问题
I am reading the book Hacking: The Art of Exploitation, 2nd Edition and in the simple C program
#include <stdio.h>
int main()
{
int i;
for (i = 0; i < 10; i++)
{
puts("Hello, world!\n");
}
return 0;
}
The book lists that the gdb debug will modify the ebp register first:
(gdb) x/i $eip 0x8048384 <main+16>: mov DWORD PTR [ebp-4],0x0
As it explains that This assembly instruction will move the value of 0 into memory located at the address stored in the EBP register, minus 4. This is where the C vari- able i is stored in memory; i was declared as an integer that uses 4 bytes of memory on the x86 processor
This makes sense for me, but when I test the exactly step on my "very old I386" Linux Laptop, here is what I got:
(gdb) x/i $eip => 0x4011b6 <main+29>: mov DWORD PTR [ebp-0xc],0x0
So on my laptop, it shows [ebp-0xc], instead of [ebp-4]. Based on my understanding, "0xc" as Hex will be 12, so it will be 12 byes? If so, why?
Here is the whole assemble dump on my laptop for this simple program (gdb) disassemble main
Dump of assembler code for function main:
0x00401199 <+0>: lea ecx,[esp+0x4]
0x0040119d <+4>: and esp,0xfffffff0
0x004011a0 <+7>: push DWORD PTR [ecx-0x4]
0x004011a3 <+10>: push ebp
0x004011a4 <+11>: mov ebp,esp
0x004011a6 <+13>: push ebx
0x004011a7 <+14>: push ecx
0x004011a8 <+15>: sub esp,0x10
0x004011ab <+18>: call 0x4010a0 <__x86.get_pc_thunk.bx>
0x004011b0 <+23>: add ebx,0x2e50
=> 0x004011b6 <+29>: mov DWORD PTR [ebp-0xc],0x0
0x004011bd <+36>: jmp 0x4011d5 <main+60>
0x004011bf <+38>: sub esp,0xc
0x004011c2 <+41>: lea eax,[ebx-0x1ff8]
0x004011c8 <+47>: push eax
0x004011c9 <+48>: call 0x401030 <puts@plt>
0x004011ce <+53>: add esp,0x10
0x004011d1 <+56>: add DWORD PTR [ebp-0xc],0x1
0x004011d5 <+60>: cmp DWORD PTR [ebp-0xc],0x9
0x004011d9 <+64>: jle 0x4011bf <main+38>
0x004011db <+66>: mov eax,0x0
0x004011e0 <+71>: lea esp,[ebp-0x8]
0x004011e3 <+74>: pop ecx
0x004011e4 <+75>: pop ebx
0x004011e5 <+76>: pop ebp
0x004011e6 <+77>: lea esp,[ecx-0x4]
0x004011e9 <+80>: ret
End of assembler dump.
回答1:
sub esp,0x10
allocated 16 bytes (four registers worth) of space on the stack for variables and other stuff.
mov DWORD PTR [ebp-0xc],0x0
appears to be the first reference to slot ebp-0xc, and it's being initialized to zero. After looking at cmp DWORD PTR [ebp-0xc],0x9 at main+60 I'm certain this is i = 0 from the initialization section of the for loop.
The compiler can put variables where it will, and while deterministic it changes with patch versions of the compiler.
来源:https://stackoverflow.com/questions/66090921/confused-by-ebp-0xc-instead-of-ebp-4-in-art-of-exploitation-example