栈粉碎原理分析
源代码如下
#include <stdio.h>

/*
 * Deliberately vulnerable callee that the rest of the write-up disassembles.
 * a, b: dummy arguments; gcc -O0 spills them to the frame (-0x14/-0x18(%rbp)
 *       in the first build, -0x24/-0x28(%rbp) once `ret` is uncommented).
 * gets() reads until newline with NO length bound, so any input longer than
 * 11 characters runs past buffer[12] into the saved %rbp and then into the
 * return address (in the first build the 12-byte buffer sits directly below
 * the saved %rbp: lea -0xc(%rbp)).  gets() was removed from C11 for exactly
 * this reason; it is kept here only because the overflow is the subject of
 * the exercise.
 */
void function(int a, int b) {
    char buffer[12];
    gets(buffer);
    /* When uncommented: treat buffer+28 as a pointer to the saved return
     * address (buffer at rbp-0x14, return address at rbp+0x8 => 0x1c = 28 in
     * this build) and advance it by 7 bytes, the encoded length of the
     * `movl $0x1,-0x4(%rbp)` that implements `x = 1;` in main.  Both
     * constants depend on this compiler/flag combination and must be re-read
     * from the disassembly for any other build. */
    //long* ret = (long *) ((long)buffer+28);
    //*ret = *ret + 7;
    return;
}

/* NOTE(review): `void main` is non-standard C; it is left as-is so the
 * disassembly below keeps matching.  x lives at -0x4(%rbp). */
void main() {
    int x;
    x = 0;
    function(1,2);
    x = 1;              /* the 7-byte store that the patched return address skips */
    printf("%d\n",x);
}
- 由解注释前的源代码生成二进制,分析其汇编程序,画出栈操作过程。
Makefile
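# Build the stack-smashing demo and dump its disassembly.
#   -O0                   keep the frame layout that the write-up's offsets rely on
#   -fno-stack-protector  no canary between buffer[] and the saved %rbp, so a
#                         gets() overflow reaches the return address directly
# The binary appears to be PIE (function is at 0x1169 in the dump), so run-time
# addresses differ from the listing; only the relative offsets matter here.
#
# Fixes vs. the original: the variable was spelled `cc` but never used (recipes
# ran the bare `cc` command), and `clean` used bare `rm *.s` / `rm *.o`, which
# fails when nothing matches and never removes the binary or the .asm dump.
CC = gcc
CFLAGS = -O0 -fno-stack-protector

.PHONY: all clean

all: stack_smashing stack_smashing.asm

stack_smashing: stack_smashing.o
	$(CC) -o stack_smashing stack_smashing.o

stack_smashing.o: stack_smashing.s
	$(CC) -c -o stack_smashing.o stack_smashing.s

stack_smashing.s: stack_smashing.c
	$(CC) -S $(CFLAGS) -o stack_smashing.s stack_smashing.c

stack_smashing.asm: stack_smashing
	objdump -d stack_smashing > stack_smashing.asm

clean:
	rm -f stack_smashing stack_smashing.o stack_smashing.s stack_smashing.asm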
由于 Makefile 已经定义了编译 stack_smashing.c 并生成反汇编的规则,直接执行下面的命令即可:
make
stack_smashing: 文件格式 elf64-x86-64Disassembly of section .init:0000000000001000 <_init>:1000: f3 0f 1e fa endbr64 1004: 48 83 ec 08 sub $0x8,%rsp1008: 48 8b 05 d9 2f 00 00 mov 0x2fd9(%rip),%rax # 3fe8 <__gmon_start__@Base>100f: 48 85 c0 test %rax,%rax1012: 74 02 je 1016 <_init+0x16>1014: ff d0 call *%rax1016: 48 83 c4 08 add $0x8,%rsp101a: c3 ret Disassembly of section .plt:0000000000001020 <.plt>:1020: ff 35 92 2f 00 00 push 0x2f92(%rip) # 3fb8 <_GLOBAL_OFFSET_TABLE_+0x8>1026: f2 ff 25 93 2f 00 00 bnd jmp *0x2f93(%rip) # 3fc0 <_GLOBAL_OFFSET_TABLE_+0x10>102d: 0f 1f 00 nopl (%rax)1030: f3 0f 1e fa endbr64 1034: 68 00 00 00 00 push $0x01039: f2 e9 e1 ff ff ff bnd jmp 1020 <_init+0x20>103f: 90 nop1040: f3 0f 1e fa endbr64 1044: 68 01 00 00 00 push $0x11049: f2 e9 d1 ff ff ff bnd jmp 1020 <_init+0x20>104f: 90 nopDisassembly of section .plt.got:0000000000001050 <__cxa_finalize@plt>:1050: f3 0f 1e fa endbr64 1054: f2 ff 25 9d 2f 00 00 bnd jmp *0x2f9d(%rip) # 3ff8 <__cxa_finalize@GLIBC_2.2.5>105b: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)Disassembly of section .plt.sec:0000000000001060 <printf@plt>:1060: f3 0f 1e fa endbr64 1064: f2 ff 25 5d 2f 00 00 bnd jmp *0x2f5d(%rip) # 3fc8 <printf@GLIBC_2.2.5>106b: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)0000000000001070 <gets@plt>:1070: f3 0f 1e fa endbr64 1074: f2 ff 25 55 2f 00 00 bnd jmp *0x2f55(%rip) # 3fd0 <gets@GLIBC_2.2.5>107b: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)Disassembly of section .text:0000000000001080 <_start>:1080: f3 0f 1e fa endbr64 1084: 31 ed xor %ebp,%ebp1086: 49 89 d1 mov %rdx,%r91089: 5e pop %rsi108a: 48 89 e2 mov %rsp,%rdx108d: 48 83 e4 f0 and $0xfffffffffffffff0,%rsp1091: 50 push %rax1092: 54 push %rsp1093: 45 31 c0 xor %r8d,%r8d1096: 31 c9 xor %ecx,%ecx1098: 48 8d 3d f0 00 00 00 lea 0xf0(%rip),%rdi # 118f <main>109f: ff 15 33 2f 00 00 call *0x2f33(%rip) # 3fd8 <__libc_start_main@GLIBC_2.34>10a5: f4 hlt 10a6: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)10ad: 00 00 00 00000000000010b0 <deregister_tm_clones>:10b0: 48 
8d 3d 59 2f 00 00 lea 0x2f59(%rip),%rdi # 4010 <__TMC_END__>10b7: 48 8d 05 52 2f 00 00 lea 0x2f52(%rip),%rax # 4010 <__TMC_END__>10be: 48 39 f8 cmp %rdi,%rax10c1: 74 15 je 10d8 <deregister_tm_clones+0x28>10c3: 48 8b 05 16 2f 00 00 mov 0x2f16(%rip),%rax # 3fe0 <_ITM_deregisterTMCloneTable@Base>10ca: 48 85 c0 test %rax,%rax10cd: 74 09 je 10d8 <deregister_tm_clones+0x28>10cf: ff e0 jmp *%rax10d1: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)10d8: c3 ret 10d9: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)00000000000010e0 <register_tm_clones>:10e0: 48 8d 3d 29 2f 00 00 lea 0x2f29(%rip),%rdi # 4010 <__TMC_END__>10e7: 48 8d 35 22 2f 00 00 lea 0x2f22(%rip),%rsi # 4010 <__TMC_END__>10ee: 48 29 fe sub %rdi,%rsi10f1: 48 89 f0 mov %rsi,%rax10f4: 48 c1 ee 3f shr $0x3f,%rsi10f8: 48 c1 f8 03 sar $0x3,%rax10fc: 48 01 c6 add %rax,%rsi10ff: 48 d1 fe sar %rsi1102: 74 14 je 1118 <register_tm_clones+0x38>1104: 48 8b 05 e5 2e 00 00 mov 0x2ee5(%rip),%rax # 3ff0 <_ITM_registerTMCloneTable@Base>110b: 48 85 c0 test %rax,%rax110e: 74 08 je 1118 <register_tm_clones+0x38>1110: ff e0 jmp *%rax1112: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)1118: c3 ret 1119: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)0000000000001120 <__do_global_dtors_aux>:1120: f3 0f 1e fa endbr64 1124: 80 3d e5 2e 00 00 00 cmpb $0x0,0x2ee5(%rip) # 4010 <__TMC_END__>112b: 75 2b jne 1158 <__do_global_dtors_aux+0x38>112d: 55 push %rbp112e: 48 83 3d c2 2e 00 00 cmpq $0x0,0x2ec2(%rip) # 3ff8 <__cxa_finalize@GLIBC_2.2.5>1135: 00 1136: 48 89 e5 mov %rsp,%rbp1139: 74 0c je 1147 <__do_global_dtors_aux+0x27>113b: 48 8b 3d c6 2e 00 00 mov 0x2ec6(%rip),%rdi # 4008 <__dso_handle>1142: e8 09 ff ff ff call 1050 <__cxa_finalize@plt>1147: e8 64 ff ff ff call 10b0 <deregister_tm_clones>114c: c6 05 bd 2e 00 00 01 movb $0x1,0x2ebd(%rip) # 4010 <__TMC_END__>1153: 5d pop %rbp1154: c3 ret 1155: 0f 1f 00 nopl (%rax)1158: c3 ret 1159: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)0000000000001160 <frame_dummy>:1160: f3 0f 1e fa endbr64 1164: e9 77 ff ff ff jmp 10e0 
<register_tm_clones>0000000000001169 <function>:1169: f3 0f 1e fa endbr64 116d: 55 push %rbp116e: 48 89 e5 mov %rsp,%rbp1171: 48 83 ec 20 sub $0x20,%rsp1175: 89 7d ec mov %edi,-0x14(%rbp)1178: 89 75 e8 mov %esi,-0x18(%rbp)117b: 48 8d 45 f4 lea -0xc(%rbp),%rax117f: 48 89 c7 mov %rax,%rdi1182: b8 00 00 00 00 mov $0x0,%eax1187: e8 e4 fe ff ff call 1070 <gets@plt>118c: 90 nop118d: c9 leave 118e: c3 ret 000000000000118f <main>:118f: f3 0f 1e fa endbr64 1193: 55 push %rbp1194: 48 89 e5 mov %rsp,%rbp1197: 48 83 ec 10 sub $0x10,%rsp119b: c7 45 fc 00 00 00 00 movl $0x0,-0x4(%rbp)11a2: be 02 00 00 00 mov $0x2,%esi11a7: bf 01 00 00 00 mov $0x1,%edi11ac: e8 b8 ff ff ff call 1169 <function>11b1: c7 45 fc 01 00 00 00 movl $0x1,-0x4(%rbp)11b8: 8b 45 fc mov -0x4(%rbp),%eax11bb: 89 c6 mov %eax,%esi11bd: 48 8d 05 40 0e 00 00 lea 0xe40(%rip),%rax # 2004 <_IO_stdin_used+0x4>11c4: 48 89 c7 mov %rax,%rdi11c7: b8 00 00 00 00 mov $0x0,%eax11cc: e8 8f fe ff ff call 1060 <printf@plt>11d1: 90 nop11d2: c9 leave 11d3: c3 ret Disassembly of section .fini:00000000000011d4 <_fini>:11d4: f3 0f 1e fa endbr64 11d8: 48 83 ec 08 sub $0x8,%rsp11dc: 48 83 c4 08 add $0x8,%rsp11e0: c3 ret
这个asm汇编程序的主要涉及到栈操作的为function
和main
函数
function函数(被调用者,先分析它)
0000000000001169 <function>:
1169: f3 0f 1e fa             endbr64                  # CET/IBT 间接分支落点标记(gcc 默认 -fcf-protection 生成),与栈对齐无关
116d: 55                      push   %rbp              # 保存调用者(main)的栈基指针,rsp 减 8
116e: 48 89 e5                mov    %rsp,%rbp         # 建立本函数的栈帧基址
1171: 48 83 ec 20             sub    $0x20,%rsp        # 为局部变量开辟 0x20 字节;进入时 rsp%16==8,push 后为 0,再减 0x20 仍为 0,满足 call 前 16 字节对齐的 ABI 要求
1175: 89 7d ec                mov    %edi,-0x14(%rbp)  # 形参 a 存入栈帧
1178: 89 75 e8                mov    %esi,-0x18(%rbp)  # 形参 b 存入栈帧
117b: 48 8d 45 f4             lea    -0xc(%rbp),%rax   # buffer[12] 占据 rbp-0xc ~ rbp-0x1,紧贴保存的 rbp;取其首地址
117f: 48 89 c7                mov    %rax,%rdi         # 第一个参数 rdi = buffer
1182: b8 00 00 00 00          mov    $0x0,%eax         # SysV ABI:al = 向量寄存器参数个数(0)。gcc -O0 在调用无原型/可变参数函数前都会生成,这里是为 gets 而不是 printf
1187: e8 e4 fe ff ff          call   1070 <gets@plt>   # gets 不限制长度:输入超过 12 字节即覆盖保存的 rbp(buffer+12),超过 20 字节即覆盖返回地址(buffer+20)
118c: 90                      nop                      # gcc -O0 为 return 语句生成的占位;函数长度 0x26 并不是 16 的倍数,所以不是对齐填充
118d: c9                      leave                    # 等价于 mov %rbp,%rsp; pop %rbp:释放栈帧并恢复 main 的 rbp
118e: c3                      ret                      # 弹出返回地址到 rip;若该栈槽已被 gets 溢出改写,控制流就转到攻击者选定的地址
000000000000118f <main>:
118f: f3 0f 1e fa             endbr64                  # CET/IBT 落点标记,与栈对齐无关
1193: 55                      push   %rbp              # 保存调用者的 rbp
1194: 48 89 e5                mov    %rsp,%rbp         # 建立 main 的栈帧
1197: 48 83 ec 10             sub    $0x10,%rsp        # 开辟 0x10 字节;只用到 -0x4(%rbp) 存 x,取 16 是为了保持 call 前的 16 字节对齐
119b: c7 45 fc 00 00 00 00    movl   $0x0,-0x4(%rbp)   # x = 0
11a2: be 02 00 00 00          mov    $0x2,%esi         # 第二个参数 b = 2
11a7: bf 01 00 00 00          mov    $0x1,%edi         # 第一个参数 a = 1
11ac: e8 b8 ff ff ff          call   1169 <function>   # 压入返回地址 0x11b1 后跳转到 function
11b1: c7 45 fc 01 00 00 00    movl   $0x1,-0x4(%rbp)   # x = 1。注意这条指令长 7 字节——解注释版本里的 "+7" 正是要整条跳过它
11b8: 8b 45 fc                mov    -0x4(%rbp),%eax   # 读出 x
11bb: 89 c6                   mov    %eax,%esi         # 第二个参数 esi = x
11bd: 48 8d 05 40 0e 00 00    lea    0xe40(%rip),%rax  # 2004 <_IO_stdin_used+0x4>:格式串 "%d\n" 的地址(rip 相对寻址,位置无关)
11c4: 48 89 c7                mov    %rax,%rdi         # 第一个参数 rdi = 格式串
11c7: b8 00 00 00 00          mov    $0x0,%eax         # printf 是可变参数函数,al = 0 表示没有向量寄存器参数
11cc: e8 8f fe ff ff          call   1060 <printf@plt> # printf("%d\n", x)
11d1: 90                      nop                      # gcc -O0 的占位指令,不是对齐填充
11d2: c9                      leave                    # mov %rbp,%rsp; pop %rbp
11d3: c3                      ret                      # 返回到调用 main 的 libc 代码
0x1193-0x1194 push %rbp
将栈顶指针向下移动 8 字节,并将rbp
中的值压入栈中。mov %rsp,%rbp
将rsp
的值复制到rbp
中,这样就建立了一个新的基址指针,用于指向当前函数的栈帧。
0x1197 sub $0x10,%rsp
将栈顶指针向下移动了0x10
个字节,给当前函数分配了16个字节的栈空间。本例中只有局部变量 x 使用了其中的 -0x4(%rbp);分配 16 而不是 4,是为了在后面的 call 之前保持 %rsp 的 16 字节对齐(SysV ABI 要求)。
0x119b movl $0x0,-0x4(%rbp)
将变量x初始化为 0
0x11a2-0x11a7 mov $0x2,%esi
和 mov $0x1,%edi
分别将值2和1存储到 %esi
和 %edi
中。
0x11ac call 1169 <function>
调用 function(1,2)。call 指令先把下一条指令的地址 0x11b1(即返回地址,也就是 ret 时要装回 %rip 的值)压入栈中,%rsp 向下移动 8 字节,然后跳转到 0x1169。这个栈槽正是后面 gets 溢出和解注释代码里的指针运算所针对的目标。
0x116d-0x116epush %rbp
将栈顶指针向下移动 8 字节,并将 %rbp
中的值压入栈中。 mov %rsp,%rbp
将 %rsp
的值复制到 %rbp
中,建立一个新的基址指针,用于指向当前函数的栈帧。
0x1171 sub $0x20,%rsp
将栈顶指针向下移动了0x20个字节,给当前函数分配了32个字节的栈空间。
0x1175-0x1178mov %edi,-0x14(%rbp)
和 mov %esi,-0x18(%rbp)
分别将 %edi
和 %esi
寄存器中的值存储到当前栈帧中的相对偏移量为 -0x14 和 -0x18 的位置中。这两个值分别是函数 function
的形参a,b
接下来调用 gets(buffer)
lea -0xc(%rbp),%rax
mov %rax,%rdi
mov $0x0,%eax
将 buffer 的地址(rbp-0xc)传给寄存器 rdi;mov $0x0,%eax 是按 SysV ABI 把 al 清零(没有向量寄存器参数)。注意 buffer 的 12 字节正好占据 rbp-0xc ~ rbp-0x1,其上方紧接着保存的 rbp(buffer+12)和返回地址(buffer+20);gets 不做任何长度检查,所以这里就是整个实验的溢出点。
call 1070 <gets@plt>
调用 gets(buffer)
nop; leave; ret
返回到 ret_function(0x11b1) 中
movl $0x1,-0x4(%rbp) # 将0x1赋给局部变量-0x4(%rbp)
将 x 设为 1
接下来调用 printf("%d\n", x)
mov -0x4(%rbp),%eax
将局部变量-0x4(%rbp)的值赋给eax寄存
mov %eax,%esi
将eax寄存器的值赋给esi寄存器,将 x 值传给寄存器 esi
lea 0xe40(%rip),%rax
将字符串的地址赋给rax寄存器
mov %rax,%rdi
mov $0x0,%eax
将 “%d\n” 字符串地址传给寄存器 rdi
call 1060 <printf@plt>
调用 printf(“%d\n”, x)
nop; leave; ret
- 将源代码中的语句解注释,再生成二进制,分析其汇编程序,画出栈操作过程。
将源代码解注释的汇编代码
stack_smashing: 文件格式 elf64-x86-64Disassembly of section .init:0000000000001000 <_init>:1000: f3 0f 1e fa endbr64 1004: 48 83 ec 08 sub $0x8,%rsp1008: 48 8b 05 d9 2f 00 00 mov 0x2fd9(%rip),%rax # 3fe8 <__gmon_start__@Base>100f: 48 85 c0 test %rax,%rax1012: 74 02 je 1016 <_init+0x16>1014: ff d0 call *%rax1016: 48 83 c4 08 add $0x8,%rsp101a: c3 ret Disassembly of section .plt:0000000000001020 <.plt>:1020: ff 35 92 2f 00 00 push 0x2f92(%rip) # 3fb8 <_GLOBAL_OFFSET_TABLE_+0x8>1026: f2 ff 25 93 2f 00 00 bnd jmp *0x2f93(%rip) # 3fc0 <_GLOBAL_OFFSET_TABLE_+0x10>102d: 0f 1f 00 nopl (%rax)1030: f3 0f 1e fa endbr64 1034: 68 00 00 00 00 push $0x01039: f2 e9 e1 ff ff ff bnd jmp 1020 <_init+0x20>103f: 90 nop1040: f3 0f 1e fa endbr64 1044: 68 01 00 00 00 push $0x11049: f2 e9 d1 ff ff ff bnd jmp 1020 <_init+0x20>104f: 90 nopDisassembly of section .plt.got:0000000000001050 <__cxa_finalize@plt>:1050: f3 0f 1e fa endbr64 1054: f2 ff 25 9d 2f 00 00 bnd jmp *0x2f9d(%rip) # 3ff8 <__cxa_finalize@GLIBC_2.2.5>105b: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)Disassembly of section .plt.sec:0000000000001060 <printf@plt>:1060: f3 0f 1e fa endbr64 1064: f2 ff 25 5d 2f 00 00 bnd jmp *0x2f5d(%rip) # 3fc8 <printf@GLIBC_2.2.5>106b: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)0000000000001070 <gets@plt>:1070: f3 0f 1e fa endbr64 1074: f2 ff 25 55 2f 00 00 bnd jmp *0x2f55(%rip) # 3fd0 <gets@GLIBC_2.2.5>107b: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)Disassembly of section .text:0000000000001080 <_start>:1080: f3 0f 1e fa endbr64 1084: 31 ed xor %ebp,%ebp1086: 49 89 d1 mov %rdx,%r91089: 5e pop %rsi108a: 48 89 e2 mov %rsp,%rdx108d: 48 83 e4 f0 and $0xfffffffffffffff0,%rsp1091: 50 push %rax1092: 54 push %rsp1093: 45 31 c0 xor %r8d,%r8d1096: 31 c9 xor %ecx,%ecx1098: 48 8d 3d 0e 01 00 00 lea 0x10e(%rip),%rdi # 11ad <main>109f: ff 15 33 2f 00 00 call *0x2f33(%rip) # 3fd8 <__libc_start_main@GLIBC_2.34>10a5: f4 hlt 10a6: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)10ad: 00 00 00 00000000000010b0 <deregister_tm_clones>:10b0: 48 
8d 3d 59 2f 00 00 lea 0x2f59(%rip),%rdi # 4010 <__TMC_END__>10b7: 48 8d 05 52 2f 00 00 lea 0x2f52(%rip),%rax # 4010 <__TMC_END__>10be: 48 39 f8 cmp %rdi,%rax10c1: 74 15 je 10d8 <deregister_tm_clones+0x28>10c3: 48 8b 05 16 2f 00 00 mov 0x2f16(%rip),%rax # 3fe0 <_ITM_deregisterTMCloneTable@Base>10ca: 48 85 c0 test %rax,%rax10cd: 74 09 je 10d8 <deregister_tm_clones+0x28>10cf: ff e0 jmp *%rax10d1: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)10d8: c3 ret 10d9: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)00000000000010e0 <register_tm_clones>:10e0: 48 8d 3d 29 2f 00 00 lea 0x2f29(%rip),%rdi # 4010 <__TMC_END__>10e7: 48 8d 35 22 2f 00 00 lea 0x2f22(%rip),%rsi # 4010 <__TMC_END__>10ee: 48 29 fe sub %rdi,%rsi10f1: 48 89 f0 mov %rsi,%rax10f4: 48 c1 ee 3f shr $0x3f,%rsi10f8: 48 c1 f8 03 sar $0x3,%rax10fc: 48 01 c6 add %rax,%rsi10ff: 48 d1 fe sar %rsi1102: 74 14 je 1118 <register_tm_clones+0x38>1104: 48 8b 05 e5 2e 00 00 mov 0x2ee5(%rip),%rax # 3ff0 <_ITM_registerTMCloneTable@Base>110b: 48 85 c0 test %rax,%rax110e: 74 08 je 1118 <register_tm_clones+0x38>1110: ff e0 jmp *%rax1112: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)1118: c3 ret 1119: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)0000000000001120 <__do_global_dtors_aux>:1120: f3 0f 1e fa endbr64 1124: 80 3d e5 2e 00 00 00 cmpb $0x0,0x2ee5(%rip) # 4010 <__TMC_END__>112b: 75 2b jne 1158 <__do_global_dtors_aux+0x38>112d: 55 push %rbp112e: 48 83 3d c2 2e 00 00 cmpq $0x0,0x2ec2(%rip) # 3ff8 <__cxa_finalize@GLIBC_2.2.5>1135: 00 1136: 48 89 e5 mov %rsp,%rbp1139: 74 0c je 1147 <__do_global_dtors_aux+0x27>113b: 48 8b 3d c6 2e 00 00 mov 0x2ec6(%rip),%rdi # 4008 <__dso_handle>1142: e8 09 ff ff ff call 1050 <__cxa_finalize@plt>1147: e8 64 ff ff ff call 10b0 <deregister_tm_clones>114c: c6 05 bd 2e 00 00 01 movb $0x1,0x2ebd(%rip) # 4010 <__TMC_END__>1153: 5d pop %rbp1154: c3 ret 1155: 0f 1f 00 nopl (%rax)1158: c3 ret 1159: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)0000000000001160 <frame_dummy>:1160: f3 0f 1e fa endbr64 1164: e9 77 ff ff ff jmp 10e0 
<register_tm_clones>0000000000001169 <function>:1169: f3 0f 1e fa endbr64 116d: 55 push %rbp116e: 48 89 e5 mov %rsp,%rbp1171: 48 83 ec 30 sub $0x30,%rsp1175: 89 7d dc mov %edi,-0x24(%rbp)1178: 89 75 d8 mov %esi,-0x28(%rbp)117b: 48 8d 45 ec lea -0x14(%rbp),%rax117f: 48 89 c7 mov %rax,%rdi1182: b8 00 00 00 00 mov $0x0,%eax1187: e8 e4 fe ff ff call 1070 <gets@plt>118c: 48 8d 45 ec lea -0x14(%rbp),%rax1190: 48 83 c0 1c add $0x1c,%rax1194: 48 89 45 f8 mov %rax,-0x8(%rbp)1198: 48 8b 45 f8 mov -0x8(%rbp),%rax119c: 48 8b 00 mov (%rax),%rax119f: 48 8d 50 07 lea 0x7(%rax),%rdx11a3: 48 8b 45 f8 mov -0x8(%rbp),%rax11a7: 48 89 10 mov %rdx,(%rax)11aa: 90 nop11ab: c9 leave 11ac: c3 ret 00000000000011ad <main>:11ad: f3 0f 1e fa endbr64 11b1: 55 push %rbp11b2: 48 89 e5 mov %rsp,%rbp11b5: 48 83 ec 10 sub $0x10,%rsp11b9: c7 45 fc 00 00 00 00 movl $0x0,-0x4(%rbp)11c0: be 02 00 00 00 mov $0x2,%esi11c5: bf 01 00 00 00 mov $0x1,%edi11ca: e8 9a ff ff ff call 1169 <function>11cf: c7 45 fc 01 00 00 00 movl $0x1,-0x4(%rbp)11d6: 8b 45 fc mov -0x4(%rbp),%eax11d9: 89 c6 mov %eax,%esi11db: 48 8d 05 22 0e 00 00 lea 0xe22(%rip),%rax # 2004 <_IO_stdin_used+0x4>11e2: 48 89 c7 mov %rax,%rdi11e5: b8 00 00 00 00 mov $0x0,%eax11ea: e8 71 fe ff ff call 1060 <printf@plt>11ef: 90 nop11f0: c9 leave 11f1: c3 ret Disassembly of section .fini:00000000000011f4 <_fini>:11f4: f3 0f 1e fa endbr64 11f8: 48 83 ec 08 sub $0x8,%rsp11fc: 48 83 c4 08 add $0x8,%rsp1200: c3 ret
这个asm汇编程序的同样主要涉及到栈操作的为function
和main
函数,这里就不再重复上述的注释过程
main
函数的栈帧变化与上面的相同
lea -0x14(%rbp),%rax
mov %rax,%rdi
mov $0x0,%eax
将 buffer 地址传给寄存器 rdi。注意这次编译中 buffer 位于 rbp-0x14(而不是第一次的 rbp-0xc),因为新增的局部变量 ret 占用了 rbp-0x8,它正好夹在 buffer 和保存的 rbp 之间。
call 1070 <gets@plt>
调用 gets(buffer)
gets
函数结束时
那么我们来分析解注释及在调用gets
函数后的变化
lea -0x14(%rbp),%rax
计算 %rbp 下方 20 字节处的地址(即 buffer 的首地址),并将其存储到 %rax 中。
add $0x1c,%rax
指令将 %rax 中的值加上 0x1c(28),即执行 (long *) ((long)buffer+28)。由于 buffer 位于 rbp-0x14,而 -0x14 + 0x1c = +0x8,此时 %rax(注意是 rax,不是 rsp)指向 rbp+8,也就是保存 function 返回地址 ret_function 的那个栈槽。
mov %rax,-0x8(%rbp)
将%rax
的值存储到距离当前%rbp
8个字节的位置,即将ret_function的地址传给ret
mov -0x8(%rbp),%rax
将ret值传给rax
mov (%rax),%rax
读出 %rax 所指栈槽的内容,即原始返回地址 0x11cf(*ret)
lea 0x7(%rax),%rdx
用 lea 做加法(不访问内存):rdx = 0x11cf + 7 = 0x11d6
mov -0x8(%rbp),%rax
将ret值传给rax
mov %rdx,(%rax)
把 0x11d6 写回返回地址所在栈槽,完成对 ret_function 的篡改(*ret = *ret + 7)
nop; leave; ret
leave 恢复 main 的 rbp,ret 弹出的是已被改写的返回地址,于是跳到 0x11d6 而不是原来的 0x11cf。
因此 0x11cf 处长度为 7 字节的 movl $0x1,-0x4(%rbp)(即 x = 1)被整条跳过,main 直接从 0x11d6 的 mov -0x4(%rbp),%eax 继续执行,x 仍为 0。
因此最终程序会输出 0。
- 思考注释的源码语句,在你的系统环境和编译器设置下,是否偏移量28和7能够实现跳过main函数中“x=1;”语句的功能?如果不能,在你的系统/编译器设置下,这两个偏移量应设置为多少?
根据上述分析和测试结果,能。在本环境(x86-64,gcc -O0 -fno-stack-protector)下:buffer 位于 rbp-0x14,返回地址位于 rbp+0x8,相差 0x1c = 28;被跳过的 movl $0x1,-0x4(%rbp) 机器码为 c7 45 fc 01 00 00 00,长 7 字节,所以 +7 恰好落在下一条指令的边界上。但这两个数值完全取决于编译器的栈帧布局和指令编码:对比两次编译可以看到,仅仅解注释两行代码就让 buffer 从 rbp-0xc 移到了 rbp-0x14;如果打开栈保护(canary 通常会插在 buffer 与保存的 rbp 之间)、换用其他优化级别或其他 gcc 版本,28 和 7 都需要重新从 objdump 输出中读取,否则 ret 可能跳到指令中间而崩溃。
- 解释被注释的源码语句,是如何在源码层面实现修改返回指令指针的?
mov (%rax),%rax 读出原始返回地址 0x11cf 到 %rax
lea 0x7(%rax),%rdx 计算 0x11cf + 7 = 0x11d6 并存入 %rdx
mov -0x8(%rbp),%rax 将 ret 的值(返回地址栈槽的地址)传给 rax
mov %rdx,(%rax) 把 0x11d6 写回返回地址栈槽,完成对 ret_function 的篡改
nop; leave; ret
leave 恢复 main 的 rbp,ret 弹出的是已被改写的返回地址,于是跳到 0x11d6 而不是原来的 0x11cf。
因此 0x11cf 处长度为 7 字节的 movl $0x1,-0x4(%rbp)(即 x = 1)被整条跳过,main 直接从 0x11d6 的 mov -0x4(%rbp),%eax 继续执行,x 仍为 0。
因此最终程序会输出 0。
- 思考注释的源码语句,在你的系统环境和编译器设置下,是否偏移量28和7能够实现跳过main函数中“x=1;”语句的功能?如果不能,在你的系统/编译器设置下,这两个偏移量应设置为多少?
根据上述分析和测试结果,能。buffer 位于 rbp-0x14,返回地址位于 rbp+0x8,相差 0x1c = 28;movl $0x1,-0x4(%rbp) 的机器码长 7 字节。这两个数值依赖于本环境的栈帧布局和指令编码,在其他编译器版本、优化级别或开启栈保护的情况下都必须重新从反汇编中读取。
- 解释被注释的源码语句,是如何在源码层面实现修改返回指令指针的?
根据 function 函数栈帧的排列分布,该代码先取局部数组 buffer 的地址,再加上 28(0x1c),得到的正是 function 返回地址所在的栈槽(rbp+8);把该槽中的值加上 7(0x7)后,函数返回 main 时 ret 装入 rip 的就是 0x11d6,于是跳过了 x = 1 对应的那条 7 字节指令。从源码层面看,这是对一个栈上局部变量做越界指针运算并写入本属于调用约定的返回地址槽——在 C 标准中属于未定义行为,它之所以"有效",只是因为 gcc -O0 恰好把 buffer 放在了返回地址下方 28 字节处;它和 gets 溢出利用的是同一个栈槽,区别仅在于一个由程序自己写、一个由输入写。