1214: f3 0f 1e fa endbr64
1218: 55 push %rbp
1219: 48 89 e5 mov %rsp,%rbp
121c: b8 00 00 00 00 mov $0x0,%eax
1221: e8 43 ff ff ff callq 1169
1226: 90 nop
1227: 5d pop %rbp
1228: c3 retq
1229: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
逆向-attack之数组越界
#include
#include
void world()
{
int i = 0;
int a[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};
for (i = 0; i <= 10; i++) {
a[i] = 0;
printf("Hello World.\n");
}
}
void main()
{
world();
}
#if 0
/*
* intel
*/
0000000000001169
1169: f3 0f 1e fa endbr64
116d: 55 push %rbp
116e: 48 89 e5 mov %rsp,%rbp
1171: 48 83 ec 40 sub $0x40,%rsp
1175: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax
117c: 00 00
117e: 48 89 45 f8 mov %rax,-0x8(%rbp)
1182: 31 c0 xor %eax,%eax // eax=0
1184: c7 45 cc 00 00 00 00 movl $0x0,-0x34(%rbp) // i=0
118b: c7 45 d0 01 00 00 00 movl $0x1,-0x30(%rbp) // a[0]=1
1192: c7 45 d4 02 00 00 00 movl $0x2,-0x2c(%rbp) // a[1]=2
1199: c7 45 d8 03 00 00 00 movl $0x3,-0x28(%rbp) // a[2]=3
11a0: c7 45 dc 04 00 00 00 movl $0x4,-0x24(%rbp) // a[3]=4
11a7: c7 45 e0 05 00 00 00 movl $0x5,-0x20(%rbp) // a[4]=5
11ae: c7 45 e4 06 00 00 00 movl $0x6,-0x1c(%rbp) // a[5]=6
11b5: c7 45 e8 07 00 00 00 movl $0x7,-0x18(%rbp) // a[6]=7
11bc: c7 45 ec 08 00 00 00 movl $0x8,-0x14(%rbp) // a[7]=8
11c3: c7 45 f0 09 00 00 00 movl $0x9,-0x10(%rbp) // a[8]=9
11ca: c7 45 f4 0a 00 00 00 movl $0xa,-0xc(%rbp) // a[9]=10
11d1: c7 45 cc 00 00 00 00 movl $0x0,-0x34(%rbp) // i=0
11d8: eb 1d jmp 11f7
11da: 8b 45 cc mov -0x34(%rbp),%eax // eax=i
11dd: 48 98 cltq // eax=i
11df: c7 44 85 d0 00 00 00 movl $0x0,-0x30(%rbp,%rax,4) // (rbp+i*4)-0x30=a[i]=0
11e6: 00
11e7: 48 8d 3d 16 0e 00 00 lea 0xe16(%rip),%rdi # 2004 <_IO_stdin_used+0x4> rdi="Hello World."
11ee: e8 6d fe ff ff callq 1060
11f3: 83 45 cc 01 addl $0x1,-0x34(%rbp) // i++
11f7: 83 7d cc 0a cmpl $0xa,-0x34(%rbp) // i - 0xa ?= 0, [ CF PF AF SF IF ]
11fb: 7e dd jle 11da
11fd: 90 nop
11fe: 48 8b 45 f8 mov -0x8(%rbp),%rax
1202: 64 48 33 04 25 28 00 xor %fs:0x28,%rax
1209: 00 00
120b: 74 05 je 1212
120d: e8 5e fe ff ff callq 1070 <__stack_chk_fail@plt>
1212: c9 leaveq
1213: c3 retq
0000000000001214
1214: f3 0f 1e fa endbr64
1218: 55 push %rbp
1219: 48 89 e5 mov %rsp,%rbp
121c: b8 00 00 00 00 mov $0x0,%eax
1221: e8 43 ff ff ff callq 1169
1226: 90 nop
1227: 5d pop %rbp
1228: c3 retq
1229: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
/*
* arm
*/
000000000040055c
40055c: a9bc7bfd stp x29, x30, [sp, #-64]!
400560: 910003fd mov x29, sp
400564: b9003fbf str wzr, [x29, #60] // i=0
400568: 90000000 adrp x0, 400000 <_init-0x3e8>
40056c: 911ac001 add x1, x0, #0x6b0 // x1=0x406b0={1-10}
400570: 910043a0 add x0, x29, #0x10 // x0=x29+0x10
400574: a9400c22 ldp x2, x3, [x1] // 1, 2, 3, 4
400578: a9000c02 stp x2, x3, [x0] // 0x10 0x14 0x18 0x1c
40057c: a9410c22 ldp x2, x3, [x1, #16] // 5, 6, 7, 8
400580: a9010c02 stp x2, x3, [x0, #16] // 0x10+0x10=0x20 0x24 0x28 0x2c
400584: f9401021 ldr x1, [x1, #32] // 9, 10
400588: f9001001 str x1, [x0, #32] // 0x10+0x20=0x30 0x34
40058c: b9003fbf str wzr, [x29, #60] // i=0
400590: 1400000b b 4005bc
400594: b9803fa0 ldrsw x0, [x29, #60] // x0=i
400598: d37ef400 lsl x0, x0, #2 // x0=i<<2
40059c: 910043a1 add x1, x29, #0x10 // x1=x29+0x10
4005a0: b820683f str wzr, [x1, x0] // x29+0x10+i<<2=0
4005a4: 90000000 adrp x0, 400000 <_init-0x3e8>
4005a8: 911a8000 add x0, x0, #0x6a0 // 0x4006a0="Hello World."
4005ac: 97ffffa9 bl 400450
4005b0: b9403fa0 ldr w0, [x29, #60] // w0=i
4005b4: 11000400 add w0, w0, #0x1 // i++
4005b8: b9003fa0 str w0, [x29, #60] // save i
4005bc: b9403fa0 ldr w0, [x29, #60] // w0=i
4005c0: 7100281f cmp w0, #0xa // i-0xa
4005c4: 54fffe8d b.le 400594
4005c8: d503201f nop
4005cc: a8c47bfd ldp x29, x30, [sp], #64
4005d0: d65f03c0 ret
00000000004005d4
4005d4: a9bf7bfd stp x29, x30, [sp, #-16]!
4005d8: 910003fd mov x29, sp
4005dc: 97ffffe0 bl 40055c
4005e0: d503201f nop
4005e4: a8c17bfd ldp x29, x30, [sp], #16
4005e8: d65f03c0 ret
4005ec: 00000000 .inst 0x00000000 ; undefined
#endif