ESP - 4 return-address 0 0 C 4 d 8 E 12 @ 1 16 @ 2 ------------
EIP indicates the current command location when the function is called. When the function returns, we need to pop this eip and continue executing the next command of EIP.ESP indicates the starting position of the variable space of the current function when the function is called, that is, the caller's esp. When the functi
point where it is called-compile the *///template code after the call, and tell the compiler that it starts the generic programming//typename tells the compiler that the type name is T compiler you see type T don't mess up the error .... T is type, type is parameterized just templateThe g++-s 1.cpp generates 1.SAnalysis 1.s. File "1.cpp". Lcomm __zstl8__ioinit, 1, 1.def ___main;. SCL 2;. Type 32;. Endef.section.rdata, "Dr" Lc2:.ascii "hello....\0" LC3:. ASCII "Pause\0". Text. Globl _main. def _
;
uint32_t tf_eflags; /* below here is crossing rings, such as from user to kernel, defined by hardware///only if the privilege level change occurs, the additional information here is guaranteed by the hardware pressure stack
Save uintptr_t Tf_esp; uint16_t Tf_ss;
uint16_t Tf_padding5;
} struct Context {uint32_t eip;
uint32_t esp;
uint32_t ebx;
uint32_t ecx;
uint32_t edx;
uint32_t ESI;
uint32_t EDI;
uint32_t EBP; }
4 bytes are filled with EBP, the last 4 bytes are filled with the RET address, so it is supposed that the EIP here should be 0x65656565, then why is this 0x61616161, just the value of AAAA?According to the results of single step debugging, it is found that the EIP becomes 0x61616161 after the main function exits, and the EIP becomes 0x65656565 when the overflow exits.Why does overflow return to the main function after exiting? Possible cause: The input string does not overwrite the RET address,
will break down the BPX shell_policyicona breakpoint and use F12 to check if the software is called and the parameters are used!
First come to the following:
Here is where the software is called at startup:
* Possible reference to string resource id = 00114: "CCProxy"|: 00408770 6a72 push 00000072: 00408772 51 push ECx: 00408773 c681_f0000000005 mov byte PTR [esp + 000024f4], 05: 0040877b e8c0890100 call 00421140: 00408780 83c408 add
instruction and the program3. Put the written program and data into memory and start the computer work.The CPU work process can be broadly divided into three steps: Take the instruction, analyze the instruction and execute the instruction. Where the staging of both the instruction data and the address occurs in the register. The main object of assembly language is register. The register of the CPU is mainly divided into general register, control register and segment register three kinds. The In
]} Access to the address in the topic, you can get a file, open after The file header is a lpck, do not know what format, but after seeing the MZ head. Delete all the parts before the MZ head, and successfully get an EXE. Requires input password. No way, just throw it into Ida ... find the key sections below: . text:00401363 mov [esp+5ch+var_5c], offset apassword; "Password:" . text:0040136a Call puts . text:0040136f Lea EAX, [
and other hardware. How to drive these hardware is done by software.
Programming is done on the basis of the operating system through the operation of the Code and then compiled by the compiler to execute.
In Linux we have a disassembly to test how C code is converted into assembly code.
We do this on the lab floor, the C code is a simple three function (a main function and two called functions):
Disassembly with GCC under Linux:
Gcc-s-O main.s main.c-m32
You can get the assembly-level code f
network security. Because VLANs can isolate broadcast, different VLANs cannot communicate with each other, so they have a certain degree of security.
5. Port isolation
With the port isolation feature, you can add the ports to be controlled to an isolation group to isolate ports in the isolation group from Layer 2 and Layer 3 data, enhancing network security, it also provides users with flexible networking solutions. Currently, only one isolation group can be set up for one device. The number of
causes some data on the stack to be overwritten. This results in a buffer overflow crisis:int getbuf(){ char buf[12]; Gets(buf); return1;}2.2 Buffer Stack AnalysisBefore you start a real "attack". Let's start by analyzing what the stack looks like when Bufbomb calls Getbuf ().Only a comprehensive understanding of the stack structure. We were able to "attack" it at our own pace at the back of the experiment.First, through the Objdump disassembly Getbuf () function:[Email protected] bufb
We all know that local variables are stored in the stack during the C language operation, and the space is allocated from high to low.
However, recently I encountered a program that made me a little confused.
First look at a program.
Obviously, addresses are allocated from high to low, just as expected.
Modify it a little and then run it.
Obviously, from low to high !!!
Clarify the problem: the stack should change the memory allocation mode for the memory occupied by local variables.
Why? W
Prior Knowledge
Static variables are stored in static storage, local variables are stored in dynamic storage (stacks), code is stored in code area
Register, EBP points to the bottom, esp points to the top of the stack, the EIP points to the next instruction that is executing the instruction, three registers are stored in the address, 32-bit system, the address is 4 bytes is a DWORD
All statements written in the function definition are
switching the most important is the broker's storehouses Switch and EIP (that is, program counters) the correct jump, mymain.c in the function My_start_kernel is the first code to execute, so from this function to start analysis. The My_start_kernel function first established 4 processes and initialization, such as the allocation stack, note that at the time of the first set up only No. 0 process status is runuable, the rest are unrunnable. There is the PCB structure of the THREAP.SP, each proc
# The lower half of the interrupt.Common_interrupt:Addl $-0x80, (% esp)/* Adjust vector into the [-256,-1] range */# Adjust the interrupt number to 0 ~ The value range is 255.SAVE_ALLTRACE_IRQS_OFFMovl % esp, % eaxCall do_IRQ # process the Interrupt Routine.Jmp ret_from_intrENDPROC (common_interrupt)
Unsigned int _ irq_entry do_IRQ (struct pt_regs * regs){Struct pt_regs * old_regs = set_irq_regs (regs );
/*
obvious. First, you must write code for every API function that you are interested in. Second, you cannot HOOK all the API functions, due to the lack of complete API call sequence for reference, some small actions may be missed during log analysis.Another idea is to use the debugging technology to set breakpoints in advance at the entrances of all introduced DLL functions, and obtain parameters through stack information during debugging. Both IDA pro and OllyDbg can be used for dynamic debuggin
% instead of D.36 call _ Test37. Push eax; assume that the address of push eax is XXX.38 push offset sztextfmt39 call printf40 add ESP, 841 RET42_main endp43end _ main4445; /**///////////////////////////////////// //// // The stack changes are described below46
The first thing to understand is that the operation of the stack segment SS can only use ESP or EBP registers, other registers eax ebx edx and so o
Document directory
1. Function Parameters
3. Reference
This article is based on Win32 compilation.1. Function Parameters
The growth direction of function stack is opposite to that of address, from high address to low address. ESP points to the top of the function stack, and EBP points to the bottom of the function stack.
Sub esp xxx pushes memory blocks of XXX length into the stack
Add
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.