Very large address copied as negative value

Submitted by 你。 on 2021-02-04 19:51:10

Question


I was going through a binary file corresponding to a C program.
I have a very large address stored in %eax.
When I tried to see the value via gdb, it printed a negative value (reason here).

Now when mov %eax, 0x4c(%esp) is performed, the resulting value in 0x4c(%esp) is sometimes positive and sometimes negative. This affects the cmp $0, 0x4c(%esp) statement that follows!

Can someone please explain this behavior?

If this helps:
core: ELF 32-bit LSB core file Intel 80386, version 1 (SYSV), SVR4-style


Answer 1:


Registers do not have signs; they hold bits. It's up to you how you interpret them. The same holds for the stack: it holds bits, and it's up to you how to interpret them. If you move a value from a register to the stack, the bits are copied. And if you interpret bits on the stack like you interpret bits in a register, you get the same value.

Note that there are instructions which interpret those bits as values - multiply, compare, etcetera. But MOV isn't one of those.
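
An added illustration, not part of the original answers: the C sketch below models the mov into the stack slot as a plain 4-byte copy, computes the flags that cmp $0 leaves behind, and shows how signed and unsigned conditional jumps read those flags. The address 0xbffff6a4 is a constructed sample value and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flags that `cmp $0, slot` leaves behind (it computes slot - 0). */
struct flags { int zf, sf, cf, of; };

static struct flags cmp_zero(uint32_t slot)
{
    struct flags f;
    f.zf = (slot == 0);        /* result is zero */
    f.sf = (int)(slot >> 31);  /* top bit of the result */
    f.cf = 0;                  /* subtracting 0 never borrows */
    f.of = 0;                  /* subtracting 0 never overflows */
    return f;
}

/* The conditional jump after cmp picks the interpretation of the flags. */
static int jg_taken(struct flags f) { return !f.zf && f.sf == f.of; } /* signed >   */
static int jl_taken(struct flags f) { return f.sf != f.of; }          /* signed <   */
static int ja_taken(struct flags f) { return !f.cf && !f.zf; }        /* unsigned > */

/* Model of `mov %eax, 0x4c(%esp)`: a plain 4-byte copy into a stack slot. */
static uint32_t mov_to_slot(uint32_t eax)
{
    uint32_t slot;
    memcpy(&slot, &eax, sizeof slot);
    return slot;
}

/* The two's complement (signed) reading of the same 32 bits. */
static int32_t as_signed(uint32_t bits)
{
    int32_t v;
    memcpy(&v, &bits, sizeof v);
    return v;
}

int main(void)
{
    uint32_t eax = 0xbffff6a4u;  /* constructed sample: a high 32-bit address */
    uint32_t slot = mov_to_slot(eax);
    struct flags f = cmp_zero(slot);
    printf("bits     0x%08x\n", (unsigned)slot);
    printf("signed   %d\n", (int)as_signed(slot));
    printf("unsigned %u\n", (unsigned)slot);
    printf("jg=%d jl=%d ja=%d\n", jg_taken(f), jl_taken(f), ja_taken(f));
    return 0;
}
```

For the sample value the copy is bit-identical, the signed reading is negative, and the signed and unsigned "greater than zero" jumps disagree.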




Answer 2:


The sequence of bits you are copying is always the same; the interpretation may be different, though. gdb is probably defaulting to a two's complement 32-bit value.

How to change the gdb output format:

https://sourceware.org/gdb/onlinedocs/gdb/Output-Formats.html




Answer 3:


If you use the following command in GDB:

print $esp-0x4c

You are actually displaying the address -0x4c(%esp) (i.e.: the value of the register esp plus the offset -0x4c) and not the content located at this address. In order to display the contents of -0x4c(%esp) (i.e.: to see what's actually at this address) you can use the x command:

x $esp-0x4c


Source: https://stackoverflow.com/questions/45690556/very-large-address-copied-as-negative-value
