我有一个函数m(int i,char c),它接受并返回“-abc ... xyz”之间的一个字符,并且还取一个整数i。
基本上我无法查看函数的源代码,但可以调用它并获取返回值。使用gdb / C,破解函数实际执行的最佳方法是什么?我已经尝试使用连续的字符和整数输入查找模式,但还没有提出任何内容。
如果有帮助,这里有一些测试返回值的结果,前两位是参数,最后一位是返回值:
0 a i
0 b l
0 c t
0 d x
0 e f
0 f v
1 a q
1 b i
1 c y
1 d e
2 a a
2 b y
2 c f
2 d n
反汇编提供以下内容:
0x00014354 <m+0>: save %sp, -144, %sp
0x00014358 <m+4>: st %i0, [ %fp + 0x44 ]
0x0001435c <m+8>: mov %i1, %g1
0x00014360 <m+12>: stb %g1, [ %fp + 0x48 ]
0x00014364 <m+16>: st %sp, [ %fp + -40 ]
0x00014368 <m+20>: mov 0x1b, %g1
0x0001436c <m+24>: stb %g1, [ %fp + -17 ]
0x00014370 <m+28>: clr [ %fp + -24 ]
0x00014374 <m+32>: ldub [ %fp + -17 ], %g1
0x00014378 <m+36>: sll %g1, 0x18, %g1
0x0001437c <m+40>: sra %g1, 0x18, %g1
0x00014380 <m+44>: add %g1, 7, %g1
0x00014384 <m+48>: srl %g1, 3, %g1
0x00014388 <m+52>: sll %g1, 3, %g1
0x0001438c <m+56>: sub %sp, %g1, %sp
0x00014390 <m+60>: add %sp, 0x5c, %g1
0x00014394 <m+64>: add %g1, 7, %g1
0x00014398 <m+68>: srl %g1, 3, %g1
0x0001439c <m+72>: sll %g1, 3, %g1
0x000143a0 <m+76>: st %g1, [ %fp + -44 ]
0x000143a4 <m+80>: mov 0x2d, %g1
0x000143a8 <m+84>: ld [ %fp + -44 ], %o4
0x000143ac <m+88>: stb %g1, [ %o4 ]
0x000143b0 <m+92>: mov 1, %g1
0x000143b4 <m+96>: st %g1, [ %fp + -28 ]
0x000143b8 <m+100>: ldub [ %fp + -17 ], %g1
0x000143bc <m+104>: sll %g1, 0x18, %g1
0x000143c0 <m+108>: sra %g1, 0x18, %o5
0x000143c4 <m+112>: ld [ %fp + -28 ], %g1
0x000143c8 <m+116>: cmp %o5, %g1
0x000143cc <m+120>: ble 0x14400 <m+172>
0x000143d0 <m+124>: nop
0x000143d4 <m+128>: ld [ %fp + -28 ], %g1
0x000143d8 <m+132>: ld [ %fp + -44 ], %o4
0x000143dc <m+136>: add %o4, %g1, %o5
0x000143e0 <m+140>: ld [ %fp + -28 ], %g1
0x000143e4 <m+144>: add %g1, 0x60, %g1
0x000143e8 <m+148>: stb %g1, [ %o5 ]
0x000143ec <m+152>: ld [ %fp + -28 ], %g1
0x000143f0 <m+156>: inc %g1
0x000143f4 <m+160>: st %g1, [ %fp + -28 ]
0x000143f8 <m+164>: b 0x143b8 <m+100>
0x000143fc <m+168>: nop
0x00014400 <m+172>: ldub [ %fp + -17 ], %g1
0x00014404 <m+176>: sll %g1, 0x18, %g1
0x00014408 <m+180>: sra %g1, 0x18, %o5
0x0001440c <m+184>: ld [ %fp + 0x44 ], %g1
0x00014410 <m+188>: mov %g1, %o0
0x00014414 <m+192>: mov %o5, %o1
0x00014418 <m+196>: call 0x2727c <.rem@plt>
0x0001441c <m+200>: nop
0x00014420 <m+204>: mov %o0, %g1
0x00014424 <m+208>: st %g1, [ %fp + 0x44 ]
0x00014428 <m+212>: ldub [ %fp + 0x48 ], %g1
0x0001442c <m+216>: sll %g1, 0x18, %g1
0x00014430 <m+220>: sra %g1, 0x18, %g1
0x00014434 <m+224>: cmp %g1, 0x2d
0x00014438 <m+228>: be 0x1449c <m+328>
0x0001443c <m+232>: nop
0x00014440 <m+236>: ldub [ %fp + 0x48 ], %g1
0x00014444 <m+240>: sll %g1, 0x18, %g1
0x00014448 <m+244>: sra %g1, 0x18, %g1
0x0001444c <m+248>: cmp %g1, 0x60
0x00014450 <m+252>: bg 0x14464 <m+272>
0x00014454 <m+256>: nop
0x00014458 <m+260>: clr [ %fp + -24 ]
0x0001445c <m+264>: b 0x1449c <m+328>
0x00014460 <m+268>: nop
0x00014464 <m+272>: ldub [ %fp + 0x48 ], %g1
0x00014468 <m+276>: sll %g1, 0x18, %g1
0x0001446c <m+280>: sra %g1, 0x18, %g1
0x00014470 <m+284>: cmp %g1, 0x7a
