What does this instruction do?:- mov %gs:0x14,%eax

Problem description

My hello & regards to all. I have a C program, basically wrote for testing Buffer overflow.

    #include <stdio.h>

    void display()
    {
            char buff[8];
            gets(buff);     /* unbounded read into an 8-byte buffer: the overflow under test */
            puts(buff);
    }

    int main()
    {
        display();
        return(0);
    }

Now I disassemble the display and main sections of it using GDB. The code:-

Dump of assembler code for function main:

    0x080484ae <+0>:    push   %ebp        # saving ebp to stack
    0x080484af <+1>:    mov    %esp,%ebp   # saving esp in ebp
    0x080484b1 <+3>:    call   0x8048474 <display>   # calling display function
    0x080484b6 <+8>:    mov    $0x0,%eax   # move 0 into eax , but WHY ????
    0x080484bb <+13>:   pop    %ebp        # remove ebp from stack
    0x080484bc <+14>:   ret                # return

End of assembler dump.

Dump of assembler code for function display:

    0x08048474 <+0>:    push   %ebp          # saves ebp to stack
    0x08048475 <+1>:    mov    %esp,%ebp     # saves esp to ebp
    0x08048477 <+3>:    sub    $0x10,%esp    # making 16 bytes space in stack
    0x0804847a <+6>:    mov    %gs:0x14,%eax  # what does it mean ????
    0x08048480 <+12>:   mov    %eax,-0x4(%ebp) # move eax contents to 4 bytes lower in stack
    0x08048483 <+15>:   xor    %eax,%eax       # xor eax with itself (but WHY??)
    0x08048485 <+17>:   lea    -0xc(%ebp),%eax  # Load effective address of 12 bytes lower placed value ( WHY???? )
    0x08048488 <+20>:   mov    %eax,(%esp)      # make esp point to the address inside of eax
    0x0804848b <+23>:   call   0x8048374 <gets@plt>  # calling get, what is "@plt" ????
    0x08048490 <+28>:   lea    -0xc(%ebp),%eax       # LEA of 12 bytes lower to eax
    0x08048493 <+31>:   mov    %eax,(%esp)         # make esp point to eax contained address
    0x08048496 <+34>:   call   0x80483a4 <puts@plt>  # again what is "@plt" ????
    0x0804849b <+39>:   mov    -0x4(%ebp),%eax    # move (ebp - 4) location's contents to eax
    0x0804849e <+42>:   xor    %gs:0x14,%eax         # again what is this ????
    0x080484a5 <+49>:   je     0x80484ac <display+56> # Not known to me
    0x080484a7 <+51>:   call   0x8048394 <__stack_chk_fail@plt>  # not known to me
    0x080484ac <+56>:   leave                        # a new instruction, not known to me
    0x080484ad <+57>:   ret                          # return to MAIN's next instruction

End of assembler dump.

So folks, you should consider this my homework. The rest of the code is known to me, except a few lines. I have included a big "WHY ????" and some more questions in the comments ahead of each line. The first hurdle for me is the "mov %gs:0x14,%eax" instruction; I can't make a flow chart after this instruction. Somebody please explain to me what these few instructions are meant for and what they are doing in the program? Thanks...

Recommended answer

0x080484b6 <+8>:    mov    $0x0,%eax   # move 0 into eax , but WHY ????

Don't you have this?:

return(0);

They are probably related. :)

0x0804847a <+6>:    mov    %gs:0x14,%eax  # what does it mean ????

It means reading 4 bytes into eax from memory at address gs:0x14. gs is a segment register. Most likely thread-local storage (AKA TLS) is referenced through this register.

0x08048483 <+15>:   xor    %eax,%eax       # xor eax with itself (but WHY??)

Don't know. Could be optimization-related.

0x08048485 <+17>:   lea    -0xc(%ebp),%eax  #Load effective address of 12 bytes lower placed value ( WHY???? )

It makes eax point to a local variable that lives on the stack. sub $0x10,%esp allocated some space for them.

0x08048488 <+20>:   mov    %eax,(%esp)      #make esp point to the address inside of eax

Wrong. It writes eax to the stack, to the stack top. It will be passed as an on-stack argument to the called function:

0x0804848b <+23>:   call   0x8048374 <gets@plt>  # calling get, what is "@plt" ????

I don't know. Could be some name mangling.

By now you should've guessed what local variable that was. buff, what else could it be?

0x080484ac <+56>:   leave                        # a new instruction, not known to me

Why don't you look it up in the CPU manual?

Now, I can probably explain to you the gs/TLS thing...

0x08048474 <+0>:    push   %ebp          #saves ebp to stack        
0x08048475 <+1>:    mov    %esp,%ebp     # saves esp to ebp
0x08048477 <+3>:    sub    $0x10,%esp    # making 16 bytes space in stack
0x0804847a <+6>:    mov    %gs:0x14,%eax  # what does it mean ????
0x08048480 <+12>:   mov    %eax,-0x4(%ebp) # move eax contents to 4 bytes lower in stack
...
0x0804849b <+39>:   mov    -0x4(%ebp),%eax    # move (ebp - 4) location's contents to eax
0x0804849e <+42>:   xor    %gs:0x14,%eax         # # again what is this ????
0x080484a5 <+49>:   je     0x80484ac <display+56> # Not known to me
0x080484a7 <+51>:   call   0x8048394 <__stack_chk_fail@plt>  # not known to me
0x080484ac <+56>

So, this code takes a value from the TLS (at gs:0x14) and stores it right below the saved ebp value (at ebp-4). Then there's your stuff with get() and put(). Then this code checks whether the copy of the value from the TLS is unchanged. xor %gs:0x14,%eax does the compare.

If XORed values are the same, the result of the XOR is 0 and flags.zf is 1. Else, the result isn't 0 and flags.zf is 0.

je 0x80484ac <display+56> checks flags.zf and skips call 0x8048394 <__stack_chk_fail@plt> if flags.zf = 1. IOW, this call is skipped if the copy of the value from the TLS is unchanged.

What is that all about? That's a way to try to catch a buffer overflow. If you write beyond the end of the buffer, you will overwrite that value copied from the TLS to the stack.

Why do we take this value from the TLS, why not just a constant, hard-coded value? We probably want to use different, non-hard-coded values to catch overflows more often (and so the value in the TLS will change from a run to another run of your program and it will be different in different threads of your program). That also lowers chances of successfully exploiting the buffer overflow by an attacker if the value is chosen randomly each time your program runs.

Finally, if the copy of the value is found to have been overwritten due to a buffer overflow, call 0x8048394 <__stack_chk_fail@plt> will call a special function dedicated to doing whatever's necessary, e.g. reporting a problem and terminating the program.
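The guard check the answer walks through, written out as an added C model (not code from the original question or answer): it lays out display()'s frame the way the disassembly shows it (buff at -0xc(%ebp) directly below the guard copy at -0x4(%ebp)), uses a constructed guard value in place of the random one glibc keeps at %gs:0x14, feeds it an input of n bytes the way gets() would, and returns whether the epilogue's xor compare would pass or __stack_chk_fail would be called. The constructed guard keeps glibc's convention of a zero lowest byte, so the program also shows the one case the check does not catch: an 8-character line whose terminating NUL is the only byte that spills over.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the per-thread guard glibc keeps at %gs:0x14 on i386.
 * The real value is random per run; like glibc's, its lowest byte is 0 so that
 * C string routines stop at it. */
static __thread uint32_t tls_guard = 0xC0FFEE00u;

enum { BUFF_SIZE = 8, FRAME_SIZE = BUFF_SIZE + (int)sizeof(uint32_t) };

/* Model of display()'s frame. Returns 1 if the epilogue check would pass,
 * 0 if __stack_chk_fail would be called. Assumes little-endian (x86) byte order. */
int simulate_display(const unsigned char *input, size_t n)
{
    unsigned char frame[FRAME_SIZE];          /* [0..7] buff, [8..11] guard slot */
    uint32_t saved;

    if (n > FRAME_SIZE)                       /* keep the model itself in bounds */
        n = FRAME_SIZE;

    /* Prologue: mov %gs:0x14,%eax ; mov %eax,-0x4(%ebp) */
    memcpy(frame + BUFF_SIZE, &tls_guard, sizeof tls_guard);

    /* gets(buff): stores the whole line including its NUL, ignoring sizeof buff */
    memcpy(frame, input, n);

    /* Epilogue: mov -0x4(%ebp),%eax ; xor %gs:0x14,%eax ; je ok */
    memcpy(&saved, frame + BUFF_SIZE, sizeof saved);
    return (saved ^ tls_guard) == 0;
}

int main(void)
{
    /* Constructed sample lines; gets() would store strlen()+1 bytes for each. */
    const char *lines[] = { "hello", "AAAAAAAA", "AAAAAAAAAA" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        size_t n = strlen(lines[i]) + 1;
        printf("%-12s (%zu bytes): %s\n", lines[i], n,
               simulate_display((const unsigned char *)lines[i], n)
                   ? "guard intact" : "guard smashed -> __stack_chk_fail");
    }
    return 0;
}
```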
