学步园

1. Intel的X86系统是little-endian，

>> cat endian.c<br /> #include <stdio.h><br /> int main()<br /> {<br /> int a = 'A';<br /> printf("%s/n", &a);<br /> }<br /> >> ./a.out<br /> A<br />

2. 代码如下：

>> cat stackdemo.c<br /> #include<stdio.h><br /> void fun(){<br /> printf(">_</n");<br /> printf("/n");<br /> }<br /> int main(int argc,char **argv){<br /> char buf[10];<br /> int *p;<br /> char *c;<br /> int i = 0;<br /> memset(buf, 0, 48);<br /> p = fun;<br /> c = (char*)&p;<br /> for ( i = 0; i < 8; i++)<br /> {<br /> buf[40+i] = c[i];<br /> }<br /> printf("buf address is 0x%8x/n", &buf);<br /> printf("fun address is 0x%8x/n", fun);<br /> return 0;<br /> }<br />

运行结果如下：

>> cc -g2 stackdemo.c<br /> stackdemo.c: In function `main':<br /> stackdemo.c:15: warning: assignment from incompatible pointer type<br /> >> ./a.out<br /> buf address is 0x4787bb30<br /> fun address is 0x 4004c8<br /> >_<<br /> buf address is 0x4787ba70<br /> fun address is 0x 4004c8<br /> >_<<br /> Memory fault(coredump)

在高的GCC版本，如果运行的时候报“*** stack smashing detected ***， 那是因为你的系统默认使用了GCC的“ -fstack-protector"参数导致的，我们只需要在编译的时候 export CFLAGS="-fno-stack-protector"就好。

>> gdb ./a.out<br /> GNU gdb 6.8-debian<br /> Copyright (C) 2008 Free Software Foundation, Inc.<br /> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html><br /> This is free software: you are free to change and redistribute it.<br /> There is NO WARRANTY, to the extent permitted by law. Type "show copying"<br /> and "show warranty" for details.<br /> This GDB was configured as "x86_64-linux-gnu"...<br /> (gdb) list<br /> 2 void fun(){<br /> 3 printf(">_</n");<br /> 4 printf("/n");<br /> 5 }<br /> 6<br /> 7 int main(int argc,char **argv){<br /> 8 char buf[10];<br /> 9 int *p;<br /> 10 char *c;<br /> 11 int i = 0;<br /> (gdb)<br /> 12<br /> 13 memset(buf, 0, 48);<br /> 14<br /> 15 p = fun;<br /> 16 c = (char*)&p;<br /> 17 for ( i = 0; i < 8; i++)<br /> 18 {<br /> 19 buf[40+i] = c[i];<br /> 20 }<br /> 21<br /> (gdb)<br /> 22 printf("buf address is 0x%8x/n", &buf);<br /> 23 printf("fun address is 0x%8x/n", fun);<br /> 24 return 0;<br /> 25 }<br /> (gdb) br 24<br /> Breakpoint 1 at 0x40057c: file stackdemo.c, line 24.<br /> (gdb) r<br /> Starting program: /local/c/a.out<br /> buf address is 0x64fbb220<br /> fun address is 0x 4004c8<br /> Breakpoint 1, main (argc=0, argv=0x0) at stackdemo.c:24<br /> 24 return 0;<br /> (gdb) i r<br /> rax 0x1a 26<br /> rbx 0x7fbf5cfbcc00 140459875486720<br /> rcx 0x7fbf5cd99780 140459873245056<br /> rdx 0x7fbf5cd9a9a0 140459873249696<br /> rsi 0x7fbf5cfb6000 140459875459072<br /> rdi 0x1 1<br /> rbp 0x7fff64fbb240 0x7fff64fbb240<br /> rsp 0x7fff64fbb200 0x7fff64fbb200<br /> r8 0xffffffff 4294967295<br /> r9 0x7fbf5cb5b5c0 140459870893504<br /> r10 0x0 0<br /> r11 0x246 582<br /> r12 0x0 0<br /> r13 0x7fff64fbb320 140734887605024<br /> r14 0x0 0<br /> r15 0x0 0<br /> rip 0x40057c 0x40057c <main+144><br /> eflags 0x202 [ IF ]<br /> cs 0x33 51<br /> ss 0x2b 43<br /> ds 0x0 0<br /> es 0x0 0<br /> fs 0x0 0<br /> gs 0x0 0<br /> fctrl 0x37f 895<br /> fstat 0x0 0<br /> ftag 0xffff 65535<br /> fiseg 0x0 0<br /> fioff 0x0 0<br /> foseg 0x0 0<br /> fooff 0x0 0<br /> fop 0x0 0<br /> mxcsr 0x1f80 [ IM DM ZM OM UM PM ]<br /> (gdb) x/64 0x7fff64fbb200<br /> 0x7fff64fbb200: 0x5cd95778 0x00007fbf 0x004005e5 0x00000008<br /> 0x7fff64fbb210: 0x64fbb218 0x00007fff 0x004004c8 0x00000000<br /> 0x7fff64fbb220: 0x00000000 0x00000000 0x00000000 0x00000000<br /> 0x7fff64fbb230: 0x00000000 0x00000000 0x00000000 0x00000000<br /> 0x7fff64fbb240: 0x00000000 0x00000000 0x004004c8 0x00000000<br /> 0x7fff64fbb250: 0x00400410 0x00000000 0x64fbb328 0x00007fff<br /> 0x7fff64fbb260: 0x00000000 0x00000001 0x004004ec 0x00000000<br /> 0x7fff64fbb270: 0x5cfbcc00 0x00007fbf 0x834c91aa 0x4ada9af4<br /> 0x7fff64fbb280: 0x00000000 0x00000000 0x64fbb320 0x00007fff<br /> 0x7fff64fbb290: 0x00000000 0x00000000 0x00000000 0x00000000<br /> 0x7fff64fbb2a0: 0xe7ec91aa 0xb5245303 0xe1b291aa 0xb5a423bf<br /> 0x7fff64fbb2b0: 0x00000000 0x00000000 0x00000000 0x00000000<br /> 0x7fff64fbb2c0: 0x00000000 0x00000000 0x004005a0 0x00000000<br /> 0x7fff64fbb2d0: 0x64fbb328 0x00007fff 0x00000001 0x00000000<br /> 0x7fff64fbb2e0: 0x00000000 0x00000000 0x00000000 0x00000000<br /> 0x7fff64fbb2f0: 0x00400410 0x00000000 0x64fbb320 0x00007fff<br />

注意：

1. ESP的值总是对的

2. 0x7fff64fbb210: 0x64fbb218      0x00007fff      0x004004c8      0x00000000

地址为“0x00007fff64fbb218”，小端系统，高位在高地址。