EIP register value goes over 100 bytes

Problem description

Hey, I am having a hard time solving my homework.

When the x86 processor executes commands, the EIP register (counter) value increases by 1 byte or by a few bytes depending on the command's type. Which instructions do we have to use so the EIP value may go over 100 bytes?

The answers are: JMP | ADD | SUB | PUSH | JNZ | MUL | CALL | JZ

As far as I know, EIP is a special-case register that we cannot use. It is called the Extended Instruction Pointer. In order to increase its value by more than 100 bytes, do we need to look up how much each command adds to the EIP value?

Recommended answer

Any of those instructions could #PF (page fault exception) on a memory operand (or other ways depending on the instruction) and change CS:EIP to a totally new value loaded from the IDT. e.g. push dword [0]. That would include changing EIP by more than 100 unless your current EIP is within 100 bytes of the page-fault exception handler's address.

Or if we're talking about where the exception handler returns, if your process had a signal handler installed for SIGSEGV, the kernel could deliver that signal, effectively changing EIP within your process to your segfault signal handler.

But I think the intent of the question is about changing EIP by a specific desired relative amount, e.g. to reach another block of code. (Also not changing CS, the code-segment, so you stay in user-mode if you were there to start with.) I.e. 100 bytes away from the current EIP. The phrasing is awkward and could be read as setting EIP to any absolute value > 100, but x86 branches are relative and the question makes more sense that way.

As @zx485 points out, you need a control transfer instruction, aka a jump or branch. 386 (i.e. any machine with an EIP not just 16-bit IP) supports jcc rel32 conditional near jump as well as the shorter jcc rel8 short jump, so conditional jumps can reach anywhere in the entire 32-bit address space, same as jmp rel32 and call rel32. https://www.felixcloutier.com/x86/jcc.

But even a jcc rel8 (like JZ or JNZ) or jmp rel8 encoding can reach from -128 to +127 bytes relative to the end of the instruction. (Signed 8-bit 2's complement branch displacement.)
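To make the rel8/rel32 reach described above concrete, here is an added example (not part of the original answer) that encodes a JZ at a given EIP as either the 2-byte short form or the 6-byte near form and computes the EIP the CPU ends up at; the function names are hypothetical, 32-bit mode is assumed, and the opcodes (0x74 for JZ rel8, 0x0F 0x84 for JZ rel32) are the documented Intel encodings.

```python
# Added example: choose between JZ rel8 (short) and JZ rel32 (near) for a
# target address and show that the displacement is measured from the END of
# the branch instruction, so a 2-byte short jump can still move EIP by well
# over 100 bytes (anything within -128..+127 of the instruction's end).
import struct

JZ_SHORT = bytes([0x74])        # JZ rel8  : 74 cb
JZ_NEAR = bytes([0x0F, 0x84])   # JZ rel32 : 0F 84 cd

def encode_jz(eip, target):
    """Return the encoding of a JZ located at `eip` that lands on `target`.

    The short form is used when the target is within the signed 8-bit range
    measured from the end of the 2-byte instruction; otherwise the near form
    (32-bit displacement, wrapping modulo 2**32) is emitted.
    """
    disp8 = target - (eip + len(JZ_SHORT) + 1)      # end of short insn
    if -128 <= disp8 <= 127:
        return JZ_SHORT + struct.pack("<b", disp8)
    disp32 = target - (eip + len(JZ_NEAR) + 4)      # end of near insn
    disp32 = (disp32 + 2**31) % 2**32 - 2**31       # normalise to signed 32-bit
    return JZ_NEAR + struct.pack("<i", disp32)

def next_eip(eip, insn, taken):
    """EIP after executing the JZ `insn` located at `eip`.

    Mirrors the CPU rule: EIP first advances past the instruction, then the
    sign-extended displacement is added only if the branch is taken.
    """
    end = eip + len(insn)
    if not taken:
        return end
    if insn[:1] == JZ_SHORT and len(insn) == 2:
        disp = struct.unpack("<b", insn[1:2])[0]
    elif insn[:2] == JZ_NEAR and len(insn) == 6:
        disp = struct.unpack("<i", insn[2:6])[0]
    else:
        raise ValueError("not a JZ encoding")
    return (end + disp) & 0xFFFFFFFF

if __name__ == "__main__":
    # Constructed addresses: a JZ at 0x1000 reaching 0x1070 (112 bytes away)
    # still fits the short form; 0x1100 needs the near form.
    for target in (0x1070, 0x1100, 0x0F90):
        insn = encode_jz(0x1000, target)
        print(hex(target), insn.hex(), hex(next_eip(0x1000, insn, True)))
```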