0x00014474 <m+288>: ble 0x14488 <m+308>
0x00014478 <m+292>: nop
0x0001447c <m+296>: clr [ %fp + -24 ]
0x00014480 <m+300>: b 0x1449c <m+328>
0x00014484 <m+304>: nop
0x00014488 <m+308>: ldub [ %fp + 0x48 ], %g1
0x0001448c <m+312>: sll %g1, 0x18, %g1
0x00014490 <m+316>: sra %g1, 0x18, %g1
0x00014494 <m+320>: add %g1, -96, %g1
0x00014498 <m+324>: st %g1, [ %fp + -24 ]
0x0001449c <m+328>: clr [ %fp + -28 ]
0x000144a0 <m+332>: ldub [ %fp + -17 ], %g1
0x000144a4 <m+336>: sll %g1, 0x18, %g1
0x000144a8 <m+340>: sra %g1, 0x18, %o5
0x000144ac <m+344>: ld [ %fp + -28 ], %g1
0x000144b0 <m+348>: cmp %o5, %g1
0x000144b4 <m+352>: ble 0x14568 <m+532>
0x000144b8 <m+356>: nop
0x000144bc <m+360>: ld [ %fp + 0x44 ], %g1
0x000144c0 <m+364>: sll %g1, 3, %l0
0x000144c4 <m+368>: ld [ %fp + -28 ], %o0
0x000144c8 <m+372>: ld [ %fp + -28 ], %o1
0x000144cc <m+376>: call 0x272ac <.umul@plt>
0x000144d0 <m+380>: nop
0x000144d4 <m+384>: mov %o0, %g1
0x000144d8 <m+388>: add %l0, %g1, %g1
0x000144dc <m+392>: add %g1, 8, %o5
0x000144e0 <m+396>: ldub [ %fp + -17 ], %g1
0x000144e4 <m+400>: sll %g1, 0x18, %g1
0x000144e8 <m+404>: sra %g1, 0x18, %g1
0x000144ec <m+408>: mov %o5, %o0
0x000144f0 <m+412>: mov %g1, %o1
0x000144f4 <m+416>: call 0x2727c <.rem@plt>
0x000144f8 <m+420>: nop
0x000144fc <m+424>: mov %o0, %g1
0x00014500 <m+428>: st %g1, [ %fp + -32 ]
0x00014504 <m+432>: ld [ %fp + -32 ], %g1
0x00014508 <m+436>: ld [ %fp + -44 ], %o5
0x0001450c <m+440>: add %o5, %g1, %g1
0x00014510 <m+444>: ldub [ %g1 ], %g1
0x00014514 <m+448>: sll %g1, 0x18, %g1
0x00014518 <m+452>: sra %g1, 0x18, %g1
0x0001451c <m+456>: st %g1, [ %fp + -36 ]
0x00014520 <m+460>: ld [ %fp + -32 ], %g1
0x00014524 <m+464>: ld [ %fp + -44 ], %o4
0x00014528 <m+468>: add %o4, %g1, %o5
0x0001452c <m+472>: ld [ %fp + -28 ], %g1
0x00014530 <m+476>: ld [ %fp + -44 ], %o4
0x00014534 <m+480>: add %o4, %g1, %g1
0x00014538 <m+484>: ldub [ %g1 ], %g1
0x0001453c <m+488>: stb %g1, [ %o5 ]
0x00014540 <m+492>: ld [ %fp + -28 ], %g1
0x00014544 <m+496>: ld [ %fp + -44 ], %o4
0x00014548 <m+500>: add %o4, %g1, %o5
0x0001454c <m+504>: ld [ %fp + -36 ], %g1
0x00014550 <m+508>: stb %g1, [ %o5 ]
0x00014554 <m+512>: ld [ %fp + -28 ], %g1
0x00014558 <m+516>: inc %g1
0x0001455c <m+520>: st %g1, [ %fp + -28 ]
0x00014560 <m+524>: b 0x144a0 <m+332>
0x00014564 <m+528>: nop
0x00014568 <m+532>: ld [ %fp + -24 ], %g1
0x0001456c <m+536>: ld [ %fp + -44 ], %o5
0x00014570 <m+540>: add %o5, %g1, %g1
0x00014574 <m+544>: ldub [ %g1 ], %g1
0x00014578 <m+548>: sll %g1, 0x18, %g1
0x0001457c <m+552>: sra %g1, 0x18, %g1
0x00014580 <m+556>: ld [ %fp + -40 ], %sp
0x00014584 <m+560>: mov %g1, %i0
0x00014588 <m+564>: ret
0x0001458c <m+568>: restore
答案 0 :(得分:1)
看看反汇编:
gdb ./prog
b FUNCTION_NAME_HERE
r
disassemble
修改
反汇编看起来像SPARC。 您可能需要先查看SPARC体系结构的堆栈布局:
http://www.sics.se/~psm/sparcstack.html
%fp听起来像是framepointer。使用%fp的加载指令不多。我猜是
0x000143d4 <m+128>: ld [ %fp + -28 ], %g1
0x000143d8 <m+132>: ld [ %fp + -44 ], %o4
是函数的参数。