IT博客-淡泊明志、宁静致远-随笔分类-汇编艺术http://www.cnitblog.com/houcy/category/6992.htmlA Diamond is just a piece of Coal that did well under Pressure.zh-cnSat, 16 Mar 2013 18:18:33 GMTSat, 16 Mar 2013 18:18:33 GMT60反汇编心得http://www.cnitblog.com/houcy/archive/2013/03/16/87075.html挑灯看剑挑灯看剑Sat, 16 Mar 2013 07:09:00 GMThttp://www.cnitblog.com/houcy/archive/2013/03/16/87075.htmlhttp://www.cnitblog.com/houcy/comments/87075.htmlhttp://www.cnitblog.com/houcy/archive/2013/03/16/87075.html#Feedback0http://www.cnitblog.com/houcy/comments/commentRss/87075.htmlhttp://www.cnitblog.com/houcy/services/trackbacks/87075.html
下面是函数调用时callee要做的事情(被调用者负责平衡堆栈: 分配和释放栈空间),所有的函数本质上都是callee,由别的函数调用指行,包括main函数:

1. 保存旧的帧指针(把新的栈帧链接到栈帧链表中)
其实栈被分成一个个连续的栈帧(由于函数调用的原因),这些栈帧就像链表一样被EBP链接了起来,每次被调用函数callee要做的第一件事情就是把新的栈帧链接到原来的栈帧链表上,即汇编代码:
 push ebp
把EBP的值压栈,而EBP恰是caller函数的帧指针,这就相当于挂接到栈帧链表上。

2. 建立新的帧指针
 mov  ebp , esp

3. 分配新的栈空间
sub esp , 0xC0h

4. 把寄存器压栈
push ebx
push esi
push edi

5. 初始化栈空间
初始化栈空间为0xCCh,0xCCh是汇编指令int 3的二进制码,便于中断纠错。
lea edi , [ebp - 0xC0h]
mov ecx , 30h  ;长度,30h * 4 = 0xC0h
mov eax , 0xCCCCCCCCh
rep stosd

6. 执行函数的算法代码

7. 平衡堆栈:弹出保存的寄存器,恢复栈空间,恢复被保存的EBP,即从栈帧链表中删除callee的栈帧。
pop edi
pop esi
pop ebx
mov esp , ebp ;恢复栈空间,重置栈顶esp, 此时esp = ebp = 旧的ebp
pop ebp ;恢复旧的EBP,即把新的栈帧从栈帧链表中删除了,此时esp指向被保存的函数返回地址,即call之后的地址
retn  ; 函数返回,此指令相当于pop eip,把esp指向的函数返回地址赋值给EIP

栈帧结构图:




挑灯看剑 2013-03-16 15:09 发表评论
]]>Registers in x86 architecturehttp://www.cnitblog.com/houcy/archive/2008/05/05/43378.html挑灯看剑挑灯看剑Mon, 05 May 2008 09:14:00 GMThttp://www.cnitblog.com/houcy/archive/2008/05/05/43378.htmlhttp://www.cnitblog.com/houcy/comments/43378.htmlhttp://www.cnitblog.com/houcy/archive/2008/05/05/43378.html#Feedback0http://www.cnitblog.com/houcy/comments/commentRss/43378.htmlhttp://www.cnitblog.com/houcy/services/trackbacks/43378.html
   The x86 architecture is a Complex Instruction Set Computing(CISC) architecture. Instructions are variable length,depending on their function.Three kinds of registers exist in the Pentuim class x86 architecture: general pupose,segment,and status/control. The basic user set is as follows:
* EAX:  General purpose accumulator
* EBX:  Pointer to data
* ECX:  Counter for loop operations
* EDX:  I/O pointer
* ESI:   Pointer to data in DS segment
* EDI:   Ponter to data in ES segment
* ESP:   Stack pointer
* EBP:  Pointer to data on the stack
   These six segment registers are used in real mode addressing where memory is accessed in blocks.A given byte of memory is then referenced by an offset from this segment(for example,ES:EDI references memory in the ES with an offset of the value in EDI):
* CS:  Code segment
* SS:  Stack segment
* ES,DS,FS,GS: Data segment
   The EFLAGS register indicates processor status after each intruction. This can hold results such as zero,overflow,or carry.The EIP is a dedicated pointer register that indicates an offset to the current instruction to the processor.This is generally used with the code segment register to form a complete address(for example, CS:EIP):
EFLAGS: Status,control,and system flags
EIP: The instruction pointer, contains an offset from CS



挑灯看剑 2008-05-05 17:14 发表评论
]]>Smashing The Stack For Fun And Profithttp://www.cnitblog.com/houcy/archive/2008/04/27/42819.html挑灯看剑挑灯看剑Sun, 27 Apr 2008 05:36:00 GMThttp://www.cnitblog.com/houcy/archive/2008/04/27/42819.htmlhttp://www.cnitblog.com/houcy/comments/42819.htmlhttp://www.cnitblog.com/houcy/archive/2008/04/27/42819.html#Feedback0http://www.cnitblog.com/houcy/comments/commentRss/42819.htmlhttp://www.cnitblog.com/houcy/services/trackbacks/42819.html阅读全文

挑灯看剑 2008-04-27 13:36 发表评论
]]>