我正在学习集会并写下以下内容:
Section .text
global _start
_start:
jmp short GoToFilename
open:
pop esi ; esi gets address of the filename
xor eax, eax ; clear eax
mov [esi+13], al ; terminate file name(see # at the end of the first db)
mov dl, 0xa ; dl gets code of newline(\n)
mov byte [esi+15], dl ; place it between A and # (see 2nd db)
mov [esi+16], al ; place NULL for # (at the 2nd db) gets
lea edi, [esi+14] ; edi gets address of input text (here it should be only A as input)
mov [esi+17], edi ; place its address for XXXX
mov dx, 0x1b6 ; permissions
mov cl, 0x42 ; flags
mov ebx, esi ; address of file name
mov al, 0x5 ; syscall of open
int 0x80 ; go, lets do it
mov edi, eax ; put handle to file in edi
xor eax, eax ; clear because we will need it
write:
xor edx, edx
xor ecx, ecx
xor ebx, ebx
mov dl, 0x1 ; number of bytes to write = 1
lea ecx, [esi+17] ; ecx gets address of input text
mov ebx, edi ; put handle to file in edi
mov al, 0x4 ; syscall of write
int 0x80 ; go, lets do it
close:
mov ebx, edi ; handle to file
mov al, 0x6 ; syscall of open
int 0x80 ; go, lets do it
exit:
xor ebx, ebx ; clear ebx
mov al, 0x1 ; syscall of exit
int 0x80 ; go, lets do it
GoToFilename:
call open
db '/tmp/file.txt#'
db 'A #XXXX'
[为此,我使用jmp-call-pop-technique。那些知道什么是shellcodes的人会知道我的意思,但如果没有,那么它在这里就不那么重要了]
所以,当我让它运行时,然后创建文件,但是当我打开文件时,我得到了#在文件中写的符号,而不是字符'A'。
你知道我弄错了吗?我找不到它。我查看补偿,多次查看代码......但没有成功。
最好的问候,
答案 0 :(得分:1)
你错误地指的是[esi + 17]中存储的地址。更好用:
lea ecx, [esi+14] ; ecx gets address of input text
或者
mov ecx, [esi+17]