论坛徽章:: 3

1楼 [报告]

发表于 2010-01-29 12:21 |显示全部楼层

*(&i+4) = (int)("addr = %p value = %d\n");
*(&i+5) = (int)(&gi+1);
*(&i+6) = gi+1;
*(&i+2) = (int)((int*)printf);

cjaizss

版主

论坛徽章:: 3

2楼 [报告]

发表于 2010-01-29 20:28 |显示全部楼层

原帖由 ytl 于 2010-1-29 16:25 发表

AIX 5.3/GCC, gi没有变，也没segment fault

cjaizss

版主

论坛徽章:: 3

3楼 [报告]

发表于 2010-01-30 19:08 |显示全部楼层

原帖由 swordfish.cn 于 2010-1-30 18:37 发表

“让代码的行为依赖于编译参数”不是好办法。但是在这个例子的情况下，我认为是最好的选择。既然anchor也无法完全确保程序的行为，我也就不再需要它了。当然，这是个别情况。

实际调用的时候做了转 ...

等一下，我正在写一个例子

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

cjaizss

版主

论坛徽章:: 3

4楼 [报告]

发表于 2010-01-30 19:25 |显示全部楼层

linux-0gt0:~/weiqi # cat /etc/issue
Welcome to SUSE Linux Enterprise Server 10 (i586) - Kernel \r (\l).
linux-0gt0:~/weiqi # uname -a
Linux linux-0gt0 2.6.16.21-0.8-default #1 Mon Jul 3 18:25:39 UTC 2006 i686 i686 i386 GNU/Linux
linux-0gt0:~/weiqi # cat 1.c
#include <sys/mman.h>
#include <stdio.h>
#include <asm/unistd.h>
#include <unistd.h>
#include <errno.h>
int main()
{
unsigned int i,j,k;
FILE* f;
char *p;
char cmd[200];
char s[]={0x55,0x89,0xe5,0x83,0xec,0x38,0xc6,0x45,0xf8,0x2f,0xc6,0x45,0xf9,0x62,0xc6,0x45,0xfa,0x69,0xc6,0x45,0xfb,0x6e,0xc6,0x45,0xfc,0x2f,0xc6,0x45,0xfd,0x6c,0xc6,0x45,0xfe,0x73,0xc6,0x45,0xff,0x00,0xc6,0x45,0xf4,0x2f,0xc6,0x45,0xf5,0x6c,0xc6,0x45,0xf6,0x73,0xc6,0x45,0xf7,0x00,0x8d,0x45,0xf4,0x89,0x45,0xec,0xc7,0x45,0xf0,0x00,0x00,0x00,0x00,0xc7,0x45,0xe8,0x00,0x00,0x00,0x00,0x8d,0x45,0xe8,0x8d,0x55,0xec,0x8d,0x4d,0xf8,0x89,0xcb,0x89,0xd1,0x89,0xc2,0xb8,0x0b,0x00,0x00,0x00,0xcd,0x80};
i=(unsigned)puts;
sprintf(cmd,"awk '{x=$1;y=x;sub(/.*-/,\"\",x);sub(/-.*/,\"\",y);if(strtonum(\"0x\"x)>%#x&&strtonum(\"0x\"y<%#x)){print y,x-y;exit}}' /proc/%d/maps",i,i,getpid());
f=popen(cmd,"r");
fscanf(f,"%x%x",&i,&j);
fclose(f);
if(mprotect((void*)i,j,PROT_WRITE|PROT_READ|PROT_EXEC) < 0)
perror("mprotect");
p=(char*)puts;
for(i=0;i<sizeof(s);i++)
p[i]=s[i];
puts("have a try\n");
return 0;
}
linux-0gt0:~/weiqi # gcc 1.c
linux-0gt0:~/weiqi # ./a.out
1 1.c 1.s 2 2.s a.out rules.c x
linux-0gt0:~/weiqi # ls
1 1.c 1.s 2 2.s a.out rules.c x

复制代码

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

cjaizss

版主

论坛徽章:: 3

5楼 [报告]

发表于 2010-01-30 19:33 |显示全部楼层

另外，术语栈（stack）的确是一个硬件相关的东西，C语言标准里是不会提到这个的。
并且栈的增长方面如同大端小端一样，并没有一个标准，C语言编译器是用栈传还是寄存器传，也并没有一个标准。
所以我说我开始写的那个代码能起作用完全是“硬件/编译相关”的

[ 本帖最后由 cjaizss 于 2010-1-30 19:36 编辑 ]

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

cjaizss

版主

论坛徽章:: 3

6楼 [报告]

