我正在使用缓冲区溢出攻击程序进行类分配。我提供了C代码以及反汇编代码,我的一个工作是注释反汇编代码。我不需要任何人来诠释整个事情,但我的评论是否在正确的轨道上?如果没有,可以注释几行,让我走上正轨。谢谢!
#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>
/* Like gets, except that characters are typed as pairs of hex digits.
Nondigit characters are ignored. Stops when encounters newline */
char *getxs(char *dest)
{
int c;
int even = 1; /* Have read even number of digits */
int otherd = 0; /* Other hex digit of pair */
char* sp = dest;
while ((c = getchar()) != EOF && c != '\n')
{
if (isxdigit(c))
{
int val;
if ('0' <= c && c <= '9')
val = c - '0';
else if ('A' <= c && c <= 'F')
val = c - 'A' + 10;
else
val = c - 'a' + 10;
if (even)
{
otherd = val;
even = 0;
}
else
{
*sp++ = otherd * 16 + val;
even = 1;
}
}
}
*sp++ = '\0';
return dest;
}
int getbuf()
{
char buf[12];
getxs(buf);
return 1;
}
void test()
{
int val;
printf("Type hex string: ");
val = getbuf();
printf("getbuf returned 0x%x\n", val);
}
int main()
{
int buf[16];
/* This little hack is an attempt to get the stack to be in a
stable position
*/
int offset = (((int)buf) & 0xFFF);
int* space = (int*) alloca(offset);
*space = 0; /* So that we don't get complaint of unused variable */
test();
return 0;
}
带注释的反汇编是:
buffer.o: file format elf32-i386
disassembly of section .text:
0000000 <getxs>:
0: 55 push %ebp // pushes stack pointer to top
1: 89 e5 mov %esp,%ebp // stack pointer = c
3: 83 ec 28 sub $0x28,%esp // allocates space for c
6: c7 45 e8 01 00 00 00 movl $0x1,-0x18(%ebp) // even = 1
d: c7 45 ec 00 00 00 00 movl $0x0,-0x14(%ebp) // otherd = 0
14: 8b 45 08 mov 0x8(%ebp),%eax // sp = dest
17: 89 45 f0 mov %eax,-0x10(%ebp) // conditional setup
1a: e9 89 00 00 00 jmp a8 <getxs+0xa8>
1f: e8 fc ff ff ff call 20 <getxs+0x20>
24: 8b 00 mov (%eax),%eax
26: 8b 55 e4 mov -0x1c(%ebp),%edx
29: 01 d2 add %edx,%edx
2b: 01 d0 movzwl (%eax),%eax
30: 0f b7 c0 add %edx,%eax
2d: 0f b7 00 movzwl %ax,%eax
33: 25 00 10 00 00 and $0x1000,%eax
38: 85 c0 test %eax,%eax
3a: 74 6c je a8 <getxs+0xa8>
3c: 83 7d e4 2f cmpl $0x2f,-0x1c(%ebp)
40: 7e 11 jle 53 <getxs+0x53>
42: 83 7d e4 39 cmpl $0x39,-0x1c(%ebp)
46: 7f 0b jg 53 <getxs+0x53>
48: 8b 45 e4 mov -0x1c(%ebp),%eax
4b: 83 e8 30 sub $0x30,%eax
4e: 89 45 f4 mov %eax,-0xc(%ebp)
51: eb 20 jmp 73 <getxs+0x73>
53: 83 7d e4 40 cmpl $0x40,-0x1c(%ebp)
57: 7e 11 jle 6a <getxs+0x6a>
59: 83 7d e4 46 cmpl $0x46,-0x1c(%ebp)
5d: 7f 0b jg 6a <getxs+0x6a>
5f: 8b 45 e4 mov -0x1c(%ebp),%eax
62: 83 e8 37 sub $0x37,%eax
65: 89 45 f4 mov %eax,-0xc(%ebp)
68: eb 09 jmp 73 <getxs+0x73>
6a: 8b 45 e4 mov -0x1c(%ebp),%eax
6d: 83 e8 57 sub $0x57,%eax
70: 89 45 f4 mov %eax,-0xc(%ebp)
73: 83 7d e8 00 cmpl $0x0,-0x18(%ebp)
77: 74 0f je 88 <getxs+0x88>
79: 8b 45 f4 mov -0xc(%ebp),%eax
7c: 89 45 ec mov %eax,-0x14(%ebp)
7f: c7 45 e8 00 00 00 00 movl $0x0,-0x18(%ebp)
86: eb 20 jmp a8 <getxs+0xa8>
88: 8b 45 ec mov -0x14(%ebp),%eax
8b: 89 c2 mov %eax,%edx
8d: c1 e2 04 shl $0x4,%edx
90: 8b 45 f4 mov -0xc(%ebp),%eax
93: 8d 04 02 lea (%edx,%eax,1),%eax
96: 89 c2 mov %eax,%edx
98: 8b 45 f0 mov -0x10(%ebp),%eax
