
Question: stack offset of the seventh argument of an assembly function #5

Closed
ljysdfz opened this issue Sep 8, 2017 · 1 comment

ljysdfz commented Sep 8, 2017

While studying the assembly in chapter 5, I compiled the following C program:

```c
#include <stdint.h>

uint64_t foo(uint64_t a1, uint64_t a2, uint64_t a3, uint64_t a4, uint64_t a5, uint64_t a6,
             uint64_t a7, uint64_t a8, uint64_t a9, uint64_t a10, uint64_t a11) {
    return a1 + a2 + a3 + a4 + a5 + a6 + a7 + a8 + a9 + a10 + a11;
}
```

and got the following assembly:

```asm
## BB#0:
	push	rbp
	mov	rbp, rsp
	lea	rax, [rdi + rsi]
	add	rax, rdx
	add	rax, rcx
	add	rax, r8
	add	rax, r9
	add	rax, qword ptr [rbp + 16]
	add	rax, qword ptr [rbp + 24]
	add	rax, qword ptr [rbp + 32]
	add	rax, qword ptr [rbp + 40]
	add	rax, qword ptr [rbp + 48]
	pop	rbp
	ret
```

This is basically the same as the example in the book, but I have one question: why does the seventh argument start at [rbp + 16] rather than [rbp + 8]? As far as I can see, after arguments 7 to 11 are pushed onto the stack, control enters foo, which then does push rbp, and nothing else is pushed after that, so only 8 bytes should have been used; finally rbp is set to rsp. My understanding is that locating the seventh argument should only need [rbp + 8]. I would appreciate any guidance.


feicong commented Sep 23, 2017

When foo() is called, the call instruction pushes the address of the next instruction onto the stack. Inside the callee, after push rbp; mov rbp, rsp, [rbp + 0x8] points to the return address following the call.

When you are unsure about something, the best approach is to run it under a debugger yourself and look at the result:

```text
(lldb) po *(unsigned long long*)($rbp+ 0x8)
4294971239

(lldb) p/x *(unsigned long long*)($rbp+ 0x8)
(unsigned long long) $5 = 0x0000000100000f67
(lldb) disas -a 0x0000000100000f67
hello`main:
    0x100000f30 <+0>:  push   rbp
    0x100000f31 <+1>:  mov    rbp, rsp
    0x100000f34 <+4>:  sub    rsp, 0x8
    0x100000f38 <+8>:  mov    edi, 0x1
    0x100000f3d <+13>: mov    esi, 0x2
    0x100000f42 <+18>: mov    edx, 0x3
    0x100000f47 <+23>: mov    ecx, 0x4
    0x100000f4c <+28>: mov    r8d, 0x5
    0x100000f52 <+34>: mov    r9d, 0x6
    0x100000f58 <+40>: push   0xb
    0x100000f5a <+42>: push   0xa
    0x100000f5c <+44>: push   0x9
    0x100000f5e <+46>: push   0x8
    0x100000f60 <+48>: push   0x7
    0x100000f62 <+50>: call   0x100000f00               ; foo
    0x100000f67 <+55>: add    rsp, 0x30
    0x100000f6b <+59>: mov    rcx, rax
    0x100000f6e <+62>: lea    rdi, [rip + 0x31]         ; "%lld\n"
    0x100000f75 <+69>: xor    eax, eax
    0x100000f77 <+71>: mov    rsi, rcx
    0x100000f7a <+74>: call   0x100000f84               ; symbol stub for: printf
    0x100000f7f <+79>: xor    eax, eax
    0x100000f81 <+81>: pop    rbp
    0x100000f82 <+82>: ret
```

@feicong feicong closed this as completed Sep 23, 2017
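The frame layout the answer describes, as an added example that is not part of the thread: the first part replays the caller's pushes from the disassembly above on a model stack and reports each slot's offset from rbp (the return address value 0x100000f67 is taken from the disassembly, the saved-rbp value is constructed); the second part checks the same layout on real x86-64 SysV hardware with GCC or Clang. The names model_frame_offset, foo_checked and probe_real_frame are this example's own.

```c
#include <stdint.h>

/* Part 1: replay the caller's pushes seen in the disassembly above on a
 * model stack, then run foo's prologue (push rbp; mov rbp, rsp) and
 * report where each slot ends up relative to rbp. */
#define SLOTS 16
static uint64_t model_stack[SLOTS];

/* Byte offset from rbp of the return address (n == 0) or of stack
 * argument n (7..11); -1 for anything else.  model_frame_offset(7) == 16. */
long model_frame_offset(int n) {
    uint64_t *sp = model_stack + SLOTS;          /* empty stack: top of array */
    uint64_t *slot[12] = {0};
    for (int a = 11; a >= 7; a--)                /* push 0xb ... push 0x7 */
        slot[a] = --sp, *sp = (uint64_t)a;
    slot[0] = --sp, *sp = 0x100000f67ULL;        /* call: pushes the return address */
    --sp, *sp = 0xdeadbeefULL;                   /* foo: push rbp (constructed value) */
    uint64_t *rbp = sp;                          /* foo: mov rbp, rsp */
    if (n < 0 || n > 11 || !slot[n]) return -1;
    return (long)((char *)slot[n] - (char *)rbp);
}

/* Part 2: the same check on real hardware (x86-64 SysV with GCC/Clang).
 * __builtin_frame_address(0) forces the compiler to keep a frame pointer,
 * so rbp[0] is the saved rbp, rbp[1] the return address and rbp[2..6]
 * arguments 7..11.  Like the page's foo() it returns the sum of all
 * eleven arguments, but returns 0 if the layout is not as expected. */
#if defined(__x86_64__) && defined(__GNUC__) && !defined(_WIN64)
__attribute__((noinline))                        /* keep the real 11-argument call */
uint64_t foo_checked(uint64_t a1, uint64_t a2, uint64_t a3, uint64_t a4,
                     uint64_t a5, uint64_t a6, uint64_t a7, uint64_t a8,
                     uint64_t a9, uint64_t a10, uint64_t a11) {
    uint64_t *rbp = (uint64_t *)__builtin_frame_address(0);
    if (rbp[1] != (uint64_t)(uintptr_t)__builtin_return_address(0)) return 0;
    if (rbp[2] != a7 || rbp[3] != a8 || rbp[4] != a9 || rbp[5] != a10 || rbp[6] != a11)
        return 0;
    return a1 + a2 + a3 + a4 + a5 + a6 + a7 + a8 + a9 + a10 + a11;
}
#endif

/* 66 = layout confirmed on hardware, 0 = mismatch, -1 = not an x86-64 SysV build. */
long probe_real_frame(void) {
#if defined(__x86_64__) && defined(__GNUC__) && !defined(_WIN64)
    volatile uint64_t v[11] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11}; /* no constant folding */
    return (long)foo_checked(v[0], v[1], v[2], v[3], v[4], v[5],
                             v[6], v[7], v[8], v[9], v[10]);
#else
    return -1;
#endif
}
```

On a different architecture or ABI probe_real_frame() reports -1 rather than a mismatch, since the [rbp + 16] layout is specific to x86-64 SysV with a frame pointer.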