Confused by [ebp-0xc] instead of [ebp-4] in Art of Exploitation example
Question
I am reading the book Hacking: The Art of Exploitation, 2nd Edition, and in the simple C program
#include <stdio.h>

int main()
{
    int i;
    for (i = 0; i < 10; i++)
    {
        puts("Hello, world!\n");
    }
    return 0;
}
the book lists that the gdb debugging session will modify the ebp register first:
(gdb) x/i $eip
0x8048384 <main+16>: mov DWORD PTR [ebp-4],0x0
As the book explains, this assembly instruction will move the value 0 into memory located at the address stored in the EBP register, minus 4. This is where the C variable i is stored in memory; i was declared as an integer that uses 4 bytes of memory on an x86 processor.
This makes sense to me, but when I test the exact same step on my "very old i386" Linux laptop, here is what I got:
(gdb) x/i $eip
=> 0x4011b6 <main+29>: mov DWORD PTR [ebp-0xc],0x0
So on my laptop, it shows [ebp-0xc] instead of [ebp-4]. Based on my understanding, "0xc" as hex would be 12, so it would be 12 bytes? If so, why?
Here is the whole assembly dump on my laptop for this simple program:
(gdb) disassemble main
Dump of assembler code for function main:
0x00401199 <+0>: lea ecx,[esp+0x4]
0x0040119d <+4>: and esp,0xfffffff0
0x004011a0 <+7>: push DWORD PTR [ecx-0x4]
0x004011a3 <+10>: push ebp
0x004011a4 <+11>: mov ebp,esp
0x004011a6 <+13>: push ebx
0x004011a7 <+14>: push ecx
0x004011a8 <+15>: sub esp,0x10
0x004011ab <+18>: call 0x4010a0 <__x86.get_pc_thunk.bx>
0x004011b0 <+23>: add ebx,0x2e50
=> 0x004011b6 <+29>: mov DWORD PTR [ebp-0xc],0x0
0x004011bd <+36>: jmp 0x4011d5 <main+60>
0x004011bf <+38>: sub esp,0xc
0x004011c2 <+41>: lea eax,[ebx-0x1ff8]
0x004011c8 <+47>: push eax
0x004011c9 <+48>: call 0x401030 <puts@plt>
0x004011ce <+53>: add esp,0x10
0x004011d1 <+56>: add DWORD PTR [ebp-0xc],0x1
0x004011d5 <+60>: cmp DWORD PTR [ebp-0xc],0x9
0x004011d9 <+64>: jle 0x4011bf <main+38>
0x004011db <+66>: mov eax,0x0
0x004011e0 <+71>: lea esp,[ebp-0x8]
0x004011e3 <+74>: pop ecx
0x004011e4 <+75>: pop ebx
0x004011e5 <+76>: pop ebp
0x004011e6 <+77>: lea esp,[ecx-0x4]
0x004011e9 <+80>: ret
End of assembler dump.
Accepted answer
sub esp,0x10 allocated 16 bytes (four registers worth) of space on the stack for variables and other stuff.

mov DWORD PTR [ebp-0xc],0x0 appears to be the first reference to slot ebp-0xc, and it's being initialized to zero. After looking at cmp DWORD PTR [ebp-0xc],0x9 at main+60 I'm certain this is i = 0 from the initialization section of the for loop.

The compiler can put variables where it will, and while deterministic it changes with patch versions of the compiler.
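The difference between the two dumps can be read straight off the prologues: on the laptop, push ebx and push ecx sit between mov ebp,esp and sub esp,0x10, so the saved registers occupy ebp-4 and ebp-8 and the first local lands at ebp-0xc. The C program below is an added example, not code from the book or from the question; it walks a prologue tail and reports where the first local slot lands, assuming 4-byte pushes and that the compiler hands out the slot directly below the saved registers (the book-era prologue with a single sub esp,0x8 is an assumption, since the page shows only the mov).

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Walk the instructions that follow "mov ebp,esp" and return the
 * ebp-relative offset (negative) of the first local-variable slot.
 * Each push lowers esp by 4 on i386; "sub esp,N" reserves the local
 * area, and the first local is assumed to sit directly below the
 * saved registers (what both gdb dumps on this page show).  Returns 0
 * when the prologue reserves no local space at all. */
int first_local_offset(const char *const *prologue, int n)
{
    int pushed = 0;      /* bytes occupied by push instructions */
    int reserved = 0;    /* bytes reserved by "sub esp,N" */

    for (int k = 0; k < n; k++) {
        const char *ins = prologue[k];
        if (strncmp(ins, "push ", 5) == 0)
            pushed += 4;
        else if (strncmp(ins, "sub esp,", 8) == 0)
            reserved += (int)strtol(ins + 8, NULL, 0); /* base 0 parses 0x10 */
        /* call, add ebx, ... do not move esp permanently; ignore them */
    }
    return reserved ? -(pushed + 4) : 0;
}

/* Prologue tail copied from the laptop dump above (after "mov ebp,esp"). */
int laptop_offset(void)
{
    static const char *const tail[] = {
        "push ebx", "push ecx", "sub esp,0x10",
        "call 0x4010a0 <__x86.get_pc_thunk.bx>", "add ebx,0x2e50",
    };
    return first_local_offset(tail, sizeof tail / sizeof tail[0]); /* -12 */
}

/* Reconstructed book-era prologue: no callee-saved pushes, only a
 * "sub esp,0x8" (an assumption; the page shows just the mov). */
int book_offset(void)
{
    static const char *const tail[] = { "sub esp,0x8" };
    return first_local_offset(tail, sizeof tail / sizeof tail[0]); /* -4 */
}

int main(void)
{
    printf("laptop: first local at ebp-0x%x\n", -laptop_offset());
    printf("book:   first local at ebp-0x%x\n", -book_offset());
    return 0;
}
```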