Confused by [ebp-0xc] instead of [ebp-4] in Art of Exploitation example


Question

I am reading the book Hacking: The Art of Exploitation, 2nd Edition and in the simple C program

#include <stdio.h>
int main()
{
    int i;  
    for (i = 0; i < 10; i++)
    {
        puts("Hello, world!\n");
    }
    return 0;
}

The book lists that the gdb debug will modify the ebp register first:

(gdb) x/i $eip 0x8048384 <main+16>: mov DWORD PTR [ebp-4],0x0

As it explains, this assembly instruction moves the value 0 into memory at the address stored in the EBP register minus 4. This is where the C variable i is stored in memory; i was declared as an integer, which uses 4 bytes of memory on an x86 processor.

This makes sense to me, but when I test the exact same step on my "very old i386" Linux laptop, here is what I get:

(gdb) x/i $eip => 0x4011b6 <main+29>:   mov    DWORD PTR [ebp-0xc],0x0

So on my laptop, it shows [ebp-0xc] instead of [ebp-4]. Based on my understanding, "0xc" as hex will be 12, so it will be 12 bytes? If so, why?

Here is the whole assembly dump on my laptop for this simple program:

(gdb) disassemble main

Dump of assembler code for function main:
   0x00401199 <+0>: lea    ecx,[esp+0x4]
   0x0040119d <+4>: and    esp,0xfffffff0
   0x004011a0 <+7>: push   DWORD PTR [ecx-0x4]
   0x004011a3 <+10>:    push   ebp
   0x004011a4 <+11>:    mov    ebp,esp
   0x004011a6 <+13>:    push   ebx
   0x004011a7 <+14>:    push   ecx
   0x004011a8 <+15>:    sub    esp,0x10
   0x004011ab <+18>:    call   0x4010a0 <__x86.get_pc_thunk.bx>
   0x004011b0 <+23>:    add    ebx,0x2e50
=> 0x004011b6 <+29>:    mov    DWORD PTR [ebp-0xc],0x0
   0x004011bd <+36>:    jmp    0x4011d5 <main+60>
   0x004011bf <+38>:    sub    esp,0xc
   0x004011c2 <+41>:    lea    eax,[ebx-0x1ff8]
   0x004011c8 <+47>:    push   eax
   0x004011c9 <+48>:    call   0x401030 <puts@plt>
   0x004011ce <+53>:    add    esp,0x10
   0x004011d1 <+56>:    add    DWORD PTR [ebp-0xc],0x1
   0x004011d5 <+60>:    cmp    DWORD PTR [ebp-0xc],0x9
   0x004011d9 <+64>:    jle    0x4011bf <main+38>
   0x004011db <+66>:    mov    eax,0x0
   0x004011e0 <+71>:    lea    esp,[ebp-0x8]
   0x004011e3 <+74>:    pop    ecx
   0x004011e4 <+75>:    pop    ebx
   0x004011e5 <+76>:    pop    ebp
   0x004011e6 <+77>:    lea    esp,[ecx-0x4]
   0x004011e9 <+80>:    ret    
End of assembler dump.

Answer

sub esp,0x10

allocated 16 bytes (four registers worth) of space on the stack for variables and other stuff.

mov DWORD PTR [ebp-0xc],0x0

appears to be the first reference to slot ebp-0xc, and it's being initialized to zero. After looking at cmp DWORD PTR [ebp-0xc],0x9 at main+60 I'm certain this is i = 0 from the initialization section of the for loop.

The compiler can put variables where it will, and while deterministic it changes with patch versions of the compiler.
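An added example, not part of the question or answer: a small Python script that walks the prologue of the dump above and labels each 4-byte slot below ebp. It shows that push ebx and push ecx occupy ebp-4 and ebp-8, so the 16-byte region reserved by sub esp,0x10 starts at ebp-0xc, the first slot the compiler had free for i. DUMP is an excerpt of the question's dump; the function names and the "local"/"saved" labels are my own.

```python
import re

# Excerpt of the gdb dump from the question (the prologue plus the loop's
# references to i); constructed here so the script runs stand-alone.
DUMP = """\
   0x004011a3 <+10>:    push   ebp
   0x004011a4 <+11>:    mov    ebp,esp
   0x004011a6 <+13>:    push   ebx
   0x004011a7 <+14>:    push   ecx
   0x004011a8 <+15>:    sub    esp,0x10
=> 0x004011b6 <+29>:    mov    DWORD PTR [ebp-0xc],0x0
   0x004011d1 <+56>:    add    DWORD PTR [ebp-0xc],0x1
   0x004011d5 <+60>:    cmp    DWORD PTR [ebp-0xc],0x9
"""

INSN = re.compile(r"^(?:=>)?\s*0x[0-9a-f]+ <\+\d+>:\s+(\w+)\s*(.*)$")
EBP_REF = re.compile(r"\[ebp-0x([0-9a-f]+)\]")

def frame_layout(dump):
    """Label each 4-byte slot below ebp claimed by the prologue (pushes, then sub esp)."""
    slots, depth, in_prologue = {}, 0, False
    for line in dump.splitlines():
        m = INSN.match(line)
        if not m:
            continue
        mnem, ops = m.group(1), m.group(2).replace(" ", "")
        if mnem == "mov" and ops == "ebp,esp":
            in_prologue = True      # frame pointer set; ebp-4 is the next free slot
        elif in_prologue and mnem == "push":
            depth += 4              # each push takes the next slot: ebp-4, ebp-8, ...
            slots[depth] = "saved " + ops
        elif in_prologue and mnem == "sub" and ops.startswith("esp,"):
            size = int(ops.split(",")[1], 16)
            for off in range(depth + 4, depth + size + 1, 4):
                slots[off] = "local"    # room for variables "and other stuff"
            in_prologue = False     # stack allocation done; body follows
    return slots

def referenced_locals(dump):
    """Map every [ebp-0x..] the body touches to the slot label it lands in."""
    layout = frame_layout(dump)
    offs = {int(h, 16) for line in dump.splitlines() for h in EBP_REF.findall(line)}
    return {off: layout.get(off, "outside frame") for off in sorted(offs)}

if __name__ == "__main__":
    for off, what in sorted(frame_layout(DUMP).items()):
        print(f"[ebp-0x{off:x}] {what}")
    print("variables:", referenced_locals(DUMP))   # {12: 'local'}
```

Run against the book's older compiler output, which has no pushes between mov ebp,esp and the stack allocation, the same walk would put the first local at ebp-4, which is the difference the question is asking about.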
