6.828 lab1 Exercise 2 infinite-loop problem - V2EX
dogedoge · 2020-04-21 · via Assembly

https://pdos.csail.mit.edu/6.828/2018/labs/lab1/

Versions:

  • qemu: QEMU emulator version 1.5.3 (qemu-kvm-1.5.3-167.el7_7.4), Copyright (c) 2003-2008 Fabrice Bellard
  • centos: CentOS-7-x86_64-Minimal-1908
  • gdb: GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-115.el7

In the section "The ROM BIOS", window A runs make qemu-gdb and window B runs make gdb.

A:

/usr/libexec/qemu-kvm -drive file=obj/kern/kernel.img,index=0,media=disk,format=raw -serial mon:stdio -gdb tcp::25000 -D qemu.log  -S
VNC server running on `::1:5900'

B, single-stepping with si:

[f000:fff0]    0xffff0: ljmp   $0xf000,$0xe05b
[f000:e05b]    0xfe05b: cmpl   $0x0,%cs:0x69c8
[f000:e062]    0xfe062: jne    0xfd0f7
[f000:e066]    0xfe066: xor    %dx,%dx
[f000:e068]    0xfe068: mov    %dx,%ss
[f000:e070]    0xfe070: mov    $0xf1399,%edx
[f000:e076]    0xfe076: jmp    0xfcf8c
[f000:cf8c]    0xfcf8c: cli
[f000:cf8d]    0xfcf8d: cld
[f000:cf8e]    0xfcf8e: mov    %eax,%ecx
[f000:cf91]    0xfcf91: mov    $0x8f,%eax
[f000:cf97]    0xfcf97: out    %al,$0x70
[f000:cf9b]    0xfcf9b: in     $0x92,%al
[f000:cf9d]    0xfcf9d: or     $0x2,%al
[f000:cf9f]    0xfcf9f: out    %al,$0x92
[f000:cfa4]    0xfcfa4: lidtw  %cs:0x69b8
[f000:cfaa]    0xfcfaa: lgdtw  %cs:0x6974
[f000:cfb0]    0xfcfb0: mov    %cr0,%ecx
[f000:cfb3]    0xfcfb3: and    $0x1fffffff,%ecx
[f000:cfba]    0xfcfba: or     $0x1,%ecx
[f000:cfbe]    0xfcfbe: mov    %ecx,%cr0

After entering protected mode (PE):

The target architecture is assumed to be i386
=> 0xfcfc9:     mov    $0x10,%ecx
=> 0xfcfce:     mov    %ecx,%ds
=> 0xfcfd0:     mov    %ecx,%es
=> 0xfcfd2:     mov    %ecx,%ss
=> 0xfcfd6:     mov    %ecx,%gs
=> 0xfcfd8:     jmp    *%edx
=> 0xf1399:     sub    $0x8,%esp
=> 0xf139c:     movl   $0xf4254,0x4(%esp)
=> 0xf13a4:     movl   $0xf390a,(%esp)
=> 0xf13ab:     call   0xee4dd
=> 0xee4dd:     lea    0x8(%esp),%ecx
=> 0xee4e1:     mov    0x4(%esp),%edx
=> 0xee4e5:     mov    $0xf4200,%eax
=> 0xee4ea:     call   0xedd5a
=> 0xedd5a:     push   %ebp
=> 0xedd5b:     push   %edi
=> 0xedd5c:     push   %esi
=> 0xedd5d:     push   %ebx
=> 0xedd5e:     sub    $0xc,%esp
=> 0xedd61:     mov    %eax,%ebx
=> 0xedd63:     mov    %edx,0x4(%esp)
=> 0xedd67:     mov    %ecx,%ebp
=> 0xedd69:     mov    0x4(%esp),%esi
=> 0xedd6d:     movsbl (%esi),%edx
=> 0xedd70:     test   %dl,%dl
=> 0xedd72:     je     0xedfb6
=> 0xedd78:     cmp    $0x25,%dl
=> 0xedd7b:     jne    0xede1b
=> 0xede1b:     mov    %ebx,%eax
=> 0xede1d:     call   0xec570
=> 0xec570:     mov    %eax,%ecx
=> 0xec572:     movsbl %dl,%edx
=> 0xec575:     call   *(%ecx)
=> 0xec565:     mov    %edx,%eax
=> 0xec567:     mov    0xf683c,%dx
=> 0xec56e:     out    %al,(%dx)
=> 0xec577:     ret

=> 0xede22:     jmp    0xedfaa
=> 0xedfaa:     lea    0x1(%esi),%eax
=> 0xedfad:     mov    %eax,0x4(%esp)
=> 0xedfb1:     jmp    0xedd69
=> 0xedd69:     mov    0x4(%esp),%esi
=> 0xedd6d:     movsbl (%esi),%edx
=> 0xedd70:     test   %dl,%dl
=> 0xedd72:     je     0xedfb6
=> 0xedd78:     cmp    $0x25,%dl
=> 0xedd7b:     jne    0xede1b
=> 0xede1b:     mov    %ebx,%eax
=> 0xede1d:     call   0xec570
=> 0xec570:     mov    %eax,%ecx
=> 0xec572:     movsbl %dl,%edx
=> 0xec575:     call   *(%ecx)
=> 0xec565:     mov    %edx,%eax
=> 0xec567:     mov    0xf683c,%dx
=> 0xec56e:     out    %al,(%dx)
=> 0xec577:     ret
...

The part set apart in the middle, up to the "...", is the infinite loop. But if I press c (continue) at that point, A can still boot into the kernel, and I also tried breakpoints and it never reaches 0x7c00.

I found this: https://stackoverflow.com/questions/11408041/how-to-debug-the-linux-kernel-with-gdb-and-qemu/33203642#33203642, and changed window A to run directly:

/usr/libexec/qemu-kvm -drive file=obj/kern/kernel.img,index=0,media=disk,format=raw -serial mon:stdio -D qemu.log -S -s

This really just switches the gdb TCP port to 1234; then, following the Stack Overflow answer, connect from B to 1234:

target remote localhost:1234

In the end si still runs into the infinite loop... I also tried the -bios parameter, and it is indeed using seabios.bin.

I've run out of things to check, hoping someone knowledgeable can explain~
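A quick way to check what a repeating si trace actually is, as an added example that is not part of the original post, of the 6.828 course material, or of the V2EX thread: parse the gdb output, find the first address that is re-entered, confirm the instructions after it replay the earlier body, and then list which conditional branches in that body jump somewhere outside it. The sample input is an excerpt of the protected-mode trace quoted above, labelled as constructed input; the `je 0xedfb6` that follows `test %dl,%dl` is the one branch leaving the body, so what the trace shows is a loop whose exit depends on the byte being read, not an unconditional hang. The function names and the output format are this example's own.

```python
"""Find the repeating cycle in a gdb single-step (si) trace.

Added example for the post above; not code from the original thread or the
6.828 labs. SAMPLE_TRACE is a constructed excerpt of the trace quoted there.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Insn(NamedTuple):
    addr: int
    mnemonic: str
    operands: str


# gdb prints stepped instructions as "=> 0xfcfc9:     mov    $0x10,%ecx" in
# protected mode and "[f000:fff0]    0xffff0: ljmp ..." in real mode; both match.
LINE_RE = re.compile(
    r"^(?:=>\s*)?(?:\[[0-9a-f]+:[0-9a-f]+\]\s+)?0x([0-9a-f]+):\s+(\S+)\s*(.*)$"
)
# Direct branch target such as "0xedfb6" (indirect targets like *%edx are skipped).
TARGET_RE = re.compile(r"^0x([0-9a-f]+)$")

# Constructed sample: the loop body from the post's trace, then the start of
# its second pass, cut off with "..." exactly as the post's listing is.
SAMPLE_TRACE = """
=> 0xedd69:     mov    0x4(%esp),%esi
=> 0xedd6d:     movsbl (%esi),%edx
=> 0xedd70:     test   %dl,%dl
=> 0xedd72:     je     0xedfb6
=> 0xedd78:     cmp    $0x25,%dl
=> 0xedd7b:     jne    0xede1b
=> 0xede1b:     mov    %ebx,%eax
=> 0xede1d:     call   0xec570
=> 0xec570:     mov    %eax,%ecx
=> 0xec572:     movsbl %dl,%edx
=> 0xec575:     call   *(%ecx)
=> 0xec565:     mov    %edx,%eax
=> 0xec567:     mov    0xf683c,%dx
=> 0xec56e:     out    %al,(%dx)
=> 0xec577:     ret
=> 0xede22:     jmp    0xedfaa
=> 0xedfaa:     lea    0x1(%esi),%eax
=> 0xedfad:     mov    %eax,0x4(%esp)
=> 0xedfb1:     jmp    0xedd69
=> 0xedd69:     mov    0x4(%esp),%esi
=> 0xedd6d:     movsbl (%esi),%edx
=> 0xedd70:     test   %dl,%dl
=> 0xedd72:     je     0xedfb6
=> 0xedd78:     cmp    $0x25,%dl
=> 0xedd7b:     jne    0xede1b
...
"""


def parse_trace(text: str) -> List[Insn]:
    """Keep only lines that look like a stepped instruction; skip '...' and blanks."""
    insns: List[Insn] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            insns.append(Insn(int(m.group(1), 16), m.group(2), m.group(3).strip()))
    return insns


def find_cycle(insns: List[Insn]) -> Optional[Tuple[int, int]]:
    """Return (start, period): index of the first instruction whose address is
    re-entered later, and the number of instructions between the two visits.
    The trace after the revisit must replay the body as far as it was captured
    (the post's listing is truncated with '...', so a partial replay counts)."""
    addrs = [i.addr for i in insns]
    first_seen: Dict[int, int] = {}
    for idx, addr in enumerate(addrs):
        if addr in first_seen:
            start = first_seen[addr]
            period = idx - start
            captured = min(period, len(addrs) - idx)
            if addrs[start:start + captured] == addrs[idx:idx + captured]:
                return start, period
        first_seen.setdefault(addr, idx)
    return None


def describe_cycle(insns: List[Insn]) -> Dict[str, object]:
    """Summarize the loop body: its length, the port operands written with `out`,
    and the conditional branches whose target lies outside the body. A body
    with such an exit terminates when its data says so (here: a zero byte)."""
    found = find_cycle(insns)
    if found is None:
        return {"period": 0, "exits": [], "out_ports": [], "body": []}
    start, period = found
    body = insns[start:start + period]
    body_addrs = {i.addr for i in body}
    exits: List[int] = []
    for i in body:
        m = TARGET_RE.match(i.operands)
        if i.mnemonic.startswith("j") and i.mnemonic != "jmp" and m:
            target = int(m.group(1), 16)
            if target not in body_addrs:
                exits.append(target)
    out_ports = [i.operands.split(",")[-1] for i in body if i.mnemonic == "out"]
    return {"period": period, "exits": exits, "out_ports": out_ports,
            "body": [f"0x{i.addr:x}: {i.mnemonic} {i.operands}".rstrip() for i in body]}


if __name__ == "__main__":
    info = describe_cycle(parse_trace(SAMPLE_TRACE))
    print(f"loop of {info['period']} instructions, exits to "
          f"{[hex(t) for t in info['exits']]}, out ports {info['out_ports']}")
    for line in info["body"]:
        print("  " + line)
```

Paste the full trace from the gdb window in place of SAMPLE_TRACE to run it on a real session; the real-mode `[f000:xxxx]` lines are accepted too. Seeing an exit branch in the body tells you to set a breakpoint on its target (here the je target) and continue, rather than stepping through every pass of the loop.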