逆向-beginners之数组负值索引
#include
/*
* 数组的负数索引值完全不阻碍寻址。例如:array[-1]实际上表示数据array起始地址之前的存储空间!
*/
int main()
{
int random_value = 0x11223344;
unsigned char array[10];
int i;
unsigned char *fakearray = &array[-1];
for (i = 0; i < 10; i++)
array[i] = i;
printf("first element %d\n", fakearray[1]); // 0
printf("second element %d\n", fakearray[2]); // 1
printf("last element %d\n", fakearray[10]); // 9
printf("array[-1] = %02X, array[-2]=%02X, array[-3]=%02X, array[-4] = %02X\n",
array[-1], array[-2], array[-3], array[-4]); // 随机值
}
#if 0
/*
* intel
*/
0000000000001169
1169: f3 0f 1e fa endbr64
116d: 55 push %rbp
116e: 48 89 e5 mov %rsp,%rbp
1171: 48 83 ec 30 sub $0x30,%rsp
1175: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax
117c: 00 00
117e: 48 89 45 f8 mov %rax,-0x8(%rbp)
1182: 31 c0 xor %eax,%eax
1184: c7 45 dc 44 33 22 11 movl $0x11223344,-0x24(%rbp) // (rbp-0x24)=0x11223344 random_value
118b: 48 8d 45 ee lea -0x12(%rbp),%rax // rax=rbp-0x12 array
118f: 48 83 e8 01 sub $0x1,%rax // rax=rbp-0x12-0x1
1193: 48 89 45 e0 mov %rax,-0x20(%rbp) // (rbp-0x20)=rbp-0x12-0x1 fakearray
1197: c7 45 d8 00 00 00 00 movl $0x0,-0x28(%rbp) // x=0x0
119e: eb 12 jmp 11b2
11a0: 8b 45 d8 mov -0x28(%rbp),%eax // eax=x
11a3: 89 c2 mov %eax,%edx // edx=x
11a5: 8b 45 d8 mov -0x28(%rbp),%eax // eax=x
11a8: 48 98 cltq
11aa: 88 54 05 ee mov %dl,-0x12(%rbp,%rax,1) // (rbp+x*1-0x12)=x
11ae: 83 45 d8 01 addl $0x1,-0x28(%rbp) // x++
11b2: 83 7d d8 09 cmpl $0x9,-0x28(%rbp) // 0x9-x
11b6: 7e e8 jle 11a0
11b8: 48 8b 45 e0 mov -0x20(%rbp),%rax // rax=rbp-0x12-0x1
11bc: 48 83 c0 01 add $0x1,%rax // rax=rbp-0x12
11c0: 0f b6 00 movzbl (%rax),%eax // eax=(rax)
11c3: 0f b6 c0 movzbl %al,%eax // eax=al
11c6: 89 c6 mov %eax,%esi
11c8: 48 8d 3d 39 0e 00 00 lea 0xe39(%rip),%rdi # 2008 <_IO_stdin_used+0x8>
11cf: b8 00 00 00 00 mov $0x0,%eax
11d4: e8 97 fe ff ff callq 1070
11d9: 48 8b 45 e0 mov -0x20(%rbp),%rax // rax=rbp-0x12-0x1
11dd: 48 83 c0 02 add $0x2,%rax // rax=rbp-0x12+0x1
11e1: 0f b6 00 movzbl (%rax),%eax // eax=(rax)
11e4: 0f b6 c0 movzbl %al,%eax // eax=al
11e7: 89 c6 mov %eax,%esi
11e9: 48 8d 3d 2a 0e 00 00 lea 0xe2a(%rip),%rdi # 201a <_IO_stdin_used+0x1a>
11f0: b8 00 00 00 00 mov $0x0,%eax
11f5: e8 76 fe ff ff callq 1070
11fa: 48 8b 45 e0 mov -0x20(%rbp),%rax
11fe: 48 83 c0 0a add $0xa,%rax // rax=rbp-0x12+0xa
1202: 0f b6 00 movzbl (%rax),%eax
1205: 0f b6 c0 movzbl %al,%eax
1208: 89 c6 mov %eax,%esi
120a: 48 8d 3d 1c 0e 00 00 lea 0xe1c(%rip),%rdi # 202d <_IO_stdin_used+0x2d>
1211: b8 00 00 00 00 mov $0x0,%eax
1216: e8 55 fe ff ff callq 1070
121b: 0f b6 45 ea movzbl -0x16(%rbp),%eax
121f: 0f b6 f0 movzbl %al,%esi
1222: 0f b6 45 eb movzbl -0x15(%rbp),%eax
1226: 0f b6 c8 movzbl %al,%ecx
1229: 0f b6 45 ec movzbl -0x14(%rbp),%eax
122d: 0f b6 d0 movzbl %al,%edx
1230: 0f b6 45 ed movzbl -0x13(%rbp),%eax
1234: 0f b6 c0 movzbl %al,%eax
1237: 41 89 f0 mov %esi,%r8d
123a: 89 c6 mov %eax,%esi
123c: 48 8d 3d fd 0d 00 00 lea 0xdfd(%rip),%rdi # 2040 <_IO_stdin_used+0x40>
1243: b8 00 00 00 00 mov $0x0,%eax
1248: e8 23 fe ff ff callq 1070
124d: b8 00 00 00 00 mov $0x0,%eax
1252: 48 8b 4d f8 mov -0x8(%rbp),%rcx
1256: 64 48 33 0c 25 28 00 xor %fs:0x28,%rcx
125d: 00 00
125f: 74 05 je 1266
1261: e8 fa fd ff ff callq 1060 <__stack_chk_fail@plt>
1266: c9 leaveq
1267: c3 retq
1268: 0f 1f 84 00 00 00 00 nopl 0x0(%rax,%rax,1)
126f: 00
/*
* arm
*/
000000000040055c
40055c: a9bd7bfd stp x29, x30, [sp, #-48]!
400560: 910003fd mov x29, sp
400564: 52866880 mov w0, #0x3344 // #13124
400568: 72a22440 movk w0, #0x1122, lsl #16
40056c: b9002ba0 str w0, [x29, #40] // a=0x11223344
400570: 910043a0 add x0, x29, #0x10 // array=x29+0x10
400574: d1000400 sub x0, x0, #0x1 // x0=x29+0x10-0x1
400578: f90013a0 str x0, [x29, #32] // f=[x29+32]=x29+0x10-0x1
40057c: b9002fbf str wzr, [x29, #44] // [x29+44]=x=0
400580: 14000009 b 4005a4
400584: b9402fa0 ldr w0, [x29, #44] // x=[x29+44]
400588: 12001c02 and w2, w0, #0xff // x=x&0xff
40058c: b9802fa0 ldrsw x0, [x29, #44] // x0=[x29+44]
400590: 910043a1 add x1, x29, #0x10 // x1=x29+0x10
400594: 38206822 strb w2, [x1, x0] // [x1+x0]=[x29+0x10+x]=x
400598: b9402fa0 ldr w0, [x29, #44] // w0=x
40059c: 11000400 add w0, w0, #0x1 // x++
4005a0: b9002fa0 str w0, [x29, #44] // [x29+44]=x
4005a4: b9402fa0 ldr w0, [x29, #44] // w0=x
4005a8: 7100241f cmp w0, #0x9 // x-0x8
4005ac: 54fffecd b.le 400584
4005b0: f94013a0 ldr x0, [x29, #32] // x0=f=x29+0x10-0x1
4005b4: 91000400 add x0, x0, #0x1 // x0=x29+0x10
4005b8: 39400000 ldrb w0, [x0] // w0=[x29+0x10]
4005bc: 2a0003e1 mov w1, w0 // w1=w0
4005c0: 90000000 adrp x0, 400000 <_init-0x3e8>
4005c4: 911bc000 add x0, x0, #0x6f0 // "%d\n"
4005c8: 97ffffa2 bl 400450
4005cc: f94013a0 ldr x0, [x29, #32] // x0=x29+0x10-0x1
4005d0: 91000800 add x0, x0, #0x2 // x0=0x28+0x10+0x1
4005d4: 39400000 ldrb w0, [x0]
4005d8: 2a0003e1 mov w1, w0
4005dc: 90000000 adrp x0, 400000 <_init-0x3e8>
4005e0: 911c2000 add x0, x0, #0x708
4005e4: 97ffff9b bl 400450
4005e8: f94013a0 ldr x0, [x29, #32] // x0=x29+0x10-0x1
4005ec: 91002800 add x0, x0, #0xa // x0=0x28+0x10+0x9
4005f0: 39400000 ldrb w0, [x0]
4005f4: 2a0003e1 mov w1, w0
4005f8: 90000000 adrp x0, 400000 <_init-0x3e8>
4005fc: 911c8000 add x0, x0, #0x720
400600: 97ffff94 bl 400450
400604: 39403fa0 ldrb w0, [x29, #15]
400608: 2a0003e1 mov w1, w0
40060c: 39403ba0 ldrb w0, [x29, #14]
400610: 2a0003e2 mov w2, w0
400614: 394037a0 ldrb w0, [x29, #13]
400618: 2a0003e3 mov w3, w0
40061c: 394033a0 ldrb w0, [x29, #12]
400620: 2a0003e4 mov w4, w0
400624: 90000000 adrp x0, 400000 <_init-0x3e8>
400628: 911ce000 add x0, x0, #0x738
40062c: 97ffff89 bl 400450
400630: 52800000 mov w0, #0x0 // #0
400634: a8c37bfd ldp x29, x30, [sp], #48
400638: d65f03c0 ret
40063c: 00000000 .inst 0x00000000 ; undefined
#endif