esp 3250


Implementation mechanism of the C++ exception mechanism

1. Call and return of C functions. To understand the implementation of the C++ exception mechanism, first understand the call and return mechanism of a function, which involves the ESP and EBP registers. Let's take a look at the function call and return process. The following is the assembly code for calling the function test(int p1, int p2) with the __stdcall calling convention; it assumes that, before the function is executed, the stack pointer

Experiment --- Disassembling a simple C program (Yeung Kwong)

represents the current EIP execution position) 1. At the beginning, EIP points to line 19, and EBP and ESP are at position 0 (the 0, 1, 2, 3, 4 on the right are set for convenient analysis). 2. pushl %ebp pushes the EBP value onto the stack. 3. movl %esp, %ebp assigns the ESP value to EBP. 4. subl $4, %esp moves esp

Unpacking methods and techniques for common packers (shells)

Unpacking methods: Method 1: single-step tracing. Method 2: the ESP law. Method 3: memory tracing. Method 4: tracing the exit. Method 5: last exception. Method 6: loose shell removal. The specific operations of the above methods are given at the bottom of the article. If you want to know more about them, you can check them out there and save time.

Rpcpatch worm code comments

nebbett.
; Call from 004012ce
:00402970 55            push ebp
:00402971 8BEC          mov ebp, esp
:00402973 81EC10020000  sub esp, 00000210
:00402979 56            push esi
:0040297A 8B35A8404000  mov esi, dword ptr [004040A8] ; ESI = kernel32.GetModuleFileNameA
:00402980 8D85F4FEFFFF  lea eax, dword ptr [ebp+FFFFFEF4]
:00402986 6804010000    push 00000104
:0040298B 50            push eax
:0040298C 6A00          push 00000000
:0040298E FFD6          call esi ; kernel32

What changes have occurred to the register when calling the function?

There has always been a vague concept here, so we use an example to strengthen memory. Linux x86, gcc 3.2.3, AT&T format. The code is as follows:

void fun()
{
    int a = 'a';
}

void main()
{
    int b;
    fun();
    return;
}

Start debugging:

[sanool@sanool ex2]$ gdb a.out
GNU gdb Red Hat Linux (6.0post-0.20031117.6rh)
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it un

Reverse Question of the greatest challenge of geeks in the fifth quarter (2)

Obtain the dialog box data and determine the length:

004011B5 |. 6A 14           push 0x14                        ; /Count = 14 (20.)
004011B7 |. 51              push ecx                         ; |Buffer = 0018F8B8
004011B8 |. 66:894424 2D    mov word ptr [esp+0x2D], ax      ; |
004011BD |. 68 E8030000     push 0x3E8                       ; |ControlID = 3E8 (1000.)
004011C2 |. 52              push edx                         ; |hWnd
004011C3 |. C64424 20 00    mov byte ptr [esp+0x20], 0x0     ; |
004011C8 |. 884424 37       mov byte ptr [

[Linux kernel analysis, week 1] Compiling a C program to observe how CPU registers interact with memory

Monensin, "Linux kernel analysis" first week experiment. Zou Le. Original work; please indicate the source when reproducing. Course information: "Linux kernel analysis" MOOC course http://mooc.study.163.com/course/USTC-1000029000 --------------------------- the body of the experiment --------------------------- This experiment is carried out on the 64-bit Linux virtual machine in the experimental building. The C code is as follows:

int increment5(int x) { return 5; }
int Solve(int x) { return 2; }
int main(

"Linux system Kernel Analysis" lab report 1

[screenshots omitted] The following is an analysis of the stack registers using GDB stepping. First we start with the main function. (The first two statements do not have breakpoints set when GDB executes, but the statements that execute the function have these 2, which are put in other functions to illustrate.) First set a breakpoint on the main function and run: [screenshot omitted]

"Linux system Kernel Analysis" lab report 1

[screenshots omitted] The following is an analysis of the stack registers using GDB stepping. First we start with the main function. (The first two statements do not have breakpoints set when GDB executes, but the statements that execute the function have these 2, which are put in other functions to illustrate.) First set a breakpoint on the main function and run: [screenshot omitted]

Linux signal mechanism: changes in the user stack and kernel stack

hex@gentoo ~/signal $ kill -INT 4639

2.3 The program stops at the breakpoint after receiving the signal

Breakpoint 1, sig_int (signo=2) at sigint.c:6
6       {
(gdb) i r esp
esp            0xbfffe7ec       0xbfffe7ec
(gdb) x/40a 0xbfffe7ec
0xbfffe7ec:     0xb7fff400      0x2     0x33    0x0
0xbfffe7fc:     0x7b    0x7b    0x8048930
0xbfffe80c:     0xbfffed58      0xbfffed40      0x0     0x0
0xbfffe81c:     0xbfffec18      0x0     0x0     0x0
0xbfffe82c:     0x8048336
0xbfffe83c:     0x7b    0xb

How to locate crashes of release executables on Linux

Generate an assembly file using objdump; through the corresponding address, you can find out which function has the problem. As for the suspected code, you need to build a unit test based on the analysis, or re-release the code for testing. A specific example of the process is as follows:

objdump -d ##.so > ##.o
vim ##.o

6  libTaps2.so + 0xa452d

./minidump_stackwalk 7ee5c76f-afe2-f9bd-564dedb7-57d73e0c.dmp

Thread 7 (crashed)
 0  linux-gate.so + 0x430
    eip = 0xb78b4430

Xitami If-Modified-Since command vulnerability analysis and exploitation

" command to set a breakpoint under the accept function, and analyze the code to find the cause of the vulnerability as follows.

