谢谢各位,问题已解决
问题已解决,方法:
修改后的lib.s代码:
# lib.s -- 32-bit x86, AT&T/GAS syntax, cdecl, frame-pointer prologue.
#
# void address_swap(int *x, int *y)
#   Swaps *x and *y through the pointers, then overwrites its own saved
#   return address at 4(%ebp) with the address of print_hello_world, so the
#   final `ret` transfers control to print_hello_world instead of back to
#   the caller.  Clobbers: eax, edx, flags.
#   Frame layout fixed by the prologue below:
#     [ebp+12] y   [ebp+8] x   [ebp+4] return address   [ebp+0] saved ebp
#     [ebp-4]  tmp (the only used slot of the 16 bytes reserved)
#
# ret_from_PrintHelloWorld
#   Exported so that the inline asm in print_hello_world (swap.c) can `jmp`
#   here after its own `leave`.  This is a label in the middle of
#   address_swap, not a function: the `leave; ret` under it run with whatever
#   %ebp print_hello_world restored.  NOTE(review): by tracing the frames,
#   that %ebp is main's frame pointer (address_swap's own `leave` restored it
#   before `ret`, and print_hello_world's prologue pushed/popped that value),
#   so the `ret` here returns from main to main's caller -- nothing after the
#   address_swap call in main executes.  The thread shows no program output;
#   confirm by running the binary.
#
# NOTE(review): writing 4(%ebp) is exactly the return-address overwrite a
# stack-smashing exploit performs.  It only works with a frame pointer
# (no -fomit-frame-pointer), without a shadow stack / CET, and
# `movl $print_hello_world` needs a fixed link-time address (non-PIE build).
# The objdump in this thread shows fixed 0x0804xxxx addresses and no
# %gs:0x14 stack-protector canary, which is why it runs there.  Demo only.
.global address_swap,ret_from_PrintHelloWorld
.text
address_swap:
pushl %ebp
movl %esp,%ebp
subl $0x10,%esp                    # reserve locals; only -4(%ebp) is used
movl 0x8(%ebp),%eax                # eax = x
movl (%eax),%eax                   # eax = *x
movl %eax,0xfffffffc(%ebp)         # tmp = *x   (-4(%ebp))
movl 0xc(%ebp),%eax                # eax = y
movl (%eax),%edx                   # edx = *y
movl 0x8(%ebp),%eax                # eax = x
movl %edx,(%eax)                   # *x = *y
movl 0xc(%ebp),%edx                # edx = y
movl 0xfffffffc(%ebp),%eax         # eax = tmp
movl %eax,(%edx)                   # *y = tmp
movl $print_hello_world, %eax      # absolute address: requires a non-PIE link
movl %eax, 0x4(%ebp)               # overwrite the saved return address; `ret` below now lands in print_hello_world
ret_from_PrintHelloWorld:          # re-entered by `jmp` from print_hello_world's inline asm, with %ebp already restored by its `leave`
leave
ret
修改后的swap.c代码(注意:论坛显示把下面 `printf(...)` 和 `asm volatile(...)` 行末的 `)` 吞掉了,显示成了 `" ;`,实际应为 `);` 才能编译;从反汇编里的 `call puts@plt` 可以看出原文件是完整可编译的):
#include <stdio.h>
/*
 * value_swap: a pass-by-value "swap".  x and y are this function's own
 * copies of the caller's values, so exchanging them is invisible to the
 * caller; it exists only as a contrast to address_swap (lib.s), which works
 * through pointers.
 */
static inline void value_swap(int x, int y)
{
	int saved_x = x;

	x = y;
	y = saved_x;
	/* The locals are discarded on return; the casts only silence
	 * set-but-unused warnings and change nothing at runtime. */
	(void)x;
	(void)y;
}
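/*
 * print_hello_world: the function address_swap (lib.s) redirects its `ret`
 * into.  Prints the greeting, then -- instead of returning with `ret` --
 * tears down its own frame and jumps to the ret_from_PrintHelloWorld label
 * inside address_swap.  It never returns normally, so nothing placed after
 * the asm statement is reachable (the posted version had a second printf
 * there; the objdump in this thread shows it emitted at 0x80483cf with no
 * branch targeting it).
 *
 * Requirements (demo code only):
 *   - 32-bit x86, AT&T syntax, and a frame-pointer prologue
 *     (push %ebp; mov %esp,%ebp): the `leave` assumes %ebp is this frame's
 *     base, so do not build with -fomit-frame-pointer.
 *   - ret_from_PrintHelloWorld must be a global label (lib.s exports it).
 *   - `addl $4,%esp` adjusts %esp after `leave`, but the label it jumps to
 *     executes its own `leave`, which reloads %esp from %ebp, so that
 *     adjustment is effectively discarded.  NOTE(review): by the frame
 *     trace, %ebp at the jump is main's frame pointer, so the `leave; ret`
 *     at the label return out of main entirely; confirm by running.
 *
 * Fixes vs. the posted text: the forum rendering dropped the `)` before
 * each `;` (`printf("..." ;`), which does not compile.  The unused local d0
 * and the `#ifdef ret_from_PrintHelloWorld` block are removed: that #ifdef
 * tests a preprocessor macro that is never defined (the name is an
 * assembler symbol), so the block was never compiled, and its asm also
 * declared d0 as an input ("m") while storing to it.
 */
void print_hello_world()
{
	printf("hello world!\n");
	/* Drop this frame, then jump (not return) back into address_swap. */
	asm volatile("leave; addl $4,%esp; jmp ret_from_PrintHelloWorld");
	/* Not reached: control never comes back from the jmp above. */
}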
/*
 * C reference version of address_swap, kept for comparison only.  The live
 * implementation is the hand-written one in lib.s above, which performs the
 * same swap and then additionally overwrites its own return address.
void address_swap(int *x, int *y)
{
int tmp;
tmp = *x;
*x = *y;
*y = tmp;
}
*/
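/*
 * Demo driver.  Shows that value_swap leaves a and b untouched, then calls
 * address_swap (lib.s), which swaps them through the pointers and then
 * hijacks its own return address to run print_hello_world.
 *
 * NOTE(review): by tracing lib.s, control never arrives back at the second
 * printf below: print_hello_world jumps to ret_from_PrintHelloWorld, whose
 * `leave; ret` run with main's frame pointer and therefore return from main
 * straight to its caller.  The thread does not show the program's output,
 * so confirm by running it.
 *
 * Fix vs. the posted text: address_swap's C definition is commented out and
 * the real one lives in lib.s, so the call below relied on an implicit
 * declaration; a block-scope prototype is added.
 */
int main()
{
	void address_swap(int *x, int *y);	/* implemented in lib.s */
	int a = 1, b = 2;

	value_swap(a, b);
	printf("value_swap,a:%d\tb:%d\n", a, b);
	address_swap(&a, &b);
	/* Expected never to run; see NOTE(review) above. */
	printf("address_swap,a:%d\tb:%d\n", a, b);
	return 0;
}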
函数调用流程(“fun_a->fun_b”表示fun_a函数调用fun_b函数)如下:
main->address_swap->print_hello_world。注意 print_hello_world 并不是用 ret 返回,而是 leave 之后 jmp 到 address_swap 内部的 ret_from_PrintHelloWorld 标号;按栈帧推演,address_swap 自己的 leave 在 ret 之前已经把 %ebp 恢复成 main 的帧指针,print_hello_world 的 push/leave 又原样保留了它,所以标号处的 leave;ret 实际是直接从 main 返回到 __libc_start_main 并结束进程,main 里 address_swap 之后的那句 printf 不会执行(帖子里没有贴运行输出,可实际运行确认)。调用返回说明如下:
1、main->address_swap的调用比较好理解,是直接的C语言函数间调用。
2、address_swap->print_hello_world的调用是通过以下两句实现的:
address_swap函数中下面的两句汇编
movl $print_hello_world, %eax
movl %eax, 0x4(%ebp)
3、从print_hello_world函数中正常返回到address_swap函数是靠在print_hello_world函数中的一段嵌入式汇编代码实现的:
asm volatile("leave; addl $4,%esp; jmp ret_from_PrintHelloWorld" ;
至于为什么上面的一段嵌入式汇编代码会使进程正常结束,请参见swap的反汇编代码(由执行objdump -d swap >swap.objdump命令获得的)请注意反汇编出来print_hello_world函数的一段内容:
80483b4: 55 push %ebp
80483b5: 89 e5 mov %esp,%ebp
80483b7: 83 ec 18 sub $0x18,%esp
80483ba: c7 04 24 80 85 04 08 movl $0x8048580,(%esp)
80483c1: e8 02 ff ff ff call 80482c8 <puts@plt>
80483c6: c9 leave
80483c7: 83 c4 04 add $0x4,%esp
80483ca: e9 d5 00 00 00 jmp 80484a4 <ret_from_PrintHelloWorld>
分析一下就知道 asm volatile("leave; addl $4,%esp; jmp ret_from_PrintHelloWorld"); 是怎么收栈的:leave 先把 print_hello_world 自己的帧撤掉并恢复 %ebp,然后 jmp 到 ret_from_PrintHelloWorld;那里的 leave 会再用 %ebp 重设 %esp,所以 addl $4,%esp 的效果实际上被覆盖了。另外要说明的是,这段代码的本质是改写栈上的返回地址(address_swap 里的 movl %eax,0x4(%ebp)),和栈溢出攻击劫持控制流用的是同一个原理。它能跑通依赖几个前提:用 %ebp 做帧指针(leave 才能正确恢复,不能 -fomit-frame-pointer)、print_hello_world 是固定的链接期地址(非 PIE,反汇编里都是 0x0804xxxx)、没有 shadow stack/CET,并且反汇编里看不到 %gs:0x14 的 canary 检查(没开 -fstack-protector)。只适合做实验,不要用在正式代码里。
swap.objdump内容如下:
swap: file format elf32-i386
Disassembly of section .init:
08048270 <_init>:
8048270: 55 push %ebp
8048271: 89 e5 mov %esp,%ebp
8048273: 83 ec 08 sub $0x8,%esp
8048276: e8 89 00 00 00 call 8048304 <call_gmon_start>
804827b: e8 10 01 00 00 call 8048390 <frame_dummy>
8048280: e8 ab 02 00 00 call 8048530 <__do_global_ctors_aux>
8048285: c9 leave
8048286: c3 ret
Disassembly of section .plt:
08048288 <__gmon_start__@plt-0x10>:
8048288: ff 35 a4 96 04 08 pushl 0x80496a4
804828e: ff 25 a8 96 04 08 jmp *0x80496a8
8048294: 00 00 add %al,(%eax)
...
08048298 <__gmon_start__@plt>:
8048298: ff 25 ac 96 04 08 jmp *0x80496ac
804829e: 68 00 00 00 00 push $0x0
80482a3: e9 e0 ff ff ff jmp 8048288 <_init+0x18>
080482a8 <__libc_start_main@plt>:
80482a8: ff 25 b0 96 04 08 jmp *0x80496b0
80482ae: 68 08 00 00 00 push $0x8
80482b3: e9 d0 ff ff ff jmp 8048288 <_init+0x18>
080482b8 <printf@plt>:
80482b8: ff 25 b4 96 04 08 jmp *0x80496b4
80482be: 68 10 00 00 00 push $0x10
80482c3: e9 c0 ff ff ff jmp 8048288 <_init+0x18>
080482c8 <puts@plt>:
80482c8: ff 25 b8 96 04 08 jmp *0x80496b8
80482ce: 68 18 00 00 00 push $0x18
80482d3: e9 b0 ff ff ff jmp 8048288 <_init+0x18>
Disassembly of section .text:
080482e0 <_start>:
80482e0: 31 ed xor %ebp,%ebp
80482e2: 5e pop %esi
80482e3: 89 e1 mov %esp,%ecx
80482e5: 83 e4 f0 and $0xfffffff0,%esp
80482e8: 50 push %eax
80482e9: 54 push %esp
80482ea: 52 push %edx
80482eb: 68 b0 84 04 08 push $0x80484b0
80482f0: 68 c0 84 04 08 push $0x80484c0
80482f5: 51 push %ecx
80482f6: 56 push %esi
80482f7: 68 dd 83 04 08 push $0x80483dd
80482fc: e8 a7 ff ff ff call 80482a8 <__libc_start_main@plt>
8048301: f4 hlt
8048302: 90 nop
8048303: 90 nop
08048304 <call_gmon_start>:
8048304: 55 push %ebp
8048305: 89 e5 mov %esp,%ebp
8048307: 53 push %ebx
8048308: 83 ec 04 sub $0x4,%esp
804830b: e8 00 00 00 00 call 8048310 <call_gmon_start+0xc>
8048310: 5b pop %ebx
8048311: 81 c3 90 13 00 00 add $0x1390,%ebx
8048317: 8b 93 fc ff ff ff mov 0xfffffffc(%ebx),%edx
804831d: 85 d2 test %edx,%edx
804831f: 74 05 je 8048326 <call_gmon_start+0x22>
8048321: e8 72 ff ff ff call 8048298 <__gmon_start__@plt>
8048326: 58 pop %eax
8048327: 5b pop %ebx
8048328: c9 leave
8048329: c3 ret
804832a: 90 nop
804832b: 90 nop
804832c: 90 nop
804832d: 90 nop
804832e: 90 nop
804832f: 90 nop
08048330 <__do_global_dtors_aux>:
8048330: 55 push %ebp
8048331: 89 e5 mov %esp,%ebp
8048333: 53 push %ebx
8048334: 83 ec 04 sub $0x4,%esp
8048337: 80 3d c4 96 04 08 00 cmpb $0x0,0x80496c4
804833e: 75 3f jne 804837f <__do_global_dtors_aux+0x4f>
8048340: b8 cc 95 04 08 mov $0x80495cc,%eax
8048345: 2d c8 95 04 08 sub $0x80495c8,%eax
804834a: c1 f8 02 sar $0x2,%eax
804834d: 8d 58 ff lea 0xffffffff(%eax),%ebx
8048350: a1 c0 96 04 08 mov 0x80496c0,%eax
8048355: 39 c3 cmp %eax,%ebx
8048357: 76 1f jbe 8048378 <__do_global_dtors_aux+0x48>
8048359: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
8048360: 83 c0 01 add $0x1,%eax
8048363: a3 c0 96 04 08 mov %eax,0x80496c0
8048368: ff 14 85 c8 95 04 08 call *0x80495c8(,%eax,4)
804836f: a1 c0 96 04 08 mov 0x80496c0,%eax
8048374: 39 c3 cmp %eax,%ebx
8048376: 77 e8 ja 8048360 <__do_global_dtors_aux+0x30>
8048378: c6 05 c4 96 04 08 01 movb $0x1,0x80496c4
804837f: 83 c4 04 add $0x4,%esp
8048382: 5b pop %ebx
8048383: 5d pop %ebp
8048384: c3 ret
8048385: 8d 74 26 00 lea 0x0(%esi),%esi
8048389: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
08048390 <frame_dummy>:
8048390: 55 push %ebp
8048391: 89 e5 mov %esp,%ebp
8048393: 83 ec 08 sub $0x8,%esp
8048396: a1 d0 95 04 08 mov 0x80495d0,%eax
804839b: 85 c0 test %eax,%eax
804839d: 74 12 je 80483b1 <frame_dummy+0x21>
804839f: b8 00 00 00 00 mov $0x0,%eax
80483a4: 85 c0 test %eax,%eax
80483a6: 74 09 je 80483b1 <frame_dummy+0x21>
80483a8: c7 04 24 d0 95 04 08 movl $0x80495d0,(%esp)
80483af: ff d0 call *%eax
80483b1: c9 leave
80483b2: c3 ret
80483b3: 90 nop
080483b4 <print_hello_world>:
80483b4: 55 push %ebp
80483b5: 89 e5 mov %esp,%ebp
80483b7: 83 ec 18 sub $0x18,%esp
80483ba: c7 04 24 80 85 04 08 movl $0x8048580,(%esp)
80483c1: e8 02 ff ff ff call 80482c8 <puts@plt>
80483c6: c9 leave
80483c7: 83 c4 04 add $0x4,%esp
80483ca: e9 d5 00 00 00 jmp 80484a4 <ret_from_PrintHelloWorld>
80483cf: c7 04 24 80 85 04 08 movl $0x8048580,(%esp)
80483d6: e8 ed fe ff ff call 80482c8 <puts@plt>
80483db: c9 leave
80483dc: c3 ret
080483dd <main>:
80483dd: 8d 4c 24 04 lea 0x4(%esp),%ecx
80483e1: 83 e4 f0 and $0xfffffff0,%esp
80483e4: ff 71 fc pushl 0xfffffffc(%ecx)
80483e7: 55 push %ebp
80483e8: 89 e5 mov %esp,%ebp
80483ea: 51 push %ecx
80483eb: 83 ec 24 sub $0x24,%esp
80483ee: c7 45 f8 01 00 00 00 movl $0x1,0xfffffff8(%ebp)
80483f5: c7 45 f4 02 00 00 00 movl $0x2,0xfffffff4(%ebp)
80483fc: 8b 45 f4 mov 0xfffffff4(%ebp),%eax
80483ff: 8b 55 f8 mov 0xfffffff8(%ebp),%edx
8048402: 89 44 24 04 mov %eax,0x4(%esp)
8048406: 89 14 24 mov %edx,(%esp)
8048409: e8 54 00 00 00 call 8048462 <value_swap>
804840e: 8b 45 f4 mov 0xfffffff4(%ebp),%eax
8048411: 8b 55 f8 mov 0xfffffff8(%ebp),%edx
8048414: 89 44 24 08 mov %eax,0x8(%esp)
8048418: 89 54 24 04 mov %edx,0x4(%esp)
804841c: c7 04 24 8d 85 04 08 movl $0x804858d,(%esp)
8048423: e8 90 fe ff ff call 80482b8 <printf@plt>
8048428: 8d 45 f4 lea 0xfffffff4(%ebp),%eax
804842b: 89 44 24 04 mov %eax,0x4(%esp)
804842f: 8d 45 f8 lea 0xfffffff8(%ebp),%eax
8048432: 89 04 24 mov %eax,(%esp)
8048435: e8 42 00 00 00 call 804847c <address_swap>
804843a: 8b 45 f4 mov 0xfffffff4(%ebp),%eax
804843d: 8b 55 f8 mov 0xfffffff8(%ebp),%edx
8048440: 89 44 24 08 mov %eax,0x8(%esp)
8048444: 89 54 24 04 mov %edx,0x4(%esp)
8048448: c7 04 24 a3 85 04 08 movl $0x80485a3,(%esp)
804844f: e8 64 fe ff ff call 80482b8 <printf@plt>
8048454: b8 00 00 00 00 mov $0x0,%eax
8048459: 83 c4 24 add $0x24,%esp
804845c: 59 pop %ecx
804845d: 5d pop %ebp
804845e: 8d 61 fc lea 0xfffffffc(%ecx),%esp
8048461: c3 ret
08048462 <value_swap>:
8048462: 55 push %ebp
8048463: 89 e5 mov %esp,%ebp
8048465: 83 ec 10 sub $0x10,%esp
8048468: 8b 45 08 mov 0x8(%ebp),%eax
804846b: 89 45 fc mov %eax,0xfffffffc(%ebp)
804846e: 8b 45 0c mov 0xc(%ebp),%eax
8048471: 89 45 08 mov %eax,0x8(%ebp)
8048474: 8b 45 fc mov 0xfffffffc(%ebp),%eax
8048477: 89 45 0c mov %eax,0xc(%ebp)
804847a: c9 leave
804847b: c3 ret
0804847c <address_swap>:
804847c: 55 push %ebp
804847d: 89 e5 mov %esp,%ebp
804847f: 83 ec 10 sub $0x10,%esp
8048482: 8b 45 08 mov 0x8(%ebp),%eax
8048485: 8b 00 mov (%eax),%eax
8048487: 89 45 fc mov %eax,0xfffffffc(%ebp)
804848a: 8b 45 0c mov 0xc(%ebp),%eax
804848d: 8b 10 mov (%eax),%edx
804848f: 8b 45 08 mov 0x8(%ebp),%eax
8048492: 89 10 mov %edx,(%eax)
8048494: 8b 55 0c mov 0xc(%ebp),%edx
8048497: 8b 45 fc mov 0xfffffffc(%ebp),%eax
804849a: 89 02 mov %eax,(%edx)
804849c: b8 b4 83 04 08 mov $0x80483b4,%eax
80484a1: 89 45 04 mov %eax,0x4(%ebp)
080484a4 <ret_from_PrintHelloWorld>:
80484a4: c9 leave
80484a5: c3 ret
80484a6: 90 nop
80484a7: 90 nop
80484a8: 90 nop
80484a9: 90 nop
80484aa: 90 nop
80484ab: 90 nop
80484ac: 90 nop
80484ad: 90 nop
80484ae: 90 nop
80484af: 90 nop
080484b0 <__libc_csu_fini>:
80484b0: 55 push %ebp
80484b1: 89 e5 mov %esp,%ebp
80484b3: 5d pop %ebp
80484b4: c3 ret
80484b5: 8d 74 26 00 lea 0x0(%esi),%esi
80484b9: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
080484c0 <__libc_csu_init>:
80484c0: 55 push %ebp
80484c1: 89 e5 mov %esp,%ebp
80484c3: 57 push %edi
80484c4: 56 push %esi
80484c5: 53 push %ebx
80484c6: e8 5e 00 00 00 call 8048529 <__i686.get_pc_thunk.bx>
80484cb: 81 c3 d5 11 00 00 add $0x11d5,%ebx
80484d1: 83 ec 1c sub $0x1c,%esp
80484d4: e8 97 fd ff ff call 8048270 <_init>
80484d9: 8d 83 20 ff ff ff lea 0xffffff20(%ebx),%eax
80484df: 89 45 f0 mov %eax,0xfffffff0(%ebp)
80484e2: 8d 83 20 ff ff ff lea 0xffffff20(%ebx),%eax
80484e8: 29 45 f0 sub %eax,0xfffffff0(%ebp)
80484eb: c1 7d f0 02 sarl $0x2,0xfffffff0(%ebp)
80484ef: 8b 55 f0 mov 0xfffffff0(%ebp),%edx
80484f2: 85 d2 test %edx,%edx
80484f4: 74 2b je 8048521 <__libc_csu_init+0x61>
80484f6: 31 ff xor %edi,%edi
80484f8: 89 c6 mov %eax,%esi
80484fa: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
8048500: 8b 45 10 mov 0x10(%ebp),%eax
8048503: 83 c7 01 add $0x1,%edi
8048506: 89 44 24 08 mov %eax,0x8(%esp)
804850a: 8b 45 0c mov 0xc(%ebp),%eax
804850d: 89 44 24 04 mov %eax,0x4(%esp)
8048511: 8b 45 08 mov 0x8(%ebp),%eax
8048514: 89 04 24 mov %eax,(%esp)
8048517: ff 16 call *(%esi)
8048519: 83 c6 04 add $0x4,%esi
804851c: 39 7d f0 cmp %edi,0xfffffff0(%ebp)
804851f: 75 df jne 8048500 <__libc_csu_init+0x40>
8048521: 83 c4 1c add $0x1c,%esp
8048524: 5b pop %ebx
8048525: 5e pop %esi
8048526: 5f pop %edi
8048527: 5d pop %ebp
8048528: c3 ret
08048529 <__i686.get_pc_thunk.bx>:
8048529: 8b 1c 24 mov (%esp),%ebx
804852c: c3 ret
804852d: 90 nop
804852e: 90 nop
804852f: 90 nop
08048530 <__do_global_ctors_aux>:
8048530: 55 push %ebp
8048531: 89 e5 mov %esp,%ebp
8048533: 53 push %ebx
8048534: bb c0 95 04 08 mov $0x80495c0,%ebx
8048539: 83 ec 04 sub $0x4,%esp
804853c: a1 c0 95 04 08 mov 0x80495c0,%eax
8048541: 83 f8 ff cmp $0xffffffff,%eax
8048544: 74 0c je 8048552 <__do_global_ctors_aux+0x22>
8048546: 83 eb 04 sub $0x4,%ebx
8048549: ff d0 call *%eax
804854b: 8b 03 mov (%ebx),%eax
804854d: 83 f8 ff cmp $0xffffffff,%eax
8048550: 75 f4 jne 8048546 <__do_global_ctors_aux+0x16>
8048552: 83 c4 04 add $0x4,%esp
8048555: 5b pop %ebx
8048556: 5d pop %ebp
8048557: c3 ret
Disassembly of section .fini:
08048558 <_fini>:
8048558: 55 push %ebp
8048559: 89 e5 mov %esp,%ebp
804855b: 53 push %ebx
804855c: 83 ec 04 sub $0x4,%esp
804855f: e8 00 00 00 00 call 8048564 <_fini+0xc>
8048564: 5b pop %ebx
8048565: 81 c3 3c 11 00 00 add $0x113c,%ebx
804856b: e8 c0 fd ff ff call 8048330 <__do_global_dtors_aux>
8048570: 59 pop %ecx
8048571: 5b pop %ebx
8048572: c9 leave
8048573: c3 ret
谢谢,有点乱!