based on the operand size to generate assembly code. At the Assembly language level, this set of General registers is referenced with % e (ATT syntax) or directly starting with e (Intel syntax), such as mov $5, % eax or mov eax, 5: Assign the value of "Number 5" to register % eax. In x86 processors, the EIP (Instruction Pointer) is the Instruction register pointing to the Instruction address (offset in the code segment) waiting for execution under the processor ), the EIP value of each Assembly
Address: http://www.cppblog.com/liu1061/articles/53762.html
If you are on a Linux platform, you can use GDB for disassembly and debugging. (Transfer)
2. The simplest CCodeAnalysis
To simplify the problem, analyze the compilation code generated by the simplest C code:# Vi test1.cInt main (){Return 0;}CompileProgramTo generate binary files:# GCC test1.c-O test1# File test1Test1: Elf 32-bit LSB executable 80386 version 1, dynamically linked, not stripped
Test1 is an executable file in the EL
point where it is called-compile the *///template code after the call, and tell the compiler that it starts the generic programming//typename tells the compiler that the type name is T compiler you see type T don't mess up the error .... T is type, type is parameterized just templateThe g++-s 1.cpp generates 1.SAnalysis 1.s. File "1.cpp". Lcomm __zstl8__ioinit, 1, 1.def ___main;. SCL 2;. Type 32;. Endef.section.rdata, "Dr" Lc2:.ascii "hello....\0" LC3:. ASCII "Pause\0". Text. Globl _main. def _
Next we will take the release version as an example to illustrate the anatomy.
The key code for the EXE disassembly is as follows:
Function showcomputername:00401030: 8B 4C 24 04 mov ECx, dword ptr [esp + 4]
00401034: 83 EC 0C sub ESP, 0ch
00401037: 8d 44 24 00 Lea eax, [esp]
0040103b: 50 push eax
0040103c: 51 push ECx
0040103d: E8 be FF call 00401000
00401042: 8
to get es0 and esp0 from the TSS. After entering the RING0 (interrupt handler), we need to save the state information of process A to the PCB (Process Control block), so we point the TSS esp0 to the process table before the interrupt handler occurs. So in the restart function, we see:
Restart:
mov ESP, [P_proc_ready] ; Assigns the first address of the process table to ESP
Lldt [
and other hardware. How to drive these hardware is done by software.
Programming is done on the basis of the operating system through the operation of the Code and then compiled by the compiler to execute.
In Linux we have a disassembly to test how C code is converted into assembly code.
We do this on the lab floor, the C code is a simple three function (a main function and two called functions):
Disassembly with GCC under Linux:
Gcc-s-O main.s main.c-m32
You can get the assembly-level code f
debugger has captured corrupted data and paused the application. If you look at the EIP (Extended Instruction Pointer) register, you will see the fuzzer buffer sending overwrite register within 41 seconds, and the fuzzer buffer will also flood into ESP (Extended Stack pointer) register (00AEFC2C ). Our primary goal is to control the EIP register again through the instruction code executed by the CPU and set it to our selected value.
Vulnerability Mi
Because the "stack" is used from high to low, the newly pushed data has a lower position.
The pointer in ESP will always point to this new location, so the address data in ESP is dynamic.
Push each time, esp = ESP-X; pop each time, esp =
(make sure your application being built in debug mode or your results will be different). 11 doesn't work so we keep increasing it. 18 finally causes a crash. This crash isn't anything special yet. We've just totally screwed up the stack and it shows. Lets add six more a's, for a total of 24. Run the program and watch the dialog popup explaining to us that instruction at 0x61616161 had referenced memory at 0x61616161. You do know that the hex value for the ascii character a is 0x61 right? If you
incoming domain name has a maximum length limit of 0x40 bytes. Therefore, the shellcode length of each segment is 0 x 3f (63) bytes. After covering 532 bytes, it overwrites the return address of the function. This vulnerability is characterized by the second processing of incoming domain names in the stack, resulting in the second half of the shellcode before the returned address in the stack being completely invisible. There are two methods to execute shellcode:
First, the address of our entir
disassembly instructions, because the virtual machine provided by the lab is 64 bits, so add this parameter. I experimented, and if I don't add this parameter, the resulting instruction will be doped with 64-bit instructions. such as Movq and Pushq.The generated assembly code is as follows (the code has omitted some of the markers to facilitate analysis):1. file"main.c"2 g:3 PUSHL%EBP4 movl%esp,%EBP5Movl8(%EBP),%eax6Addl $3,%eax7 popl%EBP8 ret9 F
switching the most important is the broker's storehouses Switch and EIP (that is, program counters) the correct jump, mymain.c in the function My_start_kernel is the first code to execute, so from this function to start analysis. The My_start_kernel function first established 4 processes and initialization, such as the allocation stack, note that at the time of the first set up only No. 0 process status is runuable, the rest are unrunnable. There is the PCB structure of the THREAP.SP, each proc
example, we need to add-m32 on the x64 machine to enable GCC to generate 32-bit assembly source files.2. Processing source filesAfter executing the above command, there will be a main.s file in the current directory, using VIM to open, unwanted link information [with "." Line] to get the following assembly code:1 ExG:2Pushl%EBP3MOVL%esp,%EBP4Movl8(%EBP),%eax5Addl $5, %eax6Popl%EBP7 ret8 ExF:9Pushl%EBPTenMOVL%esp
master Modes) changes in the negotiation results.
Note:The IPSec NAT-T is defined only for ESP traffic.Content on this page
Problems related to using IPsec through NATOverview of NAT-T changes to IPSecAn IPsec NAT-T solution to an IPsec problem using NATIke negotiation example of active mode and fast mode SA using IPsec NAT-TMore informationProblems related to using IPsec through NAT
Problems related to using IPsec through NAT are as follows:
Nat c
seh exception chain, and so on.How fiber works
In fact, no matter which method, we only need to understand that if fiber is working, then we can implement our own fiber (of course, we need to consider other CPU-related situations ).
Similar to a thread, fiber has a stack to save the status required for the current call. Therefore, we need to create a stack for fiber first. Secondly, each fiber must need an entry function (just like a thread). During the switchover, you must enter this entry and
(anti-replay): IPSec receivers can detect and refuse to receive outdated or duplicated messages.IPSec has the following advantages:L Support IKE (Internet Key exchange, Internet Keys Exchange), can realize the auto-negotiation function of key, reduce the cost of key negotiation. The services of SA can be established and maintained through IKE, simplifying the use and management of IPSec.All applications and services that use the IP protocol for data transfer can use IPSec without having to make
is as follows: First in SoftICE the next breakpoint: Bpx ntdll! Kiuserexceptiondispatcher, this command means that the program runs to the Ntdll.dll in the Kiuserexceptiondispatcher to stop, to softice for processing. Kiuserexceptiondispatcher This function is a very important step in the process of Windows exception handling, it is responsible for distributing all the exceptions that occur in the user's layer space to the exception handling function in the chain, which is called whenever an ex
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.