.text:0041AA20 mov     eax, [esp+arg_0]
.text:0041AA24 mov     eax, [eax+18h]
.text:0041AA27 mov     dword_4B0F7C, eax
.text:0041AA2C cmp     word ptr [eax+98h], 0
.text:0041AA34 jz      short loc_41AA56      ; The condition is true
.text:0041AA56 mov     edx, [eax+4Ch]        ; "A" constructed data
.text:0041AA59 push    offset s_If-modified-

Function calling conventions

__stdcall, __cdecl, __fastcall (VC6.0):

int __stdcall/__cdecl/__fastcall Add(int x, int y)
{
    return x + y;
}

void main()
{
    Add(2, 3);
}

1. __stdcall:

1:    int __stdcall Add(int x, int y)
2:    {
00401020   push        ebp
00401021   mov         ebp,esp
00401023   sub         esp,40h
00401026   push        ebx
00401027   push        esi
00401028   push        edi
00401029   lea         edi,[ebp-40h]
0040102C   mov         ecx,10h
00401031   mov         eax,0CCCCCCCCh
00401036   rep stos    dword ptr [edi]
3:        return x+y;
00401038   mov         eax,dword ptr [ebp+8]
0040103B

Message processing of an MFC program

, esi
73D311B9   FF50 60          call dword ptr ds:[eax+60]   ; PreTranslateMessage (message preprocessing)
73D311BC   85C0             test eax, eax
73D311BE   75 0E            jnz short MFC42.73D311CE
73D311C0   57               push edi                     ; message preprocessing returns FALSE
73D311C1   FF15 ACB6DC73    call dword ptr ds:[
73D311C7   57               push edi
73D311C8   FF15 30B6DC73    call dword ptr ds:[
73D311CE   6A 01            push 1                       ; return TRUE
73D311D0   58               pop eax
73D311D1   5F               pop edi
73D311D2   5E               pop esi
73D311D3   C3               retn

Tip: A. After the program is loaded in OD, call up the MFC42.dll modul

Analysis of the principles of PE format file compilation links

*): disassemble the code section of A.obj. Open the URSoft W32Dasm tool (I use version 8.93). Select "all files" when opening the file, because the software mainly targets file formats such as PE, LE, and NE, so the offset must be specified to disassemble the OBJ file. Pay attention to the above! (Note: another way to obtain this information is to use dumpbin /section:.text.) That is, the file offset of the code section. Therefore, in the prompt dialog box that opens the OBJ file, enter 00000355. Start disassembly f

__stdcall and __cdecl function calls are different (__stdcall, __cdecl)

__stdcall and __cdecl function calls are different. References: http://blog.csdn.net/hudashi/article/details/7820338 http://shitou7630.blog.163.com/blog/static/32699536201342110155436/ http://www.cnblogs.com/52yixin/archive/2011/06/29/2093634.html http://blog.csdn.net/mniwc/article/details/7993361 http://www.cnblogs.com/coderzh/archive/2008/12/01/1345053.html http://blog.sina.com.cn/s/blog_6f6769b50100uhzz.html https://msdn.microsoft.com/zh-cn/library/ms235286.aspx (Owed by: spring

6. Assembly language basics: summary and comparison of call stacks and the various calling conventions

Call stack. The concept of a stack is explained in detail in data structures courses; here are some key points: 1. First in first out. 2. Data can always be stored on or retrieved from the top of the stack. In the x86 processor, the push instruction pushes onto the stack. Pushing an item onto the top of the stack decreases the stack top pointer by four bytes. The stack top pointer is stored in the register esp. Correspondingly, the register name is the abbreviation of s

Buffer Overflow Analysis Lesson No. 03: The use of buffer overflow

. Even the punctuation on the keyboard can be added to the test code, arranged in the order of the ASCII table, so that more space is verified at once. Look for an appropriate address to overwrite the original return address. What we need to do now is to determine what the last four "X" in "jiangyejiangxxxx" should be. Here we cannot create an address out of thin air; it should be based on a legitimate address. Of course, we can find many suitable addresses through the o

C++ Stack Guide

such as bytes, words, double words, and Booleans occupies 4 bytes on the stack, and data larger than 4 bytes occupies an integer multiple of 4 bytes on the stack. 3) The two registers associated with stack operations are the EBP register and the ESP register; in this article you only need to interpret EBP and ESP as two pointers. The ESP register always poin

Linux kernel analysis: how the operating system works

"Peace of Blessing" + Original work; please specify the source when reproducing + "Linux kernel analysis" MOOC course http://mooc.study.163.com/course/USTC-1000029000. First, the process of initialization. The operating system kernel boot entry function is void __init my_start_kernel(void); Here is a simple definition of the two CPU states of a process:

struct Thread {
    unsigned long ip;   // represents EIP, the instruction pointer
    unsigned long sp;   // represents ESP, the stack top poin

