Absolute call using a register and an offset from a table
I wrote the following program in NASM in order to practice offsets, addressing, tables, etc.
section .text
global _start

t_addr:
    dw rout1-@, rout2-@         ; table of 16-bit offsets, relative to @
@ equ $                         ; reference point for the offsets

_start:
    mov esi, rout1
    call esi                    ; absolute call through a register

    call _start_reloc           ; pushes the address of _start_reloc
_start_reloc:
    pop ebp                     ; ebp = runtime address of _start_reloc; the stack is now as it was at _start
    sub ebp, _start_reloc-@     ; ebp = runtime address of @
    xor eax, eax
    add eax, 1                  ; index 1 selects rout2
    sal eax, 1                  ; scale by 2: table entries are words
    lea esi, [ebp+t_addr-@]     ; esi = runtime address of the table
    mov ax, word [esi+eax]      ; ax = rout2-@ (the high half of eax is already 0)
    add eax, ebp                ; eax = absolute address of rout2
    call eax                    ; reaches rout2 and returns to the next instruction
    ret                         ; pops whatever was on the stack at _start

rout1:
    mov eax, 0
    ret
rout2:
    xor eax, eax
    ret
Although the first two instructions after the _start label run as they should and transfer control to the rout1 function, when I try to access the rout2 function using the offset from the table, and while in GDB I look at the value of eax before the call eax instruction and it contains the address of rout2, when performing the call I get a segmentation fault and EIP is loaded with 0x00000001. WHY???
P.S.: I use Linux 32-bit.
The first problem I see is that when you enter _start_reloc you pop ebp. When that function ends and you ret, eip gets the value that's on the stack. Normally that would be ebp, but since you popped it out, now eip has a random value. Instead of pop ebp, try mov ebp,[esp], or pop ebp and then push ebp.
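A corrected version of the questioner's program, added here as an example that is not part of the original post or answer: the position-independent base is fetched by a small get-PC routine that reads its return address without popping it, so the table-driven call eax and every ret stay balanced, and the program exits through a syscall instead of returning into the argument count that Linux leaves at the top of the stack at process entry (which is why EIP became 1). It assumes 32-bit Linux with NASM and GNU ld (nasm -f elf32, ld -m elf_i386) and renames the @ label to base, since NASM does not accept @ as the first character of an identifier.

```nasm
; Added example (not from the original post): the questioner's program with the
; call/ret pairing fixed so the table-driven call returns cleanly. Assumes
; 32-bit Linux: nasm -f elf32 tbl.asm && ld -m elf_i386 -o tbl tbl.o
section .text
global _start

t_addr:
    dw rout1-base, rout2-base   ; 16-bit offsets, relative to 'base'
base equ $                      ; '@' renamed: NASM rejects it as a leading char

; get_base: ebp = address of the instruction following the call. The return
; address is read without popping it, so the ret below still finds it.
get_base:
    mov  ebp, [esp]
    ret

_start:
    mov  esi, rout1
    call esi                    ; absolute call through a register

    call get_base
after_call:                     ; ebp now holds the runtime address of this label
    sub  ebp, after_call-base   ; ebp = runtime address of 'base'
    xor  eax, eax
    add  eax, 1                 ; index 1 selects rout2
    sal  eax, 1                 ; entries are words, so scale by 2
    lea  esi, [ebp+t_addr-base] ; runtime address of the table
    movzx eax, word [esi+eax]   ; zero-extend: the high half of eax must be clear
    add  eax, ebp               ; offset + base = absolute address of rout2
    call eax                    ; rout2 returns here; the stack is balanced

    mov  eax, 1                 ; sys_exit on i386 Linux
    xor  ebx, ebx               ; exit status 0
    int  0x80

rout1:
    mov  eax, 0
    ret
rout2:
    xor  eax, eax
    ret
```

Single-stepping this in GDB shows call eax landing in rout2 and its ret coming back to the mov eax, 1 sequence, with esp equal to its value at _start.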