c代码是这样的,
void foo (char *x){
int buf[1];
strcpy((char *) buf, x);
}
void callfoo() {
foo("abcdefghi");
}
和汇编代码foo的一部分是
leal 0xfffffffc(%ebp), %eax
pushl %eax
call 80483c4 <strcpy>
movl %ebp, %esp
popl %ebp
ret
我期望strcpy得到%eax用buf填充,所以它填充%ebp-4,%ebp,%ebp + 4(旧%ebp)%ebp + 8(foo的返回地址)。 .... 我的攻击字符串是&#34; abcdefghi&#34;
缓冲区将在案例下填充,
%ebp-0x4 = 64636261
%ebp = 68676665
%ebp+0x4 = 08040069
但是解决方案说它会填满%ebp~%ebp + 0x8。我误解了堆栈结构?
解决方案说,
B. Immediately before the ret instruction at address of foo, what is the value of the frame pointer register %ebp?
%ebp = 0x68676665
C. Immediately after the ret instruction of foo, what is the value of the program counter register %eip?
%eip = %ebp+8(it is changed by strcpy)
答案 0 :(得分:0)
我误解了推送指令。
推送指令是
pushl %ebp
与
相同subl 0x4, %esp
movl %ebp, (%esp)
所以strcpy填充到%ebp~%ebp + 0x8