as the preceding type description.Then go back to the previous example, X is a two-dimensional array of definitions, p is an array pointer to an array of length 4, one to the first line of X (the line of x is an int array of length 4) and the next for loop, then the p+1 value, plus K (actually 1) and then the value, and add it to the variable N. The loop performs a total of 2 times, taking the first element (i.e. x[0][1],x[1][1]) of line 1th and line 2nd (corresponding to the first subscript 0
.
Mov a and B send the value of B to a, and regard it as a value assignment statement in programming, that is, B is assigned to a. Then the value of a is B.
Nop does not work, that is, nothing is done.
Retn retrieves the return address from the stack and jumps to the address for execution.
Here are some arithmetic operation commands:
ADD Addition
Sub Subtraction
Inc plus 1
Dec minus 1
Finally, the jump command:
Jmp unconditional jump
Je or jz jump if equal
Skip if not equal to jne or jnz
Skip if
To simplify the problem, analyze the compilation code generated by the simplest c code:# Vi test1.c
Int main (){Return 0;}
Compile the program to generate a binary file:# Gcc test1.c-o test1# File test1Test1: ELF 32-bit LSB executable 80386 Version 1, dynamically linked, not stripped
Test1 is an executable file in the ELF format of 32-bit Little Endian. It is dynamically linked and the symbol table is not removed.
This is a typical executable file format on the Unix/Linux platform.
With mdb dis
add eax,0x8; Pptr+2 003cc57c; In C language, the operation of pointers is 003cc57c based on pointer type; An int pointer plus 1 means that the address it points to is moved backward in length to a 003cc57c; The distance of the int size, which is 4 bytes. If it's a word type, move backwards by 2 bytes. 003cc57f Push eax003cc580 mov ecx,[local.7]003cc583 add ecx,0x4; Pptr+1 003cc586 push ecx003cc587 mov edx,[local.7]003cc58a push edx; pptr+0 003cc58b push 9-44.00420c6c; ASCII "%x%x%x\r\n" 0
We can encapsulate everything that a single task uses in a LDT, which is the embryonic form of multitasking.The types of segments used by multitasking are shown below, and the method of using LDT to isolate each application task is one of the key protection requirements:
Process schematic:
We need a data structure to record the state of a process, the process information is written to the data structure when the process is to be suspended, and the information is read again when the process resta
In C + +, when a class contains a virtual function, the class has polymorphism. An important function of the constructor is to initialize the vptr pointer, which is a critical step to ensure polymorphism.
Constructor initializes the vptr pointer
The following is the C + + Source:
Class X {
private:
int i;
Public:
X (int ii) {
i = II
}
virtual void set (int II) {//virtual function
i = II;
}
};
int main () {
x x (1);
}
The following is the corresponding main
based on the operand size to generate assembly code. At the Assembly language level, this set of General registers is referenced with % e (ATT syntax) or directly starting with e (Intel syntax), such as mov $5, % eax or mov eax, 5: Assign the value of "Number 5" to register % eax. In x86 processors, the EIP (Instruction Pointer) is the Instruction register pointing to the Instruction address (offset in the code segment) waiting for execution under the processor ), the EIP value of each Assembly
courseware has pointed out: sending a username that exceeds 480 bytes to the server can trigger the vulnerability (that is, using the command USER longString \ r \ n). After overflow, the content in ESP contains part of longString. Verification and analysis are required.2.2 analyze the stack structure of war-ftp v1.65, that is, the exact location of EIP, ESP, and ebp in the analysis stack.2.3 construct exp
point where it is called-compile the *///template code after the call, and tell the compiler that it starts the generic programming//typename tells the compiler that the type name is T compiler you see type T don't mess up the error .... T is type, type is parameterized just templateThe g++-s 1.cpp generates 1.SAnalysis 1.s. File "1.cpp". Lcomm __zstl8__ioinit, 1, 1.def ___main;. SCL 2;. Type 32;. Endef.section.rdata, "Dr" Lc2:.ascii "hello....\0" LC3:. ASCII "Pause\0". Text. Globl _main. def _
Address: http://www.cppblog.com/liu1061/articles/53762.html
If you are on a Linux platform, you can use GDB for disassembly and debugging. (Transfer)
2. The simplest CCodeAnalysis
To simplify the problem, analyze the compilation code generated by the simplest C code:# Vi test1.cInt main (){Return 0;}CompileProgramTo generate binary files:# GCC test1.c-O test1# File test1Test1: Elf 32-bit LSB executable 80386 version 1, dynamically linked, not stripped
Test1 is an executable file in the EL
Next we will take the release version as an example to illustrate the anatomy.
The key code for the EXE disassembly is as follows:
Function showcomputername:00401030: 8B 4C 24 04 mov ECx, dword ptr [esp + 4]
00401034: 83 EC 0C sub ESP, 0ch
00401037: 8d 44 24 00 Lea eax, [esp]
0040103b: 50 push eax
0040103c: 51 push ECx
0040103d: E8 be FF call 00401000
00401042: 8
to get es0 and esp0 from the TSS. After entering the RING0 (interrupt handler), we need to save the state information of process A to the PCB (Process Control block), so we point the TSS esp0 to the process table before the interrupt handler occurs. So in the restart function, we see:
Restart:
mov ESP, [P_proc_ready] ; Assigns the first address of the process table to ESP
Lldt [
and other hardware. How to drive these hardware is done by software.
Programming is done on the basis of the operating system through the operation of the Code and then compiled by the compiler to execute.
In Linux we have a disassembly to test how C code is converted into assembly code.
We do this on the lab floor, the C code is a simple three function (a main function and two called functions):
Disassembly with GCC under Linux:
Gcc-s-O main.s main.c-m32
You can get the assembly-level code f
debugger has captured corrupted data and paused the application. If you look at the EIP (Extended Instruction Pointer) register, you will see the fuzzer buffer sending overwrite register within 41 seconds, and the fuzzer buffer will also flood into ESP (Extended Stack pointer) register (00AEFC2C ). Our primary goal is to control the EIP register again through the instruction code executed by the CPU and set it to our selected value.
Vulnerability Mi
Because the "stack" is used from high to low, the newly pushed data has a lower position.
The pointer in ESP will always point to this new location, so the address data in ESP is dynamic.
Push each time, esp = ESP-X; pop each time, esp =
switching the most important is the broker's storehouses Switch and EIP (that is, program counters) the correct jump, mymain.c in the function My_start_kernel is the first code to execute, so from this function to start analysis. The My_start_kernel function first established 4 processes and initialization, such as the allocation stack, note that at the time of the first set up only No. 0 process status is runuable, the rest are unrunnable. There is the PCB structure of the THREAP.SP, each proc
(make sure your application being built in debug mode or your results will be different). 11 doesn't work so we keep increasing it. 18 finally causes a crash. This crash isn't anything special yet. We've just totally screwed up the stack and it shows. Lets add six more a's, for a total of 24. Run the program and watch the dialog popup explaining to us that instruction at 0x61616161 had referenced memory at 0x61616161. You do know that the hex value for the ascii character a is 0x61 right? If you
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.