The C code is:

    #include <string.h>

    void foo(char *x) {
        int buf[1];
        strcpy((char *) buf, x);   /* unbounded copy into a 4-byte buffer */
    }

    void callfoo() {
        foo("abcdefghi");
    }
and part of the assembly for foo is:

    leal 0xfffffffc(%ebp), %eax
    pushl %eax
    call 80483c4 <strcpy>
    movl %ebp, %esp
    popl %ebp
    ret
I expected strcpy to take %eax, i.e. fill buf, so it fills %ebp-4, %ebp, %ebp+4 (old %ebp), %ebp+8 (foo's return address)... My attack string is "abcdefghi".

With the buffer filled, I get:

    %ebp-0x4 = 64636261
    %ebp     = 68676665
    %ebp+0x4 = 08040069

But the solution says it fills %ebp ~ %ebp+0x8. Have I misunderstood the stack structure?

The solution says:
B. Immediately before the ret instruction at address of foo, what is the value of the frame pointer register %ebp?
%ebp = 0x68676665
C. Immediately after the ret instruction of foo, what is the value of the program counter register %eip?
%eip = %ebp+8(it is changed by strcpy)
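The frame layout that the posted assembly implies (buf at %ebp-4, the pushed old %ebp at %ebp, the return address at %ebp+4) can be checked without running the real overflow. The following is an added example, not code from the question or the solution: it models foo's frame as a byte array, performs the same unbounded copy strcpy would, and reads back the three words. The old %ebp value (0xBFFFF6A8) and the return address (0x08048420) are constructed placeholders; only their position matters. The `bounded` mode shows the fix a reviewer would ask for: a copy that cannot exceed what `int buf[1]` can hold, which leaves the saved %ebp and return address untouched.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte model of foo's frame as laid out by the posted assembly (buf at
 * %ebp-4, saved %ebp at %ebp, return address at %ebp+4), followed by a few
 * bytes of the caller's frame so an overrun stays inside the model. */
#define FRAME_BYTES   16
#define OFF_BUF        0   /* %ebp-4 : int buf[1]       */
#define OFF_SAVED_EBP  4   /* %ebp   : pushed old %ebp  */
#define OFF_RET        8   /* %ebp+4 : return address   */

struct frame_state {
    uint32_t buf;        /* word at %ebp-4 */
    uint32_t saved_ebp;  /* word at %ebp   */
    uint32_t ret_addr;   /* word at %ebp+4 */
};

/* x86 is little-endian: the first byte copied is the least significant. */
static uint32_t load_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void store_le32(unsigned char *p, uint32_t v) {
    p[0] = v & 0xff;         p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Copy s into the 4-byte buf the way strcpy does (every byte up to and
 * including the NUL), then report what the frame holds afterwards.
 * bounded != 0 instead truncates to what buf can hold, which is the fix. */
struct frame_state run_foo_model(const char *s, uint32_t old_ebp,
                                 uint32_t ret_addr, int bounded) {
    unsigned char frame[FRAME_BYTES];
    struct frame_state st;
    size_t n = strlen(s) + 1;            /* strcpy copies the terminator too */

    memset(frame, 0xCC, sizeof frame);   /* constructed filler for caller bytes */
    store_le32(frame + OFF_SAVED_EBP, old_ebp);   /* constructed old %ebp   */
    store_le32(frame + OFF_RET, ret_addr);        /* constructed return addr */

    if (bounded) {
        /* Hardened copy: at most sizeof(buf) - 1 chars plus the NUL fit. */
        if (n > 4) n = 4;
        memcpy(frame + OFF_BUF, s, n - 1);
        frame[OFF_BUF + n - 1] = '\0';
    } else {
        if (n > FRAME_BYTES) n = FRAME_BYTES;   /* keep the model in bounds */
        memcpy(frame + OFF_BUF, s, n);          /* unbounded, like strcpy */
    }

    st.buf       = load_le32(frame + OFF_BUF);
    st.saved_ebp = load_le32(frame + OFF_SAVED_EBP);
    st.ret_addr  = load_le32(frame + OFF_RET);
    return st;
}

int main(void) {
    /* Constructed pre-call values: an old %ebp and a return address in the
     * same 0x0804xxxx text region as the posted strcpy address. */
    struct frame_state a = run_foo_model("abcdefghi", 0xBFFFF6A8u, 0x08048420u, 0);
    struct frame_state b = run_foo_model("abcdefghi", 0xBFFFF6A8u, 0x08048420u, 1);
    printf("unbounded: buf=%08x saved_ebp=%08x ret=%08x\n",
           a.buf, a.saved_ebp, a.ret_addr);
    printf("bounded:   buf=%08x saved_ebp=%08x ret=%08x\n",
           b.buf, b.saved_ebp, b.ret_addr);
    return 0;
}
```

With the nine-character string plus its NUL, ten bytes land starting at %ebp-4: "abcd" fills buf, "efgh" overwrites the word at %ebp (the saved frame pointer, hence the solution's 0x68676665), and 'i' followed by 0x00 overwrite only the low two bytes of the return address at %ebp+4, so its high bytes survive. The bounded variant leaves both words intact, which is the property a fix must restore.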