp  40058a:       48 83 ec 10             sub    $0x10,%rsp  40058e:       c6 45 ff 00             movb   $0x0,-0x1(%rbp)  400592:       0f b6 45 ff             movzbl -0x1(%rbp),%eax  400596:       84 c0                   test   %al,%al  400598:       74 0c                   je     4005a6 <main+0x20>  40059a:       bf 50 06 40 00          mov    $0x400650,%edi  40059f:       e8 ac fe ff ff          callq  400450 <puts@plt>  4005a4:       eb 0a                   jmp    4005b0 <main+0x2a>  4005a6:       bf 56 06 40 00          mov    $0x400656,%edi  4005ab:       e8 a0 fe ff ff          callq  400450 <puts@plt>  4005b0:       bf 01 00 00 00          mov    $0x1,%edi  4005b5:       e8 c6 fe ff ff          callq  400480 <sleep@plt>  4005ba:       eb d6                   jmp    400592 <main+0xc>  4005bc:       0f 1f 40 00             nopl   0x0(%rax)