9b: 88 10 mov %dl,(%eax)
9d: 83 45 f0 01 addl $0x1,-0x10(%ebp)
a1: c7 45 e8 01 00 00 00 movl $0x1,-0x18(%ebp)
a8: e8 fc ff ff ff call a9 <getxs+0xa9>
ad: 89 45 e4 mov %eax,-0x1c(%ebp)
b0: 83 7d e4 ff cmpl $0xffffffff,-0x1c(%ebp)
b4: 74 0a je c0 <getxs+0xc0>
b6: 83 7d e4 0a cmpl $0xa,-0x1c(%ebp)
ba: 0f 85 5f ff ff ff jne 1f <getxs+0x1f>
c0: 8b 45 f0 mov -0x10(%ebp),%eax
c3: c6 00 00 movb $0x0,(%eax)
c6: 83 45 f0 01 addl $0x1,-0x10(%ebp)
ca: 8b 45 08 mov 0x8(%ebp),%eax
cd: c9 leave
ce: c3 ret
00000cf <getbuf>:
cf: 55 push %ebp // pushes stack pointer to the top
d0: 89 e5 mov %esp,%ebp // stack pointer = buf[12]
d2: 83 ec 28 sub $0x28,%esp // allocates space (40 bits)
d5: 8d 45 ec lea -0x14(%ebp),%eax // rv = stack pointer - 20
d8: 89 04 24 mov %eax,(%esp)
db: e8 fc ff ff ff call dc <getbuf+0xd>
e0: b8 01 00 00 00 mov $0x1,%eax // return 1 -- want to return ef be ad de
e5: c9 leave
e6: c3 ret
00000e7 <test>:
e7: 55 push %ebp
e8: 89 e5 mov %esp,%ebp
ea: 83 ec 28 sub $0x28,%esp
ed: b8 00 00 00 00 mov $0x0,%eax
f2: 89 04 24 mov %eax,(%esp)
f5: e8 fc ff ff ff call f6 <test+0xf>
fa: e8 fc ff ff ff call fb <test+0x14>
ff: 89 45 f4 mov %eax,-0xc(%ebp)
102: b8 13 00 00 00 mov $0x13,%eax
107: 8b 55 f4 mov -0xc(%ebp),%edx
10a: 89 54 24 04 mov %edx,0x4(%esp)
10e: 89 04 24 mov %eax,(%esp)
111: e8 fc ff ff ff call 112 <test+0x2b>
116: c9 leave
117: c3 ret
0000118 <main>:
118: 8d 4c 24 04 lea 0x4(%esp),%ecx
11c: 83 e4 f0 and $0xfffffff0,%esp
11f: ff 71 fc pushl -0x4(%ecx)
122: 55 push %ebp
123: 89 e5 mov %esp,%ebp
125: 51 push %ecx
126: 83 ec 54 sub $0x54,%esp
129: 8d 45 b0 lea -0x50(%ebp),%eax
12c: 25 ff 0f 00 00 and $0xfff,%eax
131: 89 45 f0 mov %eax,-0x10(%ebp)
134: 8b 45 f0 mov -0x10(%ebp),%eax
137: 83 c0 0f add $0xf,%eax
13a: 83 c0 0f add $0xf,%eax
13d: c1 e8 04 shr $0x4,%eax
140: c1 e0 04 shl $0x4,%eax
143: 29 c4 sub %eax,%esp
145: 89 e0 mov %esp,%eax
147: 83 c0 0f add $0xf,%eax
14a: c1 e8 04 shr $0x4,%eax
14d: c1 e0 04 shl $0x4,%eax
150: 89 45 f4 mov %eax,-0xc(%ebp)
153: 8b 45 f4 mov -0xc(%ebp),%eax
156: c7 00 00 00 00 00 movl $0x0,(%eax)
15c: e8 fc ff ff ff call 15d <main+0x45>
161: b8 00 00 00 00 mov $0x0,%eax
166: 8b 4d fc mov -0x4(%ebp),%ecx
169: c9 leave
16a: 8d 61 fc lea -0x4(%ecx),%esp
16d: c3 ret
答案 0 :(得分:3)
注释应描述指令或指令块的意图。它不应该只是鹦鹉指令所做的事情(错误地)。
在第一行:
0: 55 push %ebp // pushes stack pointer to top
我们可以看到指令将基指针推到堆栈上,但是注释错误地指出我们正在推动堆栈上的堆栈指针。
相反,指令序列:
0: 55 push %ebp // pushes stack pointer to top
1: 89 e5 mov %esp,%ebp // stack pointer = c
3: 83 ec 28 sub $0x28,%esp // allocates space for c
是标准函数入口前导码,用于建立堆栈帧并分配0x28字节的本地存储。记录堆栈帧的布局很有用,包括函数参数的位置:
0x08(%ebp): dest
0x04(%ebp): return-address
0x00(%ebp): prev %ebp
-0x04(%ebp): ?
-0x08(%ebp): ?
-0x0c(%ebp): ?
-0x10(%ebp): sp
-0x14(%ebp): otherd
-0x18(%ebp): even
-0x1c(%ebp): ?
-0x20(%ebp): ?
-0x24(%ebp): ?
-0x28(%ebp): ?
以下内容:
14: 8b 45 08 mov 0x8(%ebp),%eax // sp = dest
17: 89 45 f0 mov %eax,-0x10(%ebp) // conditional setup
%eax实际上不是sp,当它从dest的函数参数移动到0x8(%ebp)处的sp时暂时保留-0x10(%ebp) {1}}。没有&#34;条件设置&#34;。