



/*
 * Demonstration of a stack return-address overwrite. This is deliberate
 * undefined behaviour: an out-of-bounds write through a one-element array.
 *
 * `a` is a single-int local, so `a + 2` is two 4-byte slots above it. Per the
 * layout notes below, that slot is assumed to be this function's own return
 * address (a[1] = saved frame pointer, a[2] = return address). That only holds
 * for the exact 32-bit, unoptimised MSVC frame shown in the listing, with a
 * `push ebp; mov ebp, esp` prologue and nothing (no stack cookie, no padding)
 * between `a` and the saved EBP.
 *
 * Adding 7 to the return address (00401030, pushed by the `call` in main)
 * skips the 7-byte instruction `mov [ebp+var_4], 4` at 00401030, so the
 * statement `aa = 4` in main never executes.
 *
 * NOTE(review): a different compiler, optimisation level, a stack-protector
 * cookie, or any extra local in this function moves the return address to a
 * different slot -- the write would then corrupt something else or crash.
 * Only meaningful as a controlled exploitation exercise.
 */
void overFlow()
{
int a[] = { 0x78787868 };
*(a + 2) += 7; // add 7 to main's return address, i.e. skip `aa = 4`; 7 == size of that instruction (00401037 - 00401030), see the analysis below.
}
.text:00401020 ; int __cdecl main(int argc, const char **argv, const char *envp)
.text:00401020 _main proc near ; CODE XREF: ___tmainCRTStartup+15Ap
.text:00401020 ; main() as compiled: 32-bit MSVC, unoptimised, frame pointer kept. var_4 is the local `aa`.
.text:00401020 var_4 = dword ptr -4 ; local `aa` lives at [ebp-4]
.text:00401020 argc = dword ptr 8
.text:00401020 argv = dword ptr 0Ch
.text:00401020 envp = dword ptr 10h
.text:00401020
.text:00401020 push ebp ; prologue: save the caller's frame pointer
.text:00401021 mov ebp, esp
.text:00401023 push ecx ; makes room for the 4-byte local `aa` at [ebp-4]
.text:00401024 mov [ebp+var_4], 3 ; aa = 3;
.text:0040102B call sub_401000 ; calls overFlow(); this 5-byte call pushes 00401030 as the return address -- the value overFlow() adds 7 to
.text:00401030 mov [ebp+var_4], 4 ; aa = 4; this instruction is 7 bytes (00401037 - 00401030), so a return address of 00401030 + 7 resumes at the next instruction and this store never runs
.text:00401037 mov eax, [ebp+var_4] ; load aa
.text:0040103A push eax ; second argument: aa
.text:0040103B push offset unk_40C000 ; first argument: constant data at 40C000 (presumably a format string -- data not shown)
.text:00401040 call sub_40104E ; NOTE(review): looks like printf(fmt, aa); sub_40104E is not in this listing
.text:00401045 add esp, 8 ; cdecl: caller pops the two 4-byte arguments
.text:00401048 xor eax, eax ; return 0
.text:0040104A mov esp, ebp ; epilogue: release the frame
.text:0040104C pop ebp
.text:0040104D retn
.text:0040104D _main endp
004010C4 mov dword ptr [ebp-4],4   (the same `aa = 4` store as seen in a second build: its absolute address differs from 00401030 in the IDA listing above, but the encoding `C7 45 FC 04 00 00 00` — and therefore the 7-byte length — does not)
1. Stack layout inside overFlow(), assuming the same 32-bit frame-pointer prologue as main (`push ebp; mov ebp, esp`