rmmovl dynamic number of bits
I know rmmovl can be used as follows:
rmmovl %ecx, 4(%edx)
But how do I set the number of bits to move down the stack (in this case 4) dynamically? I have tried setting a variable with the value I want to move by, e.g. rmmovl %ecx, %edi(%edx), but this does not work.
You have to set %edx to contain the offset manually. We can save the value of %edx on the stack and restore it afterwards, so its original value is unaffected.
pushl %edx # save current value of %edx
addl %edi, %edx # add %edi to %edx
rmmovl %ecx, (%edx) # store %ecx at address %edx (the original %edx plus %edi)
popl %edx # restore old %edx
I am not sure I fully understand the question. If you are just looking for a way to do a variable offset, Analytica's answer is quite correct (by the way, in principle you could hack the Y86 code on the fly, building the offset as you go, since Y86 has no overwrite protection and does not distinguish data from program.)
However, you wrote "...set the number of bits to move down the stack (in this case 4)?" Unless that is just a typo, you are asking a broader question (by the way, manipulating the stack by hand is not recommended.) For completeness, I am providing two programs that address your question.
The first program, Program 1, demonstrates variable offsets. The second, Program 2, demonstrates stack manipulation through variable offsets. It should be self-explanatory.
.pos 0x0100
stack:
.pos 0x00a0
rangestart: .long 0xAAAAAAAA
.long 0xBBBBBBBB
.long 0xCCCCCCCC # Target for substitution in Program 1
.long 0xDDDDDDDD
rangeend:
.pos 0x0000
#
# Program 1
#
# Simple program showing how we can "improvise" variable offset in rmmovl
# Our goal is to replace 0xCCCCCCCC with 0xFFFFFFFF in the range from
# .. rangestart to rangeend and preserving whatever temporary register
# .... we use for the offset
#
Program1: irmovl stack, %esp # Set stack pointer
irmovl $0xFFFFFFFF, %ecx # Stuff we can easily recognize
irmovl rangeend, %edx # Target area that we will negatively offset from
irmovl $-8, %edi # Set offset value -8
pushl %edx # Save current value of %edx
addl %edi, %edx # Add offset to %edx
rmmovl %ecx, (%edx) # Store value of %ecx into %edx with offset
popl %edx # Restore old %edx
jmp Program2
#
# Program 2
#
# Simple program showing how we can manipulate the stack using offsets
# Manipulating the stack is NOT recommended.
# Our goal is to push some easily recognizable stuff on the stack
# ... and change it afterwards
#
Program2:
pushl %edx # Save current value of %edx
pushl %eax # .. and %eax
irmovl $0xFFFFFFFF, %edx # Stuff we can easily recognize
pushl %edx # Push it
irmovl $0xEEEEEEEE, %edx # Stuff we can easily recognize
pushl %edx # Push it
irmovl $0xDDDDDDDD, %edx # Stuff we can easily recognize
pushl %edx # Push it
irmovl $0xAAAAAAAA, %eax # Stuff we can easily recognize
irmovl $4, %edi # Set offset value 4 (replace 0xEEEEEEEE, one word above the top of stack)
rrmovl %esp, %edx # Get stack
addl %edi,%edx # .. and offset
rmmovl %eax, (%edx) # Store stuff we recognize into offset to stack
popl %edx # Bypass
popl %edx # .. junk
popl %edx # .... on stack
popl %eax # ....... and restore old %eax (pushed last, so popped first)
popl %edx # ......... and %edx
halt # Finito!
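As an added example (not code from the question or from either answer), here is a small Python encoder and executor for the Y86 subset used on this page (32-bit Y86 as in CS:APP 2nd ed.). It shows why `rmmovl %ecx, %edi(%edx)` cannot exist, since the displacement is a 4-byte constant baked into the instruction encoding, and runs both ways of getting a variable offset: Analytica's fold-the-offset-into-the-base-register sequence, and the "hack the code on the fly" variant the second answer alludes to, which overwrites the displacement field of the rmmovl itself before it is fetched. The memory layout (data at 0xA0, stack at 0x100) and the marker words are taken from the answer's listing; the function names and the unified 512-byte memory are assumptions of this example.

```python
"""Added example: tiny Y86 (32-bit) encoder and executor demonstrating
variable offsets for rmmovl. Layout and marker values follow the listing
above; everything else here is an assumption of this example."""
import struct

MASK = 0xFFFFFFFF
# Register numbers as defined by the Y86 ISA.
REG = {"%eax": 0, "%ecx": 1, "%edx": 2, "%ebx": 3,
       "%esp": 4, "%ebp": 5, "%esi": 6, "%edi": 7}

# Encoders: each returns the bytes yas emits for that instruction.
def irmovl(imm, rb):   return bytes([0x30, 0xF0 | REG[rb]]) + struct.pack("<I", imm & MASK)
def rrmovl(ra, rb):    return bytes([0x20, REG[ra] << 4 | REG[rb]])
def rmmovl(ra, disp, rb):   # disp is the fixed 4-byte displacement field, not a register
    return bytes([0x40, REG[ra] << 4 | REG[rb]]) + struct.pack("<i", disp)
def addl(ra, rb):      return bytes([0x60, REG[ra] << 4 | REG[rb]])
def pushl(ra):         return bytes([0xA0, REG[ra] << 4 | 0xF])
def popl(ra):          return bytes([0xB0, REG[ra] << 4 | 0xF])
HALT = b"\x00"

def run(mem, pc=0, max_steps=10_000):
    """Execute from pc until halt. Code and data share one unprotected
    bytearray, as in the Y86 simulators, so a store can land on code."""
    r = [0] * 8
    def rd(a): return struct.unpack_from("<I", mem, a & MASK)[0]
    def wr(a, v): struct.pack_into("<I", mem, a & MASK, v & MASK)
    for _ in range(max_steps):
        op, fn = mem[pc] >> 4, mem[pc] & 0xF
        ra, rb = mem[pc + 1] >> 4, mem[pc + 1] & 0xF
        if op == 0x0:                           # halt
            return r, mem
        if op == 0x2 and fn == 0:               # rrmovl
            r[rb] = r[ra]; pc += 2
        elif op == 0x3:                         # irmovl
            r[rb] = rd(pc + 2); pc += 6
        elif op == 0x4:                         # rmmovl rA, D(rB): D is read from the instruction
            disp = struct.unpack_from("<i", mem, pc + 2)[0]
            wr(r[rb] + disp, r[ra]); pc += 6
        elif op == 0x6 and fn == 0:             # addl
            r[rb] = (r[rb] + r[ra]) & MASK; pc += 2
        elif op == 0xA:                         # pushl (pushes the old value even for %esp)
            v = r[ra]; r[4] = (r[4] - 4) & MASK; wr(r[4], v); pc += 2
        elif op == 0xB:                         # popl (read before bumping %esp)
            v = rd(r[4]); r[4] = (r[4] + 4) & MASK; r[ra] = v; pc += 2
        else:
            raise ValueError(f"unsupported opcode {mem[pc]:#04x} at {pc:#x}")
    raise RuntimeError("no halt reached")

STACK, DATA = 0x100, 0xA0                       # from the listing's .pos directives
WORDS = [0xAAAAAAAA, 0xBBBBBBBB, 0xCCCCCCCC, 0xDDDDDDDD]   # rangestart .. rangeend
RANGEEND = DATA + 4 * len(WORDS)

def fresh_memory():
    mem = bytearray(0x200)                      # assumed size; code at 0, data at 0xA0, stack at 0x100
    for i, w in enumerate(WORDS):
        struct.pack_into("<I", mem, DATA + 4 * i, w)
    return mem

def data_words(mem):
    return [struct.unpack_from("<I", mem, DATA + 4 * i)[0] for i in range(len(WORDS))]

def prologue(offset):
    """%esp, marker in %ecx, base (rangeend) in %edx, runtime offset in %edi."""
    return (irmovl(STACK, "%esp") + irmovl(0xFFFFFFFF, "%ecx")
            + irmovl(RANGEEND, "%edx") + irmovl(offset, "%edi"))

def store_via_add(offset):
    """Analytica's answer: save %edx, add the offset into it, store with a
    zero displacement, restore %edx. Returns (data words, final %edx)."""
    code = (prologue(offset) + pushl("%edx") + addl("%edi", "%edx")
            + rmmovl("%ecx", 0, "%edx") + popl("%edx") + HALT)
    mem = fresh_memory(); mem[:len(code)] = code
    r, mem = run(mem)
    return data_words(mem), r[REG["%edx"]]

def store_via_patch(offset):
    """Self-modifying variant: write %edi over the displacement field
    (bytes 2..5) of the rmmovl before that instruction is fetched."""
    pro = prologue(offset)
    store_addr = len(pro) + 6 + 6               # after one irmovl and one rmmovl (fixed lengths)
    code = (pro
            + irmovl(store_addr + 2, "%eax")    # address of the displacement field
            + rmmovl("%edi", 0, "%eax")         # overwrite it with the runtime offset
            + rmmovl("%ecx", 0, "%edx")         # assembled as 0(%edx); executes as offset(%edx)
            + HALT)
    mem = fresh_memory(); mem[:len(code)] = code
    r, mem = run(mem)
    return data_words(mem), r[REG["%edx"]]

if __name__ == "__main__":
    print(rmmovl("%ecx", 4, "%edx").hex())      # 401204000000: the 4 is inside the instruction
    print([hex(w) for w in store_via_add(-8)[0]])
    print([hex(w) for w in store_via_patch(-8)[0]])
```

Both functions leave memory in the same state (0xCCCCCCCC replaced by 0xFFFFFFFF for offset -8) and leave %edx at rangeend. The executor, like the SEQ simulator, finishes each instruction before fetching the next, so the patched displacement is seen immediately; on the PIPE implementation the rmmovl would already have been fetched when the patch lands, and on any real CPU with W^X or non-coherent instruction caches code that rewrites itself is exactly what memory protection exists to stop, which is the practical reason the second answer calls it a hack rather than a technique.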