(gdb) disas
Dump of assembler code for function getbuf:
   0x0000000000400da0 <+0>:     push   %rbp
   0x0000000000400da1 <+1>:     mov    %rsp,%rbp
   0x0000000000400da4 <+4>:     sub    $0x30,%rsp
   0x0000000000400da8 <+8>:     lea    -0x30(%rbp),%rdi
=> 0x0000000000400dac <+12>:    callq  0x400cb0
   0x0000000000400db1 <+17>:    movabs $0xcccccccccccccccd,%rdx
   0x0000000000400dbb <+27>:    mov    %rax,%rcx
   0x0000000000400dbe <+30>:    mul    %rdx
   0x0000000000400dc1 <+33>:    shr    $0x5,%rdx
   0x0000000000400dc5 <+37>:    lea    (%rdx,%rdx,4),%rax
   0x0000000000400dc9 <+41>:    mov    %rcx,%rdx
   0x0000000000400dcc <+44>:    shl    $0x3,%rax
   0x0000000000400dd0 <+48>:    sub    %rax,%rdx
   0x0000000000400dd3 <+51>:    mov    $0x24,%eax
   0x0000000000400dd8 <+56>:    cmp    $0x24,%rdx
   0x0000000000400ddc <+60>:    cmovae %rdx,%rax
   0x0000000000400de0 <+64>:    xor    %ecx,%ecx
   0x0000000000400de2 <+66>:    add    $0x1e,%rax
   0x0000000000400de6 <+70>:    and    $0xfffffffffffffff0,%rax
   0x0000000000400dea <+74>:    sub    %rax,%rsp
   0x0000000000400ded <+77>:    lea    0xf(%rsp),%r8
   0x0000000000400df2 <+82>:    and    $0xfffffffffffffff0,%r8
   0x0000000000400df6 <+86>:    nopw   %cs:0x0(%rax,%rax,1)
   0x0000000000400e00 <+96>:    movzbl -0x30(%rbp,%rcx,1),%edi
   0x0000000000400e05 <+101>:   lea    (%r8,%rcx,1),%rsi
   0x0000000000400e09 <+105>:   add    $0x1,%rcx
   0x0000000000400e0d <+109>:   cmp    $0x24,%rcx
   0x0000000000400e11 <+113>:   mov    %dil,(%rsi)
   0x0000000000400e14 <+116>:   jne    0x400e00
   0x0000000000400e16 <+118>:   mov    %rdx,%rax
   0x0000000000400e19 <+121>:   leaveq
---Type <return> to continue, or q <return> to quit---
   0x0000000000400e1a <+122>:   retq
End of assembler dump.
(gdb) i f
Stack level 0, frame at 0x7fffffffb3e0:
 rip = 0x400dac in getbuf (bufbomb.c:136); saved rip 0x400ef3
 called by frame at 0x7fffffffb410
 source language c.
 Arglist at 0x7fffffffb3d0, args:
 Locals at 0x7fffffffb3d0, Previous frame's sp is 0x7fffffffb3e0
 Saved registers:
  rbp at 0x7fffffffb3d0, rip at 0x7fffffffb3d8
(gdb) i r
rax            0x0                 0
rbx            0x47982bd9          1201155033
rcx            0xdeadbeef          3735928559
rdx            0x7ffff7dd8e10      140737351880208
rsi            0x401344            4199236
rdi            0x7fffffffb3a0      140737488335776
rbp            0x7fffffffb3d0      0x7fffffffb3d0
rsp            0x7fffffffb3a0      0x7fffffffb3a0
r8             0x7ffff7ff700d      140737354100749
r9             0xc0000             786432
r10            0x0                 0
r11            0x7ffff7ad6d32      140737348726066
r12            0x607f80            6324096
r13            0x7fffffffe360      140737488348000
r14            0x0                 0
r15            0x0                 0
rip            0x400dac            0x400dac
eflags         0x206               [ PF IF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
(gdb) x /64x 0x7fffffffb3a0
0x7fffffffb3a0: 0xffffe260 0x00007fff 0x00607f80 0x00000000
0x7fffffffb3b0: 0xffffe360 0x00007fff 0xf7df0a55 0x00007fff
0x7fffffffb3c0: 0x00002e10 0x00000000 0xf7afe947 0x00007fff
0x7fffffffb3d0: 0xffffb400 0x00007fff 0x00400ef3 0x00000000
0x7fffffffb3e0: 0xffffb410 0x00007fff 0xdeadbeef 0x00000000
0x7fffffffb3f0: 0xf7dd70e0 0x00007fff 0x47982bd9 0x00000000
0x7fffffffb400: 0xffffe260 0x00007fff 0x00400fdd 0x00000000
0x7fffffffb410: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
0x7fffffffb420: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
