全部博文(51)
分类: LINUX
2021-09-04 22:12:58
|
Register |
Purpose |
|
%rax |
temp register; return value |
|
%rbx |
callee-saved |
|
%rcx |
used to pass 4th argument to functions |
|
%rdx |
used to pass 3rd argument to functions |
|
%rsp |
stack pointer |
|
%rbp |
callee-saved; base pointer |
|
%rsi |
used to pass 2nd argument to functions |
|
%rdi |
used to pass 1st argument to functions |
|
%r8 |
used to pass 5th argument to functions |
|
%r9 |
used to pass 6th argument to functions |
|
%r10-r11 |
temporary |
|
%r12-r15 |
callee-saved registers |
来看一个栗子????吧,
|
#include
#include
int trampoline_test(void);
int fun_a(int i, char *pchar) {
if (i == 5) goto next;
printf("pchar is:%s\n", pchar); return 0;
next: printf("j is %d\n", i);
return 1; }
int main() { char test[] = "Hellow"; int i = 0;
i = trampoline_test(); i = 200; i += 8;
printf("i==%d\n",i); fun_a(1, (char *)&test);
return 0; } |
0000000100003e60 <_fun_a>: // 在 entry fun_a之前,返回地址已经push到stack了 100003e60: 55 pushq %rbp // 保存前一个栈帧的%rbp值; 100003e61: 48 89 e5 movq %rsp, %rbp // 为当前栈帧 更新%rbp 100003e64: 48 83 ec 10 subq $16, %rsp // 为本地变量预留栈空间 100003e68: 89 7d f8 movl %edi, -8(%rbp) 100003e6b: 48 89 75 f0 movq %rsi, -16(%rbp) 100003e6f: 83 7d f8 05 cmpl $5, -8(%rbp) 100003e73: 0f 85 05 00 00 00 jne 0x100003e7e <_fun_a+0x1e> 100003e79: e9 1e 00 00 00 jmp 0x100003e9c <_fun_a+0x3c> 100003e7e: 48 8b 75 f0 movq -16(%rbp), %rsi
100003e82: 48 8d 3d f5 00 00 00 leaq 245(%rip), %rdi # 100003f7e 100003e89: b0 00 movb $0, %al
100003e8b: e8 cc 00 00 00 callq 0x100003f5c 100003e90: c7 45 fc 00 00 00 00 movl $0, -4(%rbp) 100003e97: e9 18 00 00 00 jmp 0x100003eb4 <_fun_a+0x54> 100003e9c: 8b 75 f8 movl -8(%rbp), %esi
100003e9f: 48 8d 3d e5 00 00 00 leaq 229(%rip), %rdi # 100003f8b 100003ea6: b0 00 movb $0, %al
100003ea8: e8 af 00 00 00 callq 0x100003f5c 100003ead: c7 45 fc 01 00 00 00 movl $1, -4(%rbp) 100003eb4: 8b 45 fc movl -4(%rbp), %eax 100003eb7: 48 83 c4 10 addq $16, %rsp // 回收栈空间 100003ebb: 5d popq %rbp // 恢复previous 栈帧 %rbp值 100003ebc: c3 retq // “return address”出栈,更新%rip 100003ebd: 0f 1f 00 nopl (%rax) |
|
cat stack_frame.S #include #include #include .text .global _trampoline_test _trampoline_test: pushq %rbp movq %rsp, %rbp subq $8, %rsp addq $8, %rsp popq %rbp // pop %rbp后,此时 %rsp指向了“return address” addq $13, (%rsp) // 等价于: %rsp += 13,跳过13个字节的指令 movl $2, %eax // 返回值为2 retq |
|
100003ef3: e8 4c 00 00 00 callq 0x100003f44 <_trampoline_test> 100003ef8: 89 45 f0 movl %eax, -16(%rbp) 100003efb: c7 45 f0 c8 00 00 00 movl $200, -16(%rbp) 100003f02: 8b 45 f0 movl -16(%rbp), %eax 100003f05: 83 c0 08 addl $8, %eax // trampoline_test返回值为2,2+8=10 100003f08: 89 45 f0 movl %eax, -16(%rbp) 100003f0b: 8b 75 f0 movl -16(%rbp), %esi
100003f0e: 48 8d 3d 86 00 00 00 leaq 134(%rip), %rdi # 100003f9b 100003f15: b0 00 movb $0, %al
100003f17: e8 40 00 00 00 callq 0x100003f5c 100003f1c: 48 8d 7d f5 leaq -11(%rbp), %rdi |
|
$ as -o stack_frame.o stack_frame.S $ gcc -c -o jump_test.o jump_test.c
$ gcc jump_test.o stack_frame.o -o jump_test |
