逆向时如何找到main,如下:
1.readelf -h pstree
ELF Header:
Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: AArch64
Version: 0x1
Entry point address: 0x402ec0
Start of program headers: 64 (bytes into file)
Start of section headers: 182632 (bytes into file)
Flags: 0x0
Size of this header: 64 (bytes)
Size of program headers: 56 (bytes)
Number of program headers: 9
Size of section headers: 64 (bytes)
Number of section headers: 28
Section header string table index: 27
2.0x402ec0 代码
402ec0: d503201f nop
402ec4: d280001d mov x29, #0x0 // #0
402ec8: d280001e mov x30, #0x0 // #0
402ecc: aa0003e5 mov x5, x0
402ed0: f94003e1 ldr x1, [sp]
402ed4: 910023e2 add x2, sp, #0x8
402ed8: 910003e6 mov x6, sp
402edc: 90000000 adrp x0, 402000 <ferror@plt+0x120>
402ee0: 913bd000 add x0, x0, #0xef4
402ee4: d2800003 mov x3, #0x0 // #0
402ee8: d2800004 mov x4, #0x0 // #0
402eec: 97fffad5 bl 401a40 <__libc_start_main@plt>
402ef0: 97fffb78 bl 401cd0 <abort@plt>
402ef4: d503201f nop
402ef8: 17fffc02 b 401f00 <ferror@plt+0x20>
402efc: d503201f nop
402f00: d65f03c0 ret
3.main 地址
402ef8: 17fffc02 b 401f00 <ferror@plt+0x20>
4.401f00 代码
0000000000401f00 <.text>:
401f00: a9b97bfd stp x29, x30, [sp, #-112]!
401f04: d288fe0d mov x13, #0x47f0 // #18416
401f08: 900000c2 adrp x2, 419000 <ferror@plt+0x17120>
401f0c: 910003fd mov x29, sp
401f10: a90153f3 stp x19, x20, [sp, #16]
401f14: 912a0042 add x2, x2, #0xa80
401f18: d00001c3 adrp x3, 43b000 <ferror@plt+0x39120>
401f1c: a9025bf5 stp x21, x22, [sp, #32]
401f20: 91378063 add x3, x3, #0xde0
401f24: aa0103f4 mov x20, x1
401f28: a90363f7 stp x23, x24, [sp, #48]
401f2c: 91014041 add x1, x2, #0x50
5.动态调试确认
