I have a C file (no source code) which I've decompiled; it reads two files and compares whether they have the same content. I want to read the values for data2 in gdb. I've tried
(gdb)x/s 0x08048591
0x8048591 <main+52>: "\215E\327\211\004$\350t\376\377\377\211E\370\203", <incomplete sequence \370>
For context:
int main(int argc, char ** argv) {
struct _IO_FILE * stream = popen("/bin/cat ~/.flag", "r"); // 0x8048572
int32_t data;
if (fread((char *)&data, 1, 32, stream) == 0) {
// 0x80485a5
perror("fread");
// branch -> 0x8048682
// 0x8048682
return 1;
}
struct _IO_FILE * file = fopen("/var/level01/.flag", "r"); // 0x80485d5
int32_t result; // 0x8048591_06
int32_t data2;
if (fread((char *)&data2, 1, 32, file) == 0) {
// 0x8048608
perror("fread");
result = 1;
// branch -> 0x8048682
} else {
// 0x804861b
if (strcmp((char *)&data, (char *)&data2) == 0) {
// 0x804863c
execl("/bin/sh", "/bin/sh");
// branch -> 0x8048658
}
// 0x8048658
fwrite("Wrong password!\n", 1, 16, g1);
result = 0;
// branch -> 0x8048682
}
// 0x8048682
return result;
}
I'm not entirely sure where to read and how to output this in gdb, any insight is appreciated.
Edit:
0x0804855d <+0>: push %ebp
0x0804855e <+1>: mov %esp,%ebp
0x08048560 <+3>: sub $0x5c,%esp
0x08048563 <+6>: movl $0x8048720,0x4(%esp)
0x0804856b <+14>: movl $0x8048722,(%esp)
0x08048572 <+21>: call 0x80483e0 <popen@plt>
0x08048577 <+26>: mov %eax,-0x4(%ebp)
0x0804857a <+29>: mov -0x4(%ebp),%eax
0x0804857d <+32>: mov %eax,0xc(%esp)
0x08048581 <+36>: movl $0x20,0x8(%esp)
0x08048589 <+44>: movl $0x1,0x4(%esp)
0x08048591 <+52>: lea -0x29(%ebp),%eax
0x08048594 <+55>: mov %eax,(%esp)
0x08048597 <+58>: call 0x8048410 <fread@plt>
0x0804859c <+63>: mov %eax,-0x8(%ebp)
0x0804859f <+66>: cmpl $0x0,-0x8(%ebp)
0x080485a3 <+70>: jne 0x80485bb <main+94>
0x080485a5 <+72>: movl $0x8048735,(%esp)
0x080485ac <+79>: call 0x80483f0 <perror@plt>
0x080485b1 <+84>: mov $0x1,%eax
0x080485b6 <+89>: jmp 0x8048682 <main+293>
0x080485bb <+94>: lea -0x29(%ebp),%edx
0x080485be <+97>: mov -0x8(%ebp),%eax
0x080485c1 <+100>: add %edx,%eax
0x080485c3 <+102>: movb $0x0,(%eax)
0x080485c6 <+105>: movl $0x8048720,0x4(%esp)
0x080485ce <+113>: movl $0x804873b,(%esp)
0x080485d5 <+120>: call 0x8048440 <fopen@plt>
0x080485da <+125>: mov %eax,-0x4(%ebp)
0x080485dd <+128>: mov -0x4(%ebp),%eax
0x080485e0 <+131>: mov %eax,0xc(%esp)
0x080485e4 <+135>: movl $0x20,0x8(%esp)
0x080485ec <+143>: movl $0x1,0x4(%esp)
0x080485f4 <+151>: lea -0x4a(%ebp),%eax
0x080485f7 <+154>: mov %eax,(%esp)
0x080485fa <+157>: call 0x8048410 <fread@plt>
0x080485ff <+162>: mov %eax,-0x8(%ebp)
0x08048602 <+165>: cmpl $0x0,-0x8(%ebp)
0x08048606 <+169>: jne 0x804861b <main+190>
0x08048608 <+171>: movl $0x8048735,(%esp)
0x0804860f <+178>: call 0x80483f0 <perror@plt>
0x08048614 <+183>: mov $0x1,%eax
0x08048619 <+188>: jmp 0x8048682 <main+293>
0x0804861b <+190>: lea -0x4a(%ebp),%edx
0x0804861e <+193>: mov -0x8(%ebp),%eax
0x08048621 <+196>: add %edx,%eax
0x08048623 <+198>: movb $0x0,(%eax)
0x08048626 <+201>: lea -0x4a(%ebp),%eax
0x08048629 <+204>: mov %eax,0x4(%esp)
0x0804862d <+208>: lea -0x29(%ebp),%eax
0x08048630 <+211>: mov %eax,(%esp)
0x08048633 <+214>: call 0x80483d0 <strcmp@plt>
0x08048638 <+219>: test %eax,%eax
0x0804863a <+221>: jne 0x8048658 <main+251>
0x0804863c <+223>: movl $0x0,0x8(%esp)
0x08048644 <+231>: movl $0x8048759,0x4(%esp)
0x0804864c <+239>: movl $0x8048759,(%esp)
0x08048653 <+246>: call 0x8048450 <execl@plt>
0x08048658 <+251>: mov 0x8049980,%eax
0x0804865d <+256>: mov %eax,0xc(%esp)
0x08048661 <+260>: movl $0x10,0x8(%esp)
0x08048669 <+268>: movl $0x1,0x4(%esp)
0x08048671 <+276>: movl $0x8048761,(%esp)
0x08048678 <+283>: call 0x8048400 <fwrite@plt>
0x0804867d <+288>: mov $0x0,%eax
0x08048682 <+293>: leave
0x08048683 <+294>: ret
End of assembler dump.
I've decompiled,
It is very likely that you made a mistake. If this was correct decompilation:
int32_t data;
if (fread((char *)&data, 1, 32, stream) == 0) {
then the program would be "guilty" of stack overflow (fread tries to read 32 bytes, but you've only provided space for 32 bits (i.e. only 4 bytes)).
More likely the correct decompilation is something like:
char data[32];
if (fread(data, 1, 32, stream) == 0) {
I want to read the values for data2, in gdb, I've tried
(gdb)x/s 0x08048591
As GDB shows you, the address 0x08048591 is inside main and is part of program code.
You want to examine data (or stack) of the program, and for that you need to use x/s on the correct address.
Unfortunately you didn't provide the actual assembly of the program, so we can't tell you what that correct address should be.
Update:
The disassembly for the second fread is:
0x080485f4 <+151>: lea -0x4a(%ebp),%eax
0x080485f7 <+154>: mov %eax,(%esp)
0x080485fa <+157>: call 0x8048410 <fread@plt>
This tells us that the data is in fact on the stack, and to look at the data one would use:
x/s $ebp-0x4a
while stopped at the instruction at 0x08048602 (i.e. after fread has returned).
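The following gdb command file is an added worked example, not part of the question or the answer above. It turns the answer's advice into a repeatable session against the disassembly the asker posted. It assumes the binary is saved as ./level01 (a hypothetical name) and the command file as examine_data2.gdb (also hypothetical), and that a readable ~/.flag exists: per the posted code, if popen("/bin/cat ~/.flag") yields no bytes the first fread returns 0 and main returns 1 before the second fread ever runs. The addresses are the fixed ones from the posted disassembly, which is why a non-PIE layout is assumed.

```gdb
# Added example (not from the original post): examine data and data2 on the stack.
# Assumptions: binary at ./level01, readable ~/.flag, non-PIE addresses as posted.
# Run with:  gdb -q -batch -x examine_data2.gdb ./level01

# 1. Stop right after the second fread() has returned (the cmpl at main+165).
#    At this point %eax still holds fread's return value.
break *0x08048602
commands
  silent
  printf "second fread() returned %d bytes\n", $eax
  # data2 lives at -0x4a(%ebp). Its NUL terminator is only written later
  # (movb $0x0 at main+198), so dump raw bytes here instead of trusting x/s,
  # which could run past the buffer into data at -0x29(%ebp).
  x/32xb $ebp-0x4a
  continue
end

# 2. Stop just before the strcmp() call (main+214): both buffers have been
#    NUL-terminated by now, so x/s is safe.
break *0x08048633
commands
  silent
  printf "data  (from ~/.flag, at $ebp-0x29):\n"
  x/s $ebp-0x29
  printf "data2 (from /var/level01/.flag, at $ebp-0x4a):\n"
  x/s $ebp-0x4a
  # Cross-check: the same two pointers exactly as strcmp() receives them,
  # read from the outgoing argument slots at (%esp) and 4(%esp).
  x/s *(char **)($esp)
  x/s *(char **)($esp + 4)
  continue
end

run
```

The two stops are deliberate: at main+165 the buffer is only as valid as the byte count fread returned, so the raw dump with x/32xb is the honest view, while at main+214 the program has placed the terminator itself and x/s shows precisely the strings strcmp will compare. If the first fread fails (no ~/.flag), neither breakpoint is reached and gdb just reports the perror output and exit status 1.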