记录一次比较容易引起混淆的地方。
#include <stdio.h>
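/*
 * Returns a pointer to a string literal. The literal has static storage
 * duration (the assembly listing further down places it in .rodata), so
 * handing its address back to the caller is valid after str() returns.
 */
char *str(void)
{
    return "nihao\n";
}

/*
 * Original bug: printf("%s\n", str) passed the *function's address* (str
 * without parentheses) to a %s conversion. printf then read the function's
 * machine code as if it were a NUL-terminated string -- undefined behavior,
 * which showed up as garbage output. Passing str() (the call) gives printf
 * the returned string. gcc -Wall -Wformat reports the original mismatch at
 * compile time.
 */
int main(void)
{
    printf("%s\n", str());
    return 0;
}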
如上图所示,打印出来的为乱码。
第一反应,字符串 “nihao” 是局部变量,从 str 中返回之后就成乱码了?
char *str(void) { return "nihao"; } .file "return_str.c" .section .rodata .LC0: .string "nihao" .text .globl str .type str, @function str: .LFB0: .cfi_startproc pushl %ebp .cfi_def_cfa_offset 8 .cfi_offset 5, -8 movl %esp, %ebp .cfi_def_cfa_register 5 movl $.LC0, %eax popl %ebp .cfi_restore 5 .cfi_def_cfa 4, 4 ret .cfi_endproc .LFE0: .size str, .-str .ident "GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.9) 5.4.0 20160609" .section .note.GNU-stack,"",@progbits
在.text段,不确定,将地址打印出来看
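#include <stdio.h>
#include <stdlib.h>

/* File-scope global; only its address is printed below. */
int aa;

/* Returns the address of a string literal (static storage duration). */
char *test(void)
{
    return "nihao";
}

/*
 * Prints the address of one object from each storage class so they can be
 * compared: a global, an automatic (stack) variable, a function-local
 * static, a heap block, a string literal and a function.
 *
 * %p requires a void * argument, so every object pointer is cast explicitly.
 * Converting a function pointer to void * is a common extension (POSIX
 * requires it, ISO C does not guarantee it); it is kept here because the
 * function's address is exactly what this demo wants to show.
 */
int main(void)
{
    int bb = 0;
    static int cc;
    int *p = malloc(sizeof *p);   /* no cast on malloc in C */

    if (p == NULL) {
        perror("malloc");
        return 1;
    }
    printf("%p\n", (void *)&aa);
    printf("%p\n", (void *)&bb);
    printf("%p\n", (void *)&cc);
    printf("%p\n", (void *)p);
    printf("%p\n", (void *)"nihao");
    printf("%p\n", (void *)test);
    free(p);   /* the original leaked this block */
    return 0;
}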
数据不贴出来了,很明显,局部变量 bb 的地址跟其他的地址不一致,所以确定字符串 “nihao” 不是在栈上,不存在函数退出之后访问不到的情况。
第二反应,返回的是函数地址,通过objdump反汇编,查看返回的的确是函数地址。
a.out: 文件格式 elf32-i386 Disassembly of section .interp: 08048154 <.interp>: 8048154: 2f das 8048155: 6c insb (%dx),%es:(%edi) 8048156: 69 62 2f 6c 64 2d 6c imul $0x6c2d646c,0x2f(%edx),%esp 804815d: 69 6e 75 78 2e 73 6f imul $0x6f732e78,0x75(%esi),%ebp 8048164: 2e 32 00 xor %cs:(%eax),%al Disassembly of section .note.ABI-tag: 08048168 <.note.ABI-tag>: 8048168: 04 00 add $0x0,%al 804816a: 00 00 add %al,(%eax) 804816c: 10 00 adc %al,(%eax) 804816e: 00 00 add %al,(%eax) 8048170: 01 00 add %eax,(%eax) 8048172: 00 00 add %al,(%eax) 8048174: 47 inc %edi 8048175: 4e dec %esi 8048176: 55 push %ebp 8048177: 00 00 add %al,(%eax) 8048179: 00 00 add %al,(%eax) 804817b: 00 02 add %al,(%edx) 804817d: 00 00 add %al,(%eax) 804817f: 00 06 add %al,(%esi) 8048181: 00 00 add %al,(%eax) 8048183: 00 20 add %ah,(%eax) 8048185: 00 00 add %al,(%eax) ... Disassembly of section .note.gnu.build-id: 08048188 <.note.gnu.build-id>: 8048188: 04 00 add $0x0,%al 804818a: 00 00 add %al,(%eax) 804818c: 14 00 adc $0x0,%al 804818e: 00 00 add %al,(%eax) 8048190: 03 00 add (%eax),%eax 8048192: 00 00 add %al,(%eax) 8048194: 47 inc %edi 8048195: 4e dec %esi 8048196: 55 push %ebp 8048197: 00 e4 add %ah,%ah 8048199: 0a 2a or (%edx),%ch 804819b: 3c f8 cmp $0xf8,%al 804819d: ca 5a 61 lret $0x615a 80481a0: 85 66 5d test %esp,0x5d(%esi) 80481a3: 91 xchg %eax,%ecx 80481a4: 72 b5 jb 804815b <_init-0x1b5> 80481a6: ca 36 17 lret $0x1736 80481a9: 77 9f ja 804814a <_init-0x1c6> 80481ab: 50 push %eax Disassembly of section .gnu.hash: 080481ac <.gnu.hash>: 80481ac: 02 00 add (%eax),%al 80481ae: 00 00 add %al,(%eax) 80481b0: 06 push %es 80481b1: 00 00 add %al,(%eax) 80481b3: 00 01 add %al,(%ecx) 80481b5: 00 00 add %al,(%eax) 80481b7: 00 05 00 00 00 00 add %al,0x0 80481bd: 20 00 and %al,(%eax) 80481bf: 20 00 and %al,(%eax) 80481c1: 00 00 add %al,(%eax) 80481c3: 00 06 add %al,(%esi) 80481c5: 00 00 add %al,(%eax) 80481c7: 00 .byte 0x0 80481c8: ad lods %ds:(%esi),%eax 80481c9: 4b dec %ebx 80481ca: e3 c0 jecxz 804818c 
<_init-0x184> Disassembly of section .dynsym: 080481cc <.dynsym>: ... 80481dc: 2b 00 sub (%eax),%eax ... 80481e6: 00 00 add %al,(%eax) 80481e8: 12 00 adc (%eax),%al 80481ea: 00 00 add %al,(%eax) 80481ec: 1a 00 sbb (%eax),%al ... 80481f6: 00 00 add %al,(%eax) 80481f8: 12 00 adc (%eax),%al 80481fa: 00 00 add %al,(%eax) 80481fc: 32 00 xor (%eax),%al ... 8048206: 00 00 add %al,(%eax) 8048208: 12 00 adc (%eax),%al 804820a: 00 00 add %al,(%eax) 804820c: 4b dec %ebx ... 8048215: 00 00 add %al,(%eax) 8048217: 00 20 add %ah,(%eax) 8048219: 00 00 add %al,(%eax) 804821b: 00 39 add %bh,(%ecx) ... 8048225: 00 00 add %al,(%eax) 8048227: 00 12 add %dl,(%edx) 8048229: 00 00 add %al,(%eax) 804822b: 00 0b add %cl,(%ebx) 804822d: 00 00 add %al,(%eax) 804822f: 00 ec add %ch,%ah 8048231: 85 04 08 test %eax,(%eax,%ecx,1) 8048234: 04 00 add $0x0,%al 8048236: 00 00 add %al,(%eax) 8048238: 11 00 adc %eax,(%eax) 804823a: 10 00 adc %al,(%eax) Disassembly of section .dynstr: 0804823c <.dynstr>: 804823c: 00 6c 69 62 add %ch,0x62(%ecx,%ebp,2) 8048240: 63 2e arpl %bp,(%esi) 8048242: 73 6f jae 80482b3 <_init-0x5d> 8048244: 2e 36 00 5f 49 cs add %bl,%ss:0x49(%edi) 8048249: 4f dec %edi 804824a: 5f pop %edi 804824b: 73 74 jae 80482c1 <_init-0x4f> 804824d: 64 69 6e 5f 75 73 65 imul $0x64657375,%fs:0x5f(%esi),%ebp 8048254: 64 8048255: 00 5f 5f add %bl,0x5f(%edi) 8048258: 73 74 jae 80482ce <_init-0x42> 804825a: 61 popa 804825b: 63 6b 5f arpl %bp,0x5f(%ebx) 804825e: 63 68 6b arpl %bp,0x6b(%eax) 8048261: 5f pop %edi 8048262: 66 61 popaw 8048264: 69 6c 00 70 72 69 6e imul $0x746e6972,0x70(%eax,%eax,1),%ebp 804826b: 74 804826c: 66 00 6d 61 data16 add %ch,0x61(%ebp) 8048270: 6c insb (%dx),%es:(%edi) 8048271: 6c insb (%dx),%es:(%edi) 8048272: 6f outsl %ds:(%esi),(%dx) 8048273: 63 00 arpl %ax,(%eax) 8048275: 5f pop %edi 8048276: 5f pop %edi 8048277: 6c insb (%dx),%es:(%edi) 8048278: 69 62 63 5f 73 74 61 imul $0x6174735f,0x63(%edx),%esp 804827f: 72 74 jb 80482f5 <_init-0x1b> 8048281: 5f pop %edi 8048282: 6d 
insl (%dx),%es:(%edi) 8048283: 61 popa 8048284: 69 6e 00 5f 5f 67 6d imul $0x6d675f5f,0x0(%esi),%ebp 804828b: 6f outsl %ds:(%esi),(%dx) 804828c: 6e outsb %ds:(%esi),(%dx) 804828d: 5f pop %edi 804828e: 73 74 jae 8048304 <_init-0xc> 8048290: 61 popa 8048291: 72 74 jb 8048307 <_init-0x9> 8048293: 5f pop %edi 8048294: 5f pop %edi 8048295: 00 47 4c add %al,0x4c(%edi) 8048298: 49 dec %ecx 8048299: 42 inc %edx 804829a: 43 inc %ebx 804829b: 5f pop %edi 804829c: 32 2e xor (%esi),%ch 804829e: 34 00 xor $0x0,%al 80482a0: 47 inc %edi 80482a1: 4c dec %esp 80482a2: 49 dec %ecx 80482a3: 42 inc %edx 80482a4: 43 inc %ebx 80482a5: 5f pop %edi 80482a6: 32 2e xor (%esi),%ch 80482a8: 30 00 xor %al,(%eax) Disassembly of section .gnu.version: 080482aa <.gnu.version>: 80482aa: 00 00 add %al,(%eax) 80482ac: 02 00 add (%eax),%al 80482ae: 03 00 add (%eax),%eax 80482b0: 02 00 add (%eax),%al 80482b2: 00 00 add %al,(%eax) 80482b4: 02 00 add (%eax),%al 80482b6: 01 00 add %eax,(%eax) Disassembly of section .gnu.version_r: 080482b8 <.gnu.version_r>: 80482b8: 01 00 add %eax,(%eax) 80482ba: 02 00 add (%eax),%al 80482bc: 01 00 add %eax,(%eax) 80482be: 00 00 add %al,(%eax) 80482c0: 10 00 adc %al,(%eax) 80482c2: 00 00 add %al,(%eax) 80482c4: 00 00 add %al,(%eax) 80482c6: 00 00 add %al,(%eax) 80482c8: 14 69 adc $0x69,%al 80482ca: 69 0d 00 00 03 00 5a imul $0x5a,0x30000,%ecx 80482d1: 00 00 00 80482d4: 10 00 adc %al,(%eax) 80482d6: 00 00 add %al,(%eax) 80482d8: 10 69 69 adc %ch,0x69(%ecx) 80482db: 0d 00 00 02 00 or $0x20000,%eax 80482e0: 64 00 00 add %al,%fs:(%eax) 80482e3: 00 00 add %al,(%eax) 80482e5: 00 00 add %al,(%eax) ... Disassembly of section .rel.dyn: 080482e8 <.rel.dyn>: 80482e8: fc cld 80482e9: 9f lahf 80482ea: 04 08 add $0x8,%al 80482ec: 06 push %es 80482ed: 04 00 add $0x0,%al ... 
Disassembly of section .rel.plt: 080482f0 <.rel.plt>: 80482f0: 0c a0 or $0xa0,%al 80482f2: 04 08 add $0x8,%al 80482f4: 07 pop %es 80482f5: 01 00 add %eax,(%eax) 80482f7: 00 10 add %dl,(%eax) 80482f9: a0 04 08 07 02 mov 0x2070804,%al 80482fe: 00 00 add %al,(%eax) 8048300: 14 a0 adc $0xa0,%al 8048302: 04 08 add $0x8,%al 8048304: 07 pop %es 8048305: 03 00 add (%eax),%eax 8048307: 00 18 add %bl,(%eax) 8048309: a0 04 08 07 05 mov 0x5070804,%al ... Disassembly of section .init: 08048310 <_init>: 8048310: 53 push %ebx 8048311: 83 ec 08 sub $0x8,%esp 8048314: e8 b7 00 00 00 call 80483d0 <__x86.get_pc_thunk.bx> 8048319: 81 c3 e7 1c 00 00 add $0x1ce7,%ebx 804831f: 8b 83 fc ff ff ff mov -0x4(%ebx),%eax 8048325: 85 c0 test %eax,%eax 8048327: 74 05 je 804832e <_init+0x1e> 8048329: e8 62 00 00 00 call 8048390 <__libc_start_main@plt+0x10> 804832e: 83 c4 08 add $0x8,%esp 8048331: 5b pop %ebx 8048332: c3 ret Disassembly of section .plt: 08048340 <printf@plt-0x10>: 8048340: ff 35 04 a0 04 08 pushl 0x804a004 8048346: ff 25 08 a0 04 08 jmp *0x804a008 804834c: 00 00 add %al,(%eax) ... 
08048350 <printf@plt>: 8048350: ff 25 0c a0 04 08 jmp *0x804a00c 8048356: 68 00 00 00 00 push $0x0 804835b: e9 e0 ff ff ff jmp 8048340 <_init+0x30> 08048360 <__stack_chk_fail@plt>: 8048360: ff 25 10 a0 04 08 jmp *0x804a010 8048366: 68 08 00 00 00 push $0x8 804836b: e9 d0 ff ff ff jmp 8048340 <_init+0x30> 08048370 <malloc@plt>: 8048370: ff 25 14 a0 04 08 jmp *0x804a014 8048376: 68 10 00 00 00 push $0x10 804837b: e9 c0 ff ff ff jmp 8048340 <_init+0x30> 08048380 <__libc_start_main@plt>: 8048380: ff 25 18 a0 04 08 jmp *0x804a018 8048386: 68 18 00 00 00 push $0x18 804838b: e9 b0 ff ff ff jmp 8048340 <_init+0x30> Disassembly of section .plt.got: 08048390 <.plt.got>: 8048390: ff 25 fc 9f 04 08 jmp *0x8049ffc 8048396: 66 90 xchg %ax,%ax Disassembly of section .text: 080483a0 <_start>: 80483a0: 31 ed xor %ebp,%ebp 80483a2: 5e pop %esi 80483a3: 89 e1 mov %esp,%ecx 80483a5: 83 e4 f0 and $0xfffffff0,%esp 80483a8: 50 push %eax 80483a9: 54 push %esp 80483aa: 52 push %edx 80483ab: 68 d0 85 04 08 push $0x80485d0 80483b0: 68 70 85 04 08 push $0x8048570 80483b5: 51 push %ecx 80483b6: 56 push %esi 80483b7: 68 a5 84 04 08 push $0x80484a5 80483bc: e8 bf ff ff ff call 8048380 <__libc_start_main@plt> 80483c1: f4 hlt 80483c2: 66 90 xchg %ax,%ax 80483c4: 66 90 xchg %ax,%ax 80483c6: 66 90 xchg %ax,%ax 80483c8: 66 90 xchg %ax,%ax 80483ca: 66 90 xchg %ax,%ax 80483cc: 66 90 xchg %ax,%ax 80483ce: 66 90 xchg %ax,%ax 080483d0 <__x86.get_pc_thunk.bx>: 80483d0: 8b 1c 24 mov (%esp),%ebx 80483d3: c3 ret 80483d4: 66 90 xchg %ax,%ax 80483d6: 66 90 xchg %ax,%ax 80483d8: 66 90 xchg %ax,%ax 80483da: 66 90 xchg %ax,%ax 80483dc: 66 90 xchg %ax,%ax 80483de: 66 90 xchg %ax,%ax 080483e0 <deregister_tm_clones>: 80483e0: b8 27 a0 04 08 mov $0x804a027,%eax 80483e5: 2d 24 a0 04 08 sub $0x804a024,%eax 80483ea: 83 f8 06 cmp $0x6,%eax 80483ed: 76 1a jbe 8048409 <deregister_tm_clones+0x29> 80483ef: b8 00 00 00 00 mov $0x0,%eax 80483f4: 85 c0 test %eax,%eax 80483f6: 74 11 je 8048409 <deregister_tm_clones+0x29> 80483f8: 
55 push %ebp 80483f9: 89 e5 mov %esp,%ebp 80483fb: 83 ec 14 sub $0x14,%esp 80483fe: 68 24 a0 04 08 push $0x804a024 8048403: ff d0 call *%eax 8048405: 83 c4 10 add $0x10,%esp 8048408: c9 leave 8048409: f3 c3 repz ret 804840b: 90 nop 804840c: 8d 74 26 00 lea 0x0(%esi,%eiz,1),%esi 08048410 <register_tm_clones>: 8048410: b8 24 a0 04 08 mov $0x804a024,%eax 8048415: 2d 24 a0 04 08 sub $0x804a024,%eax 804841a: c1 f8 02 sar $0x2,%eax 804841d: 89 c2 mov %eax,%edx 804841f: c1 ea 1f shr $0x1f,%edx 8048422: 01 d0 add %edx,%eax 8048424: d1 f8 sar %eax 8048426: 74 1b je 8048443 <register_tm_clones+0x33> 8048428: ba 00 00 00 00 mov $0x0,%edx 804842d: 85 d2 test %edx,%edx 804842f: 74 12 je 8048443 <register_tm_clones+0x33> 8048431: 55 push %ebp 8048432: 89 e5 mov %esp,%ebp 8048434: 83 ec 10 sub $0x10,%esp 8048437: 50 push %eax 8048438: 68 24 a0 04 08 push $0x804a024 804843d: ff d2 call *%edx 804843f: 83 c4 10 add $0x10,%esp 8048442: c9 leave 8048443: f3 c3 repz ret 8048445: 8d 74 26 00 lea 0x0(%esi,%eiz,1),%esi 8048449: 8d bc 27 00 00 00 00 lea 0x0(%edi,%eiz,1),%edi 08048450 <__do_global_dtors_aux>: 8048450: 80 3d 24 a0 04 08 00 cmpb $0x0,0x804a024 8048457: 75 13 jne 804846c <__do_global_dtors_aux+0x1c> 8048459: 55 push %ebp 804845a: 89 e5 mov %esp,%ebp 804845c: 83 ec 08 sub $0x8,%esp 804845f: e8 7c ff ff ff call 80483e0 <deregister_tm_clones> 8048464: c6 05 24 a0 04 08 01 movb $0x1,0x804a024 804846b: c9 leave 804846c: f3 c3 repz ret 804846e: 66 90 xchg %ax,%ax 08048470 <frame_dummy>: 8048470: b8 10 9f 04 08 mov $0x8049f10,%eax 8048475: 8b 10 mov (%eax),%edx 8048477: 85 d2 test %edx,%edx 8048479: 75 05 jne 8048480 <frame_dummy+0x10> 804847b: eb 93 jmp 8048410 <register_tm_clones> 804847d: 8d 76 00 lea 0x0(%esi),%esi 8048480: ba 00 00 00 00 mov $0x0,%edx 8048485: 85 d2 test %edx,%edx 8048487: 74 f2 je 804847b <frame_dummy+0xb> 8048489: 55 push %ebp 804848a: 89 e5 mov %esp,%ebp 804848c: 83 ec 14 sub $0x14,%esp 804848f: 50 push %eax 8048490: ff d2 call *%edx 8048492: 83 c4 10 add 
$0x10,%esp 8048495: c9 leave 8048496: e9 75 ff ff ff jmp 8048410 <register_tm_clones> 0804849b <test>: 804849b: 55 push %ebp 804849c: 89 e5 mov %esp,%ebp 804849e: b8 f0 85 04 08 mov $0x80485f0,%eax 80484a3: 5d pop %ebp 80484a4: c3 ret 080484a5 <main>: 80484a5: 8d 4c 24 04 lea 0x4(%esp),%ecx 80484a9: 83 e4 f0 and $0xfffffff0,%esp 80484ac: ff 71 fc pushl -0x4(%ecx) 80484af: 55 push %ebp 80484b0: 89 e5 mov %esp,%ebp 80484b2: 51 push %ecx 80484b3: 83 ec 14 sub $0x14,%esp 80484b6: 65 a1 14 00 00 00 mov %gs:0x14,%eax 80484bc: 89 45 f4 mov %eax,-0xc(%ebp) 80484bf: 31 c0 xor %eax,%eax 80484c1: 83 ec 0c sub $0xc,%esp 80484c4: 6a 04 push $0x4 80484c6: e8 a5 fe ff ff call 8048370 <malloc@plt> 80484cb: 83 c4 10 add $0x10,%esp 80484ce: 89 45 f0 mov %eax,-0x10(%ebp) 80484d1: 83 ec 08 sub $0x8,%esp 80484d4: 68 2c a0 04 08 push $0x804a02c 80484d9: 68 f6 85 04 08 push $0x80485f6 80484de: e8 6d fe ff ff call 8048350 <printf@plt> 80484e3: 83 c4 10 add $0x10,%esp 80484e6: 83 ec 08 sub $0x8,%esp 80484e9: 8d 45 ec lea -0x14(%ebp),%eax 80484ec: 50 push %eax 80484ed: 68 f6 85 04 08 push $0x80485f6 80484f2: e8 59 fe ff ff call 8048350 <printf@plt> 80484f7: 83 c4 10 add $0x10,%esp 80484fa: 83 ec 08 sub $0x8,%esp 80484fd: 68 28 a0 04 08 push $0x804a028 8048502: 68 f6 85 04 08 push $0x80485f6 8048507: e8 44 fe ff ff call 8048350 <printf@plt> 804850c: 83 c4 10 add $0x10,%esp 804850f: 83 ec 08 sub $0x8,%esp 8048512: ff 75 f0 pushl -0x10(%ebp) 8048515: 68 f6 85 04 08 push $0x80485f6 804851a: e8 31 fe ff ff call 8048350 <printf@plt> 804851f: 83 c4 10 add $0x10,%esp 8048522: 83 ec 08 sub $0x8,%esp 8048525: 68 f0 85 04 08 push $0x80485f0 804852a: 68 f6 85 04 08 push $0x80485f6 804852f: e8 1c fe ff ff call 8048350 <printf@plt> 8048534: 83 c4 10 add $0x10,%esp 8048537: 83 ec 08 sub $0x8,%esp 804853a: 68 9b 84 04 08 push $0x804849b 804853f: 68 f6 85 04 08 push $0x80485f6 8048544: e8 07 fe ff ff call 8048350 <printf@plt> 8048549: 83 c4 10 add $0x10,%esp 804854c: b8 00 00 00 00 mov $0x0,%eax 8048551: 8b 
55 f4 mov -0xc(%ebp),%edx 8048554: 65 33 15 14 00 00 00 xor %gs:0x14,%edx 804855b: 74 05 je 8048562 <main+0xbd> 804855d: e8 fe fd ff ff call 8048360 <__stack_chk_fail@plt> 8048562: 8b 4d fc mov -0x4(%ebp),%ecx 8048565: c9 leave 8048566: 8d 61 fc lea -0x4(%ecx),%esp 8048569: c3 ret 804856a: 66 90 xchg %ax,%ax 804856c: 66 90 xchg %ax,%ax 804856e: 66 90 xchg %ax,%ax 08048570 <__libc_csu_init>: 8048570: 55 push %ebp 8048571: 57 push %edi 8048572: 56 push %esi 8048573: 53 push %ebx 8048574: e8 57 fe ff ff call 80483d0 <__x86.get_pc_thunk.bx> 8048579: 81 c3 87 1a 00 00 add $0x1a87,%ebx 804857f: 83 ec 0c sub $0xc,%esp 8048582: 8b 6c 24 20 mov 0x20(%esp),%ebp 8048586: 8d b3 0c ff ff ff lea -0xf4(%ebx),%esi 804858c: e8 7f fd ff ff call 8048310 <_init> 8048591: 8d 83 08 ff ff ff lea -0xf8(%ebx),%eax 8048597: 29 c6 sub %eax,%esi 8048599: c1 fe 02 sar $0x2,%esi 804859c: 85 f6 test %esi,%esi 804859e: 74 25 je 80485c5 <__libc_csu_init+0x55> 80485a0: 31 ff xor %edi,%edi 80485a2: 8d b6 00 00 00 00 lea 0x0(%esi),%esi 80485a8: 83 ec 04 sub $0x4,%esp 80485ab: ff 74 24 2c pushl 0x2c(%esp) 80485af: ff 74 24 2c pushl 0x2c(%esp) 80485b3: 55 push %ebp 80485b4: ff 94 bb 08 ff ff ff call *-0xf8(%ebx,%edi,4) 80485bb: 83 c7 01 add $0x1,%edi 80485be: 83 c4 10 add $0x10,%esp 80485c1: 39 f7 cmp %esi,%edi 80485c3: 75 e3 jne 80485a8 <__libc_csu_init+0x38> 80485c5: 83 c4 0c add $0xc,%esp 80485c8: 5b pop %ebx 80485c9: 5e pop %esi 80485ca: 5f pop %edi 80485cb: 5d pop %ebp 80485cc: c3 ret 80485cd: 8d 76 00 lea 0x0(%esi),%esi 080485d0 <__libc_csu_fini>: 80485d0: f3 c3 repz ret Disassembly of section .fini: 080485d4 <_fini>: 80485d4: 53 push %ebx 80485d5: 83 ec 08 sub $0x8,%esp 80485d8: e8 f3 fd ff ff call 80483d0 <__x86.get_pc_thunk.bx> 80485dd: 81 c3 23 1a 00 00 add $0x1a23,%ebx 80485e3: 83 c4 08 add $0x8,%esp 80485e6: 5b pop %ebx 80485e7: c3 ret Disassembly of section .rodata: 080485e8 <_fp_hw>: 80485e8: 03 00 add (%eax),%eax ... 
080485ec <_IO_stdin_used>: 80485ec: 01 00 add %eax,(%eax) 80485ee: 02 00 add (%eax),%al 80485f0: 6e outsb %ds:(%esi),(%dx) 80485f1: 69 68 61 6f 00 25 70 imul $0x7025006f,0x61(%eax),%ebp 80485f8: 0a 00 or (%eax),%al Disassembly of section .eh_frame_hdr: 080485fc <__GNU_EH_FRAME_HDR>: 80485fc: 01 1b add %ebx,(%ebx) 80485fe: 03 3b add (%ebx),%edi 8048600: 30 00 xor %al,(%eax) 8048602: 00 00 add %al,(%eax) 8048604: 05 00 00 00 44 add $0x44000000,%eax 8048609: fd std 804860a: ff (bad) 804860b: ff 4c 00 00 decl 0x0(%eax,%eax,1) 804860f: 00 9f fe ff ff 70 add %bl,0x70fffffe(%edi) 8048615: 00 00 add %al,(%eax) 8048617: 00 a9 fe ff ff 90 add %ch,-0x6f000002(%ecx) 804861d: 00 00 add %al,(%eax) 804861f: 00 74 ff ff add %dh,-0x1(%edi,%edi,8) 8048623: ff (bad) 8048624: bc 00 00 00 d4 mov $0xd4000000,%esp 8048629: ff (bad) 804862a: ff (bad) 804862b: ff 08 decl (%eax) 804862d: 01 00 add %eax,(%eax) ... Disassembly of section .eh_frame: 08048630 <__FRAME_END__-0xe8>: 8048630: 14 00 adc $0x0,%al 8048632: 00 00 add %al,(%eax) 8048634: 00 00 add %al,(%eax) 8048636: 00 00 add %al,(%eax) 8048638: 01 7a 52 add %edi,0x52(%edx) 804863b: 00 01 add %al,(%ecx) 804863d: 7c 08 jl 8048647 <__GNU_EH_FRAME_HDR+0x4b> 804863f: 01 1b add %ebx,(%ebx) 8048641: 0c 04 or $0x4,%al 8048643: 04 88 add $0x88,%al 8048645: 01 00 add %eax,(%eax) 8048647: 00 20 add %ah,(%eax) 8048649: 00 00 add %al,(%eax) 804864b: 00 1c 00 add %bl,(%eax,%eax,1) 804864e: 00 00 add %al,(%eax) 8048650: f0 fc lock cld 8048652: ff (bad) 8048653: ff 50 00 call *0x0(%eax) 8048656: 00 00 add %al,(%eax) 8048658: 00 0e add %cl,(%esi) 804865a: 08 46 0e or %al,0xe(%esi) 804865d: 0c 4a or $0x4a,%al 804865f: 0f 0b ud2 8048661: 74 04 je 8048667 <__GNU_EH_FRAME_HDR+0x6b> 8048663: 78 00 js 8048665 <__GNU_EH_FRAME_HDR+0x69> 8048665: 3f aas 8048666: 1a 3b sbb (%ebx),%bh 8048668: 2a 32 sub (%edx),%dh 804866a: 24 22 and $0x22,%al 804866c: 1c 00 sbb $0x0,%al 804866e: 00 00 add %al,(%eax) 8048670: 40 inc %eax 8048671: 00 00 add %al,(%eax) 8048673: 00 
27 add %ah,(%edi) 8048675: fe (bad) 8048676: ff (bad) 8048677: ff 0a decl (%edx) 8048679: 00 00 add %al,(%eax) 804867b: 00 00 add %al,(%eax) 804867d: 41 inc %ecx 804867e: 0e push %cs 804867f: 08 85 02 42 0d 05 or %al,0x50d4202(%ebp) 8048685: 46 inc %esi 8048686: c5 0c 04 lds (%esp,%eax,1),%ecx 8048689: 04 00 add $0x0,%al 804868b: 00 28 add %ch,(%eax) 804868d: 00 00 add %al,(%eax) 804868f: 00 60 00 add %ah,0x0(%eax) 8048692: 00 00 add %al,(%eax) 8048694: 11 fe adc %edi,%esi 8048696: ff (bad) 8048697: ff c5 inc %ebp 8048699: 00 00 add %al,(%eax) 804869b: 00 00 add %al,(%eax) 804869d: 44 inc %esp 804869e: 0c 01 or $0x1,%al 80486a0: 00 47 10 add %al,0x10(%edi) 80486a3: 05 02 75 00 43 add $0x43007502,%eax 80486a8: 0f 03 75 7c lsl 0x7c(%ebp),%esi 80486ac: 06 push %es 80486ad: 02 b2 0c 01 00 41 add 0x4100010c(%edx),%dh 80486b3: c5 43 0c lds 0xc(%ebx),%eax 80486b6: 04 04 add $0x4,%al 80486b8: 48 dec %eax 80486b9: 00 00 add %al,(%eax) 80486bb: 00 8c 00 00 00 b0 fe add %cl,-0x1500000(%eax,%eax,1) 80486c2: ff (bad) 80486c3: ff 5d 00 lcall *0x0(%ebp) 80486c6: 00 00 add %al,(%eax) 80486c8: 00 41 0e add %al,0xe(%ecx) 80486cb: 08 85 02 41 0e 0c or %al,0xc0e4102(%ebp) 80486d1: 87 03 xchg %eax,(%ebx) 80486d3: 41 inc %ecx 80486d4: 0e push %cs 80486d5: 10 86 04 41 0e 14 adc %al,0x140e4104(%esi) 80486db: 83 05 4e 0e 20 69 0e addl $0xe,0x69200e4e 80486e2: 24 44 and $0x44,%al 80486e4: 0e push %cs 80486e5: 28 44 0e 2c sub %al,0x2c(%esi,%ecx,1) 80486e9: 41 inc %ecx 80486ea: 0e push %cs 80486eb: 30 4d 0e xor %cl,0xe(%ebp) 80486ee: 20 47 0e and %al,0xe(%edi) 80486f1: 14 41 adc $0x41,%al 80486f3: c3 ret 80486f4: 0e push %cs 80486f5: 10 41 c6 adc %al,-0x3a(%ecx) 80486f8: 0e push %cs 80486f9: 0c 41 or $0x41,%al 80486fb: c7 (bad) 80486fc: 0e push %cs 80486fd: 08 41 c5 or %al,-0x3b(%ecx) 8048700: 0e push %cs 8048701: 04 00 add $0x0,%al 8048703: 00 10 add %dl,(%eax) 8048705: 00 00 add %al,(%eax) 8048707: 00 d8 add %bl,%al 8048709: 00 00 add %al,(%eax) 804870b: 00 c4 add %al,%ah 804870d: fe (bad) 
804870e: ff (bad) 804870f: ff 02 incl (%edx) 8048711: 00 00 add %al,(%eax) 8048713: 00 00 add %al,(%eax) 8048715: 00 00 add %al,(%eax) ... 08048718 <__FRAME_END__>: 8048718: 00 00 add %al,(%eax) ... Disassembly of section .init_array: 08049f08 <__frame_dummy_init_array_entry>: 8049f08: 70 84 jo 8049e8e <__FRAME_END__+0x1776> 8049f0a: 04 08 add $0x8,%al Disassembly of section .fini_array: 08049f0c <__do_global_dtors_aux_fini_array_entry>: 8049f0c: 50 push %eax 8049f0d: 84 04 08 test %al,(%eax,%ecx,1) Disassembly of section .jcr: 08049f10 <__JCR_END__>: 8049f10: 00 00 add %al,(%eax) ... Disassembly of section .dynamic: 08049f14 <_DYNAMIC>: 8049f14: 01 00 add %eax,(%eax) 8049f16: 00 00 add %al,(%eax) 8049f18: 01 00 add %eax,(%eax) 8049f1a: 00 00 add %al,(%eax) 8049f1c: 0c 00 or $0x0,%al 8049f1e: 00 00 add %al,(%eax) 8049f20: 10 83 04 08 0d 00 adc %al,0xd0804(%ebx) 8049f26: 00 00 add %al,(%eax) 8049f28: d4 85 aam $0x85 8049f2a: 04 08 add $0x8,%al 8049f2c: 19 00 sbb %eax,(%eax) 8049f2e: 00 00 add %al,(%eax) 8049f30: 08 9f 04 08 1b 00 or %bl,0x1b0804(%edi) 8049f36: 00 00 add %al,(%eax) 8049f38: 04 00 add $0x0,%al 8049f3a: 00 00 add %al,(%eax) 8049f3c: 1a 00 sbb (%eax),%al 8049f3e: 00 00 add %al,(%eax) 8049f40: 0c 9f or $0x9f,%al 8049f42: 04 08 add $0x8,%al 8049f44: 1c 00 sbb $0x0,%al 8049f46: 00 00 add %al,(%eax) 8049f48: 04 00 add $0x0,%al 8049f4a: 00 00 add %al,(%eax) 8049f4c: f5 cmc 8049f4d: fe (bad) 8049f4e: ff 6f ac ljmp *-0x54(%edi) 8049f51: 81 04 08 05 00 00 00 addl $0x5,(%eax,%ecx,1) 8049f58: 3c 82 cmp $0x82,%al 8049f5a: 04 08 add $0x8,%al 8049f5c: 06 push %es 8049f5d: 00 00 add %al,(%eax) 8049f5f: 00 cc add %cl,%ah 8049f61: 81 04 08 0a 00 00 00 addl $0xa,(%eax,%ecx,1) 8049f68: 6e outsb %ds:(%esi),(%dx) 8049f69: 00 00 add %al,(%eax) 8049f6b: 00 0b add %cl,(%ebx) 8049f6d: 00 00 add %al,(%eax) 8049f6f: 00 10 add %dl,(%eax) 8049f71: 00 00 add %al,(%eax) 8049f73: 00 15 00 00 00 00 add %dl,0x0 8049f79: 00 00 add %al,(%eax) 8049f7b: 00 03 add %al,(%ebx) 8049f7d: 00 00 
add %al,(%eax) 8049f7f: 00 00 add %al,(%eax) 8049f81: a0 04 08 02 00 mov 0x20804,%al 8049f86: 00 00 add %al,(%eax) 8049f88: 20 00 and %al,(%eax) 8049f8a: 00 00 add %al,(%eax) 8049f8c: 14 00 adc $0x0,%al 8049f8e: 00 00 add %al,(%eax) 8049f90: 11 00 adc %eax,(%eax) 8049f92: 00 00 add %al,(%eax) 8049f94: 17 pop %ss 8049f95: 00 00 add %al,(%eax) 8049f97: 00 f0 add %dh,%al 8049f99: 82 (bad) 8049f9a: 04 08 add $0x8,%al 8049f9c: 11 00 adc %eax,(%eax) 8049f9e: 00 00 add %al,(%eax) 8049fa0: e8 82 04 08 12 call 1a0ca427 <_end+0x120803f7> 8049fa5: 00 00 add %al,(%eax) 8049fa7: 00 08 add %cl,(%eax) 8049fa9: 00 00 add %al,(%eax) 8049fab: 00 13 add %dl,(%ebx) 8049fad: 00 00 add %al,(%eax) 8049faf: 00 08 add %cl,(%eax) 8049fb1: 00 00 add %al,(%eax) 8049fb3: 00 fe add %bh,%dh 8049fb5: ff (bad) 8049fb6: ff 6f b8 ljmp *-0x48(%edi) 8049fb9: 82 (bad) 8049fba: 04 08 add $0x8,%al 8049fbc: ff (bad) 8049fbd: ff (bad) 8049fbe: ff 6f 01 ljmp *0x1(%edi) 8049fc1: 00 00 add %al,(%eax) 8049fc3: 00 f0 add %dh,%al 8049fc5: ff (bad) 8049fc6: ff 6f aa ljmp *-0x56(%edi) 8049fc9: 82 (bad) 8049fca: 04 08 add $0x8,%al ... Disassembly of section .got: 08049ffc <.got>: 8049ffc: 00 00 add %al,(%eax) ... Disassembly of section .got.plt: 0804a000 <_GLOBAL_OFFSET_TABLE_>: 804a000: 14 9f adc $0x9f,%al 804a002: 04 08 add $0x8,%al ... 804a00c: 56 push %esi 804a00d: 83 04 08 66 addl $0x66,(%eax,%ecx,1) 804a011: 83 04 08 76 addl $0x76,(%eax,%ecx,1) 804a015: 83 04 08 86 addl $0xffffff86,(%eax,%ecx,1) 804a019: 83 .byte 0x83 804a01a: 04 08 add $0x8,%al Disassembly of section .data: 0804a01c <__data_start>: 804a01c: 00 00 add %al,(%eax) ... 0804a020 <__dso_handle>: 804a020: 00 00 add %al,(%eax) ... Disassembly of section .bss: 0804a024 <__bss_start>: 804a024: 00 00 add %al,(%eax) ... 0804a028 <cc.2459>: 804a028: 00 00 add %al,(%eax) ... 0804a02c <aa>: 804a02c: 00 00 add %al,(%eax) ... 
Disassembly of section .comment: 00000000 <.comment>: 0: 47 inc %edi 1: 43 inc %ebx 2: 43 inc %ebx 3: 3a 20 cmp (%eax),%ah 5: 28 55 62 sub %dl,0x62(%ebp) 8: 75 6e jne 78 <_init-0x8048298> a: 74 75 je 81 <_init-0x804828f> c: 20 35 2e 34 2e 30 and %dh,0x302e342e 12: 2d 36 75 62 75 sub $0x75627536,%eax 17: 6e outsb %ds:(%esi),(%dx) 18: 74 75 je 8f <_init-0x8048281> 1a: 31 7e 31 xor %edi,0x31(%esi) 1d: 36 2e 30 34 2e ss xor %dh,%cs:(%esi,%ebp,1) 22: 39 29 cmp %ebp,(%ecx) 24: 20 35 2e 34 2e 30 and %dh,0x302e342e 2a: 20 32 and %dh,(%edx) 2c: 30 31 xor %dh,(%ecx) 2e: 36 30 36 xor %dh,%ss:(%esi) 31: 30 39 xor %bh,(%ecx) ...
继续懵逼,为什么strcpy可以返回指针,还特地找来glibc的code看了一下,没看到啥特殊处理。
又写了一个demo
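#include <stdio.h>
#include <stdlib.h>

/*
 * Allocates one int on the heap, prints the block's address and returns it.
 * Ownership passes to the caller, which must free() the result.
 * Returns NULL if malloc fails; nothing is printed in that case.
 */
int *test(void)
{
    int *p = malloc(sizeof *p);   /* no cast on malloc in C */

    if (p == NULL) {
        return NULL;
    }
    printf("...%p\n", (void *)p);
    return p;
}

/*
 * Shows the difference between `test` (the function's own address) and
 * `test()` (the call, whose value is the pointer the function returned).
 * %p expects void *, so both arguments are cast; converting a function
 * pointer to void * is a common extension that ISO C does not guarantee.
 */
int main(void)
{
    int *pp = test();

    printf("%p\n", (void *)test);
    printf("%p\n", (void *)pp);
    free(pp);   /* free(NULL) is a no-op, so the failure path needs no guard */
    return 0;
}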
最后终于瞅出来了
test() 是函数调用,打印的时候是 return 的地址。
test 表示的是函数的指针。
学习任何东西,总有一个经常反复,越来越熟悉的过程。
有些觉得会了的东西,掌握得可能不够透彻。
原文地址:https://www.cnblogs.com/rivsidn/p/9236423.html