发表于 2010-01-31 12:56 |显示全部楼层

再发一个

#include <stdio.h>
int gi = 1;
f()
{
int i;
/**/
int j;
char cmd[200];
FILE* f;
char *p;
char s[]={
0x55,0x89,0xe5,0x81,0xec,0x98,0x00,0x00,0x00,0xc7,0x45,0xfc,0x00,0x00,0x00,0x00,0xc7,0x45,0xf0,0x00,0x00,0x00,0x00,0xa1,0x90,0x98,0x04,0x08,0x83,0xe8,0x01,0xa3,0x90,0x98,0x04,0x08,0xa1,0x90,0x98,0x04,0x08,0x85,0xc0,0x75,0x08,0x83,0x45,0x0c,0x04,0x83,0x45,0x10,0x01,0xc7,0x45,0xf0,0x00,0x00,0x00,0x00,0xeb,0x15,0x8b,0x45,0xf0,0x8b,0x55,0x08,0x0f,0xb6,0x12,0x88,0x54,0x05,0x8c,0x83,0x45,0x08,0x01,0x83,0x45,0xf0,0x01,0x83,0x7d,0xf0,0x06,0x7e,0xe5,0x8b,0x45,0xf0,0xc6,0x44,0x05,0x8c,0x30,0x83,0x45,0xf0,0x01,0x8b,0x45,0xf0,0xc6,0x44,0x05,0x8c,0x78,0x83,0x45,0xf0,0x01,0xc7,0x45,0xf4,0x1c,0x00,0x00,0x00,0xeb,0x5a,0x8b,0x4d,0xf4,0xb8,0x0f,0x00,0x00,0x00,0xd3,0xe0,0x89,0xc2,0x8b,0x45,0x0c,0x21,0xd0,0x8b,0x4d,0xf4,0xd3,0xe8,0x89,0x45,0xf8,0x83,0x7d,0xf8,0x00,0x75,0x06,0x83,0x7d,0xfc,0x00,0x74,0x31,0xc7,0x45,0xfc,0x01,0x00,0x00,0x00,0x83,0x7d,0xf8,0x09,0x7f,0x13,0x8b,0x55,0xf0,0x8b,0x45,0xf8,0x83,0xc0,0x30,0x88,0x44,0x15,0x8c,0x83,0x45,0xf0,0x01,0xeb,0x11,0x8b,0x55,0xf0,0x8b,0x45,0xf8,0x83,0xc0,0x57,0x88,0x44,0x15,0x8c,0x83,0x45,0xf0,0x01,0x83,0x6d,0xf4,0x04,0x83,0x7d,0xf4,0x00,0x79,0xa0,0x83,0x45,0x08,0x02,0xc7,0x45,0xf4,0x00,0x00,0x00,0x00,0xeb,0x19,0x8b,0x45,0xf0,0x8b,0x55,0x08,0x0f,0xb6,0x12,0x88,0x54,0x05,0x8c,0x83,0x45,0xf0,0x01,0x83,0x45,0x08,0x01,0x83,0x45,0xf4,0x01,0x83,0x7d,0xf4,0x08,0x7e,0xe1,0x83,0x7d,0x10,0x01,0x75,0x0e,0x8b,0x45,0xf0,0xc6,0x44,0x05,0x8c,0x31,0x83,0x45,0xf0,0x01,0xeb,0x0c,0x8b,0x45,0xf0,0xc6,0x44,0x05,0x8c,0x32,0x83,0x45,0xf0,0x01,0x8b,0x45,0xf0,0xc6,0x44,0x05,0x8c,0x0a,0x83,0x45,0xf0,0x01,0x8b,0x55,0xf0,0x8d,0x4d,0x8c,0xbb,0x01,0x00,0x00,0x00,0xb8,0x04,0x00,0x00,0x00,0xcd,0x80,0xc9,0xc3,
0x00,0x01,0x00,0x00
};
i=(unsigned)printf;
sprintf(cmd,"awk '{x=$1;y=x;sub(/.*-/,\"\",x);sub(/-.*/,\"\",y);if(strtonum(\"0x\"x)>%#x&&strtonum(\"0x\"y<%#x)){print y,x-y;exit}}' /proc/%d/maps",i,i,getpid());
f=popen(cmd,"r");
fscanf(f,"%x%x",&i,&j);
fclose(f);
#include <sys/mman.h>
//int mprotect(void *addr, size_t len, int prot);
if(mprotect((void*)i,j,PROT_WRITE|PROT_READ|PROT_EXEC) < 0)
perror("mprotect");
p=(char*)printf;
j = (unsigned)printf+sizeof(s)-4;
*(unsigned*)(s+24)=*(unsigned*)(s+32)=*(unsigned*)(s+37)=j;
for(i=0;i<sizeof(s);i++)
p[i]=s[i];
/**/
for(i = 0; i < 256; i++) {
printf("addr = %p value = %d\n", &gi, gi);
}
}
main()
{
f();
}

复制代码

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

cjaizss

版主

论坛徽章:: 3

7楼 [报告]

发表于 2010-02-02 15:29 |显示全部楼层

本帖最后由 cjaizss 于 2010-02-02 18:39 编辑

[test]$ cat a.c
#include
#include

int evil_code(char *s)
{
printf("hi, I am he ...
baicj 发表于 2010-02-02 14:47

其实这也是编译相关的代码,系统如何实现才可决定代码如何写,只是改栈在如此硬件/如此编译下是最简单的.一般来说,crack也只是对症下药,并无统一规范方式.

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

返回列表

Chinaunix › 论坛 › 程序设计 › C/C++ › 一个所谓的全局变量地址改变的例子

一个所谓的全局变量地址改变的例子 [复制链接]