Problem description
Declaration of an array in disassembled code
I am trying to disassemble ropasaurusrex. It is a CTF challenge; you can download the executable from the following link. I am using Hopper for the disassembly. Here
The image above is the main routine of this program.
Please look at the red line in the image above.
The array declaration seems to be here:
lea eax, dword [ss: ebp+var_88] =====> char buffer[128];
Why? I don't understand the 128 bytes.
Reference solutions
Method 1:
In general, there is no direct correspondence between individual assembly instructions and C constructs. A single instruction may be just a single "brick" from a larger construct. If optimisations are turned on, tracing things this way becomes even harder.
Considering the first routine, here is an instruction‑by‑instruction walkthrough:
push ebp
saves the old "stack base pointer" on the stack, so that it can be restored after leaving the function and the caller can be confident that it hasn't changed;

mov ebp, esp
loads the value of the "base pointer" with the current value of the "stack pointer". Any further references to variables within the stack frame of that function can be made relative to this newly assigned base pointer;

sub esp, 0x98
subtracts the value 152 from the stack pointer. This effectively "allocates" space on the stack. Any variables with automatic storage can now be accommodated between the addresses pointed to by ebp and esp. This probably includes your buffer array.

mov dword [ss:esp + 8], 0x100
puts the value 256 at the address pointed to by esp + 8. That might correspond to an assignment to an automatic variable/array.

lea eax, dword [ss:ebp + var_88]
computes an address that is the result of the base pointer plus some constant offset, and stores it into eax. This probably corresponds to a pointer to the beginning of the automatic array.

eax is then moved to the stack as an argument to the following call to j_read. 0 is also passed as the first argument. The function is then called, the leave instruction restores the old base pointer and the control is returned to the caller via the ret instruction.
(by stackosiete, Blagovest Buyukliev)
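The frame arithmetic in the answer above, carried out by a small script. This is an added example, not code from the question or the answer: it parses the instructions quoted there, assumes Hopper's var_XX label means ebp - 0xXX, and reconstructs the two argument stores for eax and 0 that the answer only describes in prose. It then reports how many bytes lie between the buffer start and the saved base pointer, and whether the length handed to read fits in that region, which is the check an auditor would make.

```python
import re

# Instruction listing transcribed from the answer above. The two "mov dword
# [ss:esp + 4], eax" and "mov dword [ss:esp], 0x0" lines are reconstructed
# from the prose (assumption); the remaining lines are as quoted.
LISTING = """
push ebp
mov ebp, esp
sub esp, 0x98
mov dword [ss:esp + 8], 0x100
lea eax, dword [ss:ebp + var_88]
mov dword [ss:esp + 4], eax
mov dword [ss:esp], 0x0
call j_read
leave
ret
"""


def parse_frame(listing):
    """Collect the frame size, locals addressed via ebp (as positive byte
    offsets below ebp, assuming Hopper's var_XX = ebp - 0xXX) and the
    outgoing argument slots written through esp (value or register name)."""
    frame = {"size": 0, "locals": {}, "args": {}}
    for line in listing.strip().splitlines():
        m = re.match(r"sub esp, (0x[0-9a-f]+|\d+)", line)
        if m:
            frame["size"] = int(m.group(1), 0)
            continue
        m = re.match(r"lea (\w+), dword \[ss:ebp \+ var_([0-9a-f]+)\]", line)
        if m:
            frame["locals"][m.group(1)] = int(m.group(2), 16)  # register -> offset
            continue
        m = re.match(r"mov dword \[ss:esp(?: \+ (\d+))?\], (\w+)", line)
        if m:
            slot, val = int(m.group(1) or 0), m.group(2)
            frame["args"][slot] = int(val, 0) if val[0].isdigit() else val
    return frame


def read_call_layout(listing):
    """Resolve the read(fd, buf, len) call against the frame layout."""
    f = parse_frame(listing)
    buf_off = f["locals"][f["args"][4]]  # second argument is the lea result
    return {
        "frame_size": f["size"],                     # 0x98 = 152 bytes
        "buffer_offset_below_ebp": buf_off,          # 0x88 = 136 bytes
        "outgoing_arg_area": f["size"] - buf_off,    # space below the buffer
        "fd": f["args"][0],
        "read_length": f["args"][8],                 # 0x100 = 256 bytes
        # True when more bytes are read than exist between the buffer
        # start and the saved ebp.
        "read_exceeds_buffer_region": f["args"][8] > buf_off,
    }
```

Note that the 128 in the decompiler's char buffer[128] is a guess about the array's size; the listing itself only fixes where the array starts (ebp - 0x88) and how much is read into it.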