The C code is as follows (reverse engineering a stack overflow attack with strcpy):
#include <string.h>

void foo(char *x) {
    int buf[1];                 /* 4-byte buffer, deliberately too small */
    strcpy((char *) buf, x);    /* unbounded copy: the overflow under discussion */
}

void callfoo() {
    foo("abcdefghi");           /* 9 characters plus the NUL terminator = 10 bytes */
}
and part of the assembly code for foo is:
leal 0xfffffffc(%ebp), %eax
pushl %eax
call 80483c4 <strcpy>
movl %ebp, %esp
popl %ebp
ret
I expected strcpy to get %eax as the place where it fills buf, so it fills %ebp-4, %ebp, %ebp+4 (old %ebp), %ebp+8 (foo's return address)..... My attack string is "abcdefghi".
In that case the buffer would be filled as:
%ebp-0x4 = 64636261
%ebp = 68676665
%ebp+0x4 = 08040069
But the solution says it will fill from %ebp to %ebp+0x8. Have I misunderstood the stack structure?
The solution says:
B. Immediately before the ret instruction at address of foo, what is the value of the frame pointer register %ebp?
%ebp = 0x68676665
C. Immediately after the ret instruction of foo, what is the value of the program counter register %eip?
%eip = %ebp+8 (it is changed by strcpy)
Think of %ebp as a pointer. It points to an address, "buf", where it will try to write your 10-byte string.
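To make the byte-level arithmetic in the question concrete, here is an added example (not code from the question, the quoted solution, or any textbook) that models foo's frame as a 12-byte little-endian array with buf at %ebp-4, as `leal 0xfffffffc(%ebp), %eax` implies, replays what strcpy writes, and reads back the words at %ebp-4, %ebp and %ebp+4. The saved %ebp (0xbffff100) and return address (0x080483e0) are constructed placeholders, and foo_checked is an assumed name for the length-checked replacement that a fix would use.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* foo's frame modelled as 12 bytes, little-endian as on x86:
 * index 0 is %ebp-4 (buf, from `leal 0xfffffffc(%ebp), %eax`),
 * index 4 is %ebp+0 (saved %ebp), index 8 is %ebp+4 (return address). */
#define FRAME_BYTES 12
#define BUF_INDEX   0
#define EBP_INDEX   4
#define RET_INDEX   8

struct frame_words {
    uint32_t buf;        /* word at %ebp-4 */
    uint32_t saved_ebp;  /* word at %ebp   */
    uint32_t ret_addr;   /* word at %ebp+4 */
};

static uint32_t load_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void store_le32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* strcpy writes strlen(x)+1 bytes (NUL included) starting at buf and never
 * looks at the 4-byte buffer size. Bytes past the modelled frame are dropped
 * here; a real strcpy would keep going. Returns bytes written into the model. */
size_t simulate_strcpy(uint8_t frame[FRAME_BYTES], const char *x) {
    size_t n = strlen(x) + 1, written = 0;
    for (size_t i = 0; i < n && BUF_INDEX + i < FRAME_BYTES; i++, written++)
        frame[BUF_INDEX + i] = (uint8_t)x[i];
    return written;
}

/* Build the frame with the given saved %ebp and return address, run the
 * copy, and read the three words back. */
struct frame_words layout_after_copy(const char *x, uint32_t saved_ebp, uint32_t ret_addr) {
    uint8_t frame[FRAME_BYTES] = {0};
    store_le32(frame + EBP_INDEX, saved_ebp);
    store_le32(frame + RET_INDEX, ret_addr);
    simulate_strcpy(frame, x);
    struct frame_words w = {
        load_le32(frame + BUF_INDEX),
        load_le32(frame + EBP_INDEX),
        load_le32(frame + RET_INDEX),
    };
    return w;
}

/* The fix (assumed name): refuse any input that does not fit in the
 * destination, NUL included, instead of letting the copy run past it. */
int foo_checked(char *dst, size_t dst_len, const char *x) {
    size_t need = strlen(x) + 1;
    if (need > dst_len) return 0;   /* would overflow: reject */
    memcpy(dst, x, need);
    return 1;
}

int main(void) {
    /* Constructed values: saved %ebp 0xbffff100, return address 0x080483e0 */
    struct frame_words w = layout_after_copy("abcdefghi", 0xbffff100u, 0x080483e0u);
    printf("%%ebp-4 = %08x\n%%ebp   = %08x\n%%ebp+4 = %08x\n",
           w.buf, w.saved_ebp, w.ret_addr);
    char small[sizeof(int)];
    printf("checked copy accepted 10 bytes into 4: %d\n",
           foo_checked(small, sizeof small, "abcdefghi"));
    return 0;
}
```

With the 10-byte string, bytes 'a'..'d' land in buf, 'e'..'h' replace the saved %ebp (giving 0x68676665, the value the solution quotes), and only 'i' plus the NUL reach the return address slot, so its low two bytes change while the high two bytes of the original address survive. The checked copy rejects the same input outright.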