0x7fffffffb430: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
0x7fffffffb440: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
0x7fffffffb450: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
0x7fffffffb460: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
0x7fffffffb470: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
0x7fffffffb480: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
0x7fffffffb490: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
(gdb) x /64x 0x7fffffffb3a0
0x7fffffffb3a0: 0xaaaaaaaa 0xaaaaaaaa 0xaaaaaaaa 0xaaaaaaaa
0x7fffffffb3b0: 0xaaaaaaaa 0xaaaaaaaa 0xaaaaaaaa 0xaaaaaaaa
0x7fffffffb3c0: 0xaaaaaaaa 0xaaaaaaaa 0xaaaaaaaa 0xaaaaaaaa
0x7fffffffb3d0: 0xaaaaaaaa 0xaaaaaaaa 0xc0010400 0x00000000
0x7fffffffb3e0: 0xffffb410 0x00007fff 0xdeadbeef 0x00000000
0x7fffffffb3f0: 0xf7dd70e0 0x00007fff 0x47982bd9
0x00000000
0x7fffffffb400: 0xffffe260 0x00007fff 0x00400fdd 0x00000000
0x7fffffffb410: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
0x7fffffffb420: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
0x7fffffffb430: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
0x7fffffffb440: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
0x7fffffffb450: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
0x7fffffffb460: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
0x7fffffffb470: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
0x7fffffffb480: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
0x7fffffffb490: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
(gdb) c
Continuing.
Type string: Misfire: You called fizz(0xdeadbe00)
[Inferior 1 (process 27846) exited normally]

(gdb) x /24x 0x7fffffffb3d0
0x7fffffffb3d0: 0xaaaaaaaa 0xaaaaaaaa 0x00401070 0x00000000
0x7fffffffb3e0: 0xaaaaaaaa 0xaaaaaaaa 0xdeadbe00 0x00000000
0x7fffffffb3f0: 0xf7dd70e0 0x00007fff 0x47982bd9 0x00000000
0x7fffffffb400: 0xffffe260 0x00007fff 0x00400fdd 0x00000000
0x7fffffffb410: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
0x7fffffffb420: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
(gdb) c
Continuing.
Type string: Misfire: global_value = 0x0
[Inferior 1 (process 28731) exited normally]
(gdb) i f
Stack level 0, frame at 0x7fffffffb3e0:
 rip = 0x400dac in getbuf (bufbomb.c:136); saved rip 0x400ef3
 called by frame at 0x7fffffffb410
 source language c.
 Arglist at 0x7fffffffb3d0, args:
 Locals at 0x7fffffffb3d0, Previous frame's sp is 0x7fffffffb3e0
 Saved registers:
  rbp at 0x7fffffffb3d0, rip at 0x7fffffffb3d8
(gdb) x /64x 0x7fffffffb3d0
0x7fffffffb3d0: 0xffffb400 0x00007fff 0x00400ef3 0x00000000
0x7fffffffb3e0: 0xffffb410 0x00007fff 0xdeadbeef 0x00000000
0x7fffffffb3f0: 0xf7dd70e0 0x00007fff 0x47982bd9 0x00000000
0x7fffffffb400: 0xffffe260 0x00007fff 0x00400fdd 0x00000000
0x7fffffffb410: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
0x7fffffffb420: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
0x7fffffffb430: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
0x7fffffffb440: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
0x7fffffffb450: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
0x7fffffffb460: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
0x7fffffffb470: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
0x7fffffffb480: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
0x7fffffffb490: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
0x7fffffffb4a0: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
0x7fffffffb4b0: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4
0x7fffffffb4c0: 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4 0xf4f4f4f4