I am working on this exercise: http://exploit-exercises.com/protostar/stack5
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
  char buffer[64];

  gets(buffer);
}
I use gdb to debug it:
(gdb) disassemble main
Dump of assembler code for function main:
0x080483c4 <main+0>: push %ebp
0x080483c5 <main+1>: mov %esp,%ebp
0x080483c7 <main+3>: and $0xfffffff0,%esp
0x080483ca <main+6>: sub $0x50,%esp
0x080483cd <main+9>: lea 0x10(%esp),%eax
0x080483d1 <main+13>: mov %eax,(%esp)
0x080483d4 <main+16>: call 0x80482e8 <gets@plt>
0x080483d9 <main+21>: leave
0x080483da <main+22>: ret
End of assembler dump.
(gdb) b main
Breakpoint 1 at 0x80483cd: file stack5/stack5.c, line 10.
(gdb) r
Starting program: /opt/protostar/bin/stack5
Breakpoint 1, main (argc=1, argv=0xbffff874) at stack5/stack5.c:10
10 stack5/stack5.c: No such file or directory.
in stack5/stack5.c
(gdb) i r
eax 0xbffff874 -1073743756
ecx 0x37ca089a 935987354
edx 0x1 1
ebx 0xb7fd7ff4 -1208123404
esp 0xbffff770 0xbffff770
ebp 0xbffff7c8 0xbffff7c8
esi 0x0 0
edi 0x0 0
eip 0x80483cd 0x80483cd <main+9>
eflags 0x200282 [ SF IF ID ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
(gdb)
(gdb) x/x buffer
0xbffff7d8: 0xbffff87c
I find that the buffer address is larger than $ebp, but it is a local variable, so I do not understand this. I think it should be between $esp and $ebp.
(gdb) b *main+21
Breakpoint 2 at 0x80483d9: file stack5/stack5.c, line 11.
(gdb) c
Continuing.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Breakpoint 2, main (argc=1, argv=0xbffff874) at stack5/stack5.c:11
11 in stack5/stack5.c
(gdb) x/40x $esp
0xbffff770: 0xbffff780 0xb7ec6165 0xbffff788 0xb7eada75
0xbffff780: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff790: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff7a0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff7b0: 0x41414141 0x41414141 0x00414141 0xb7fd7ff4
0xbffff7c0: 0x080483f0 0x00000000 0xbffff848 0xb7eadc76
0xbffff7d0: 0x00000001 0xbffff874 0xbffff87c 0xb7fe1848
0xbffff7e0: 0xbffff830 0xffffffff 0xb7ffeff4 0x08048232
0xbffff7f0: 0x00000001 0xbffff830 0xb7ff0626 0xb7fffab0
0xbffff800: 0xb7fe1b28 0xb7fd7ff4 0x00000000 0x00000000
(gdb)
From the above, I think the buffer address is 0xbffff780, unlike what gdb prints:
(gdb) x/x buffer
0xbffff7d8: 0xbffff87c
So I cannot understand it. What is wrong?
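Added example, not part of the question or of the protostar exercise: a small Python script that parses the gdb `x/40x $esp` dump quoted above, locates where the 59 'A' bytes actually landed, reads the pointer main() stored at esp as the argument for gets(), and checks each candidate address against the frame bounds [esp, ebp) taken from `i r`. The dump rows and register values are copied from the question; nothing else is assumed.

```python
import re

# Constructed from the `x/40x $esp` dump in the question (rows up to the saved ebp).
GDB_DUMP = """\
0xbffff770: 0xbffff780 0xb7ec6165 0xbffff788 0xb7eada75
0xbffff780: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff790: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff7a0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff7b0: 0x41414141 0x41414141 0x00414141 0xb7fd7ff4
0xbffff7c0: 0x080483f0 0x00000000 0xbffff848 0xb7eadc76
"""

ESP, EBP = 0xbffff770, 0xbffff7c8  # register values from `i r` in the question

def parse_dump(text):
    """Return {address: 32-bit word} for every word in a gdb `x/Nx` dump."""
    words = {}
    for line in text.splitlines():
        m = re.match(r"(0x[0-9a-f]+):((?:\s+0x[0-9a-f]{8})+)", line)
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, w in enumerate(m.group(2).split()):
            words[base + 4 * i] = int(w, 16)
    return words

def find_fill_run(words, byte=0x41):
    """Start address and byte length of the longest run of `byte` (little-endian words)."""
    best, start, length = (None, 0), None, 0
    for addr in sorted(words):
        for k in range(4):  # bytes of the word, lowest address first
            if ((words[addr] >> (8 * k)) & 0xff) == byte:
                start = start if start is not None else addr + k
                length += 1
                best = max(best, (start, length), key=lambda t: t[1])
            else:
                start, length = None, 0
    return best

def in_frame(addr, esp=ESP, ebp=EBP):
    """A local of main() must lie in [esp, ebp): above esp, below the saved-ebp slot."""
    return esp <= addr < ebp

if __name__ == "__main__":
    words = parse_dump(GDB_DUMP)
    start, n = find_fill_run(words)
    print(f"'A' run starts at {start:#x} ({n} bytes); gets() argument at esp: {words[ESP]:#x}")
    print(f"0xbffff7d8 in frame? {in_frame(0xbffff7d8)}  0xbffff780 in frame? {in_frame(0xbffff780)}")
```

The word at esp is the pointer main() passed to gets() (`lea 0x10(%esp),%eax; mov %eax,(%esp)`), so it is the authoritative buffer address, and 0xbffff7d8 fails the frame check because it sits above the saved ebp.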