Assembly: reverse engineering with strcpy (stack overflow attack)


The C code is as follows:

#include <string.h>

void foo (char *x){
    int buf[1];                 /* 4-byte buffer: room for a single int */
    strcpy((char *) buf, x);    /* unbounded copy: 10 bytes land in a 4-byte buffer */
}

void callfoo() {
    foo("abcdefghi");           /* 9 characters plus the terminating NUL */
}
Part of the assembly code for foo is:

leal 0xfffffffc(%ebp), %eax
pushl %eax
call 80483c4 <strcpy>
movl %ebp, %esp
popl %ebp
ret
But the solution says it fills %ebp through %ebp+0x8. I misunderstood the stack structure.

The solution says:

B. Immediately before the ret instruction at address of foo, what is the value of the frame pointer register %ebp?

%ebp = 0x68676665

C. Immediately after the ret instruction of foo, what is the value of the program counter register %eip?

%eip = %ebp+8 (it is changed by strcpy)

I misunderstood the push instruction.

The push instruction

pushl %ebp

is equivalent to

subl $0x4, %esp
movl %ebp, (%esp)

So strcpy fills %ebp through %ebp+0x8.

Treat %ebp as a pointer. It points to an address, buf, and strcpy will try to write your 10-byte string literal to that address.
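To see how the self-answer's layout (buf[0] at %ebp-4, the saved %ebp at %ebp, the return address at %ebp+4) produces the solution's value 0x68676665, here is an added example that is not part of the original question or answers. It builds a 12-byte image of foo's frame, copies the string into it the way strcpy would, and decodes the three slots; it assumes a 32-bit little-endian x86 frame exactly as shown above, and the caller's %ebp and return address values are constructed placeholders. The copy is clamped to the model's 12 bytes so the program itself stays well-defined; a real strcpy would keep writing.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Assumed frame layout, as laid out by the page's assembly:
 *   offset 0: buf[0]        (%ebp-4)
 *   offset 4: saved %ebp    (%ebp)    loaded back by popl %ebp
 *   offset 8: return address (%ebp+4) loaded into %eip by ret */
enum { OFF_BUF = 0, OFF_SAVED_EBP = 4, OFF_RET = 8, FRAME_BYTES = 12 };

struct frame_after {
    uint32_t buf0;        /* what buf[0] holds after the copy */
    uint32_t saved_ebp;   /* what popl %ebp puts in %ebp, i.e. %ebp before ret */
    uint32_t ret_addr;    /* what ret loads into %eip */
    size_t   overflow;    /* bytes written past the end of buf */
};

/* Little-endian helpers so the result does not depend on the host's byte order. */
static void put_le32(unsigned char *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (unsigned char)(v >> (8 * i));
}
static uint32_t get_le32(const unsigned char *p) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) v |= (uint32_t)p[i] << (8 * i);
    return v;
}

/* Model strcpy(buf, x) inside a byte image of the frame instead of
 * corrupting the real stack. caller_ebp/caller_ret are constructed values. */
struct frame_after simulate_foo(const char *x, uint32_t caller_ebp, uint32_t caller_ret) {
    unsigned char image[FRAME_BYTES];
    put_le32(image + OFF_BUF, 0);             /* buf[0] is uninitialised; model it as 0 */
    put_le32(image + OFF_SAVED_EBP, caller_ebp);
    put_le32(image + OFF_RET, caller_ret);

    size_t n = strlen(x) + 1;                 /* strcpy copies the NUL terminator too */
    size_t copied = n < FRAME_BYTES ? n : FRAME_BYTES;  /* clamp: the model ends here */
    memcpy(image + OFF_BUF, x, copied);

    struct frame_after r;
    r.buf0      = get_le32(image + OFF_BUF);
    r.saved_ebp = get_le32(image + OFF_SAVED_EBP);
    r.ret_addr  = get_le32(image + OFF_RET);
    r.overflow  = n > sizeof(int) ? n - sizeof(int) : 0;
    return r;
}

int main(void) {
    struct frame_after r = simulate_foo("abcdefghi", 0xbfff0000u, 0x08048400u);
    printf("buf[0]    = 0x%08x  (\"abcd\")\n", r.buf0);
    printf("saved ebp = 0x%08x  (\"efgh\": %%ebp just before ret)\n", r.saved_ebp);
    printf("ret addr  = 0x%08x  (low two bytes replaced by 'i' and NUL)\n", r.ret_addr);
    printf("overflow  = %zu bytes past buf\n", r.overflow);
    return 0;
}
```

Running it shows the saved %ebp slot becoming 0x68676665 ("efgh" read little-endian), which is exactly the value the solution gives for %ebp before ret, and only the two low bytes of the return address being clobbered by 'i' and the terminator, so the 6 bytes of overflow reach into the slot that ret pops.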