当你在汇编中压入内存地址时会发生什么?
我正在尝试对反汇编的二进制文件进行逆向工程。我不明白它在进行调用时在做什么,例如:
push $0x804a254
更令人困惑的是,该地址不是指令的地址,也不在符号表中。它在做什么?
I am trying to reverse engineer a disassembled binary. I don't understand what it is doing when it makes a call such as:
push $0x804a254
What makes it even more confusing is that that address is not and address of an instruction nor is it in the symbol table. What is it doing?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
这是 3 种情况之一:它是一个常量(可以是哈希、数字、位标志或类型转换地址)、在任何范围静态分配的变量或缓冲区的地址(包括字符串文字)或错误分析的操作数(由于加密/垃圾处理)。它的真正含义与其使用相关(无论是调用参数还是设置 mem/reg 的间接方法)。
This is one of 3 cases: its either a constant(be it a hash, number, bitflags or a typecasted address), the address of a variable or buffer(this includes string literals) that is statically allocated at any scope or a missanalyzed operand(due to encryption/junking). Its true meaning is relative to its use(be it a call argument or and indirect method of setting a mem/reg).
您看到的值不在任何表中,也不在指令中,因为它是局部变量。 (局部变量不维护与符号表关联的任何名称,因为它们仅在您处于特定方法中时“活动”)该地址相当于类似的内容
为了正确释放内存,局部变量被分配在系统堆栈上记忆中的其他地方。它们在函数创建时被压入,在函数返回时被弹出,这就是您所看到的。
The value you see there is not in any table nor an instruction because it is a local variable. (Local variables to not maintain any name associated with a symbol table since they are only "alive" while you are in a specific method) The address is equivalent to something like
In order to properly free memory local variable are allocated on the system stack instead of somewhere else in memory. they are pushed when the function is created and popped off when the function returns, thats what you are seeing.
该指令只是将 32 位常量 (0x804a254) 压入堆栈。
仅凭该指令不足以让我们知道它后来如何使用。您能提供更多的代码反汇编吗?特别是我想看看这个值是在哪里弹出的,以及这个值后来是如何被使用的。
在开始任何逆向工程之前,我建议您阅读这本书(逆向工程秘密)然后是 X86 指令集手册(Intel 或 AMD)。我假设您正在对 x86 CPU 进行逆向工程。
That instruction simply pushes 32-bit constant (0x804a254) in the stack.
That instruction alone is not enough for us to tell how it is later used. Could you provide more dissasembly of the code? Especially I would like to see where this value is popped out, and how this value is later being used.
Before starting any reverse engineering I would recommend reading this book (Reverse Engineering secrets) and then X86 instruction set manual (Intel or AMD). I am assuming that you are Reverse Engineering for x86 CPU.