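/*
 * Demonstration: an out-of-bounds store on a 1-element stack array.
 *
 * a[1] is one past the end of a[], which is undefined behavior. It is kept
 * here because the disassembly that follows shows where the stray store
 * lands on this 32-bit build: a[0] is at -0x4(%ebp) and the write to a[1]
 * goes to 0x0(%ebp), the slot holding the caller's saved %ebp. This is the
 * classic stack-buffer-overflow shape that corrupts the frame chain.
 *
 * Returns 1 unconditionally (the value is only a marker in the listing).
 */
int main(void)
{
    int a[1];

    a[0] = 2;
    a[1] = 3; /* out of bounds: overwrites the saved frame pointer (UB) */
    return 1;
}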
objdump 反汇编结果如下：
080483b4 <main>:
80483b4: 55 push %ebp
80483b5: 89 e5 mov %esp,%ebp
80483b7: 83 ec 10 sub $0x10,%esp
80483ba: c7 45 fc 02 00 00 00 movl $0x2,-0x4(%ebp)
80483c1: c7 45 00 03 00 00 00 movl $0x3,0x0(%ebp)
80483c8: b8 01 00 00 00 mov $0x1,%eax
80483cd: c9 leave
80483ce: c3 ret
80483cf: 90 nop
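/*
 * Demonstration: initialising a single char from a string literal.
 *
 * `char s = "hello,world!"` converts the literal's *address* to a char, so s
 * receives only the low byte of that address, not any text. The disassembly
 * below shows exactly that: the address 0x8048490 is loaded into %eax and
 * only %al is stored to -0x1(%ebp). The characters themselves stay in the
 * read-only data dumped after <_IO_stdin_used>. Kept as written to show the
 * mistake; holding a string needs `const char *s` or `char s[]`.
 *
 * Returns 1 unconditionally (the value is only a marker in the listing).
 */
int main(void)
{
    char s = "hello,world!"; /* pointer -> char: keeps one byte of the address */

    (void)s; /* s is never read; silence the unused-variable warning */
    return 1;
}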
objdump 反汇编结果如下：
080483b4 <main>:
80483b4: 55 push %ebp
80483b5: 89 e5 mov %esp,%ebp
80483b7: 83 ec 10 sub $0x10,%esp
80483ba: b8 90 84 04 08 mov $0x8048490,%eax
80483bf: 88 45 ff mov %al,-0x1(%ebp)
80483c2: b8 01 00 00 00 mov $0x1,%eax
80483c7: c9 leave
80483c8: c3 ret
……
0804848c <_IO_stdin_used>:
804848c: 01 00 add %eax,(%eax)
804848e: 02 00 add (%eax),%al
8048490: 68 65 6c 6c 6f push $0x6f6c6c65
8048495: 2c 77 sub $0x77,%al
8048497: 6f outsl %ds:(%esi),(%dx)
8048498: 72 6c jb 8048506<__FRAME_END__+0x66>
804849a: 64 21 00 and %eax,%fs:(%eax)
由反汇编可知，地址 0x8048490 到 0x804849a 就是字符串 "hello,world!" 的存储位置。
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
//#include<linux/kernel.h>
//#include<linux/unistd.h>
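/*
 * Demonstration: issuing the write(2) system call through syscall(2)
 * instead of the libc wrapper write().
 *
 * Arguments, left to right: the system-call number (SYS_write, which is 4 on
 * 32-bit x86 — the `movl $0x4,(%esp)` in the disassembly), file descriptor 1
 * (stdout), the buffer address, and the byte count. The count is 13: twelve
 * visible characters plus '\n'; the terminating NUL is deliberately not
 * written. An equivalent libc call would be write(1, msg, 13).
 *
 * The system call's result is stored but not examined; main returns 1
 * unconditionally (the value is only a marker in the listing).
 */
int main(void)
{
    static const char msg[] = "hello,world!\n";
    long written;

    /* sizeof msg counts the NUL; subtract one so only the text is written. */
    written = syscall(SYS_write, 1, msg, sizeof msg - 1);
    (void)written;
    return 1;
}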
其 objdump 反汇编结果如下：
080483e4 <main>:
80483e4: 55 push %ebp
80483e5: 89 e5 mov %esp,%ebp
80483e7: 83 e4 f0 and $0xfffffff0,%esp
80483ea: 83 ec 20 sub $0x20,%esp
80483ed: c7 44 24 0c 0d 00 00 movl $0xd,0xc(%esp)
80483f4: 00
80483f5: c7 44 24 08 e0 84 04 movl $0x80484e0,0x8(%esp)
80483fc: 08
80483fd: c7 44 24 04 01 00 00 movl $0x1,0x4(%esp)
8048404: 00
8048405: c7 04 24 04 00 00 00 movl $0x4,(%esp)
804840c: e8 eb fe ff ff call 80482fc <syscall@plt>
8048411: 89 44 24 1c mov %eax,0x1c(%esp)
8048415: b8 01 00 00 00 mov $0x1,%eax
804841a: c9 leave
804841b: c3 ret
其中 "movl $0xd,0xc(%esp)" 传入的是字节数参数 13。为什么是 13 而不是 12？因为字符串末尾还有一个换行符，所以传入的字节数要把换行符算进去（12 个可见字符加 1 个 '\n'，不含结尾的 '\0'），否则换行符会丢失。
"movl $0x80484e0,0x8(%esp)" 传入的是字符串所在的地址（见下面 0x80484e0 处的数据）：
080484dc <_IO_stdin_used>:
80484dc: 01 00 add %eax,(%eax)
80484de: 02 00 add (%eax),%al
80484e0: 68 65 6c 6c 6f push $0x6f6c6c65
80484e5: 2c 77 sub $0x77,%al
80484e7: 6f outsl %ds:(%esi),(%dx)
80484e8: 72 6c jb 8048556<__FRAME_END__+0x66>
80484ea: 64 21 0a and %ecx,%fs:(%edx)
"movl $0x1,0x4(%esp)" 传入的是标准输出的文件描述符 1；"movl $0x4,(%esp)" 传入的是系统调用号 4（即 write）；最后 "call 80482fc <syscall@plt>" 经由 PLT 调用 libc 的 syscall 函数：
080482fc <syscall@plt>:
80482fc: ff 25 00 a0 04 08 jmp *0x804a000
8048302: 68 00 00 00 00 push $0x0
8048307: e9 e0 ff ff ff jmp 80482ec <_init+0x30>
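/*
 * Demonstration: sizeof applied to a pointer object.
 *
 * sizeof(p) is the size of the pointer itself, not of the int it points to.
 * On the 32-bit target disassembled below it is 4 (`movl $0x4,-0x8(%ebp)`);
 * a 64-bit build would give 8. The pointer's value (null here) does not
 * affect the result, which the compiler folds to a constant at compile time.
 *
 * Returns sizeof(p), i.e. 4 on this target.
 */
int main(void)
{
    int *p = 0;
    int a = (int)sizeof(p); /* explicit size_t -> int narrowing */

    return a;
}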
其 objdump 反汇编结果如下：
080483b4 <main>:
80483b4: 55 push %ebp
80483b5: 89 e5 mov %esp,%ebp
80483b7: 83 ec 10 sub $0x10,%esp
80483ba: c7 45 fc 00 00 00 00 movl $0x0,-0x4(%ebp)
80483c1: c7 45 f8 04 00 00 00 movl $0x4,-0x8(%ebp)
80483c8: 8b 45 f8 mov -0x8(%ebp),%eax
80483cb: c9 leave
80483cc: c3 ret
由于最近正在研究 Linux 嵌入式移植，关于内联汇编与 ARM 汇编的内容后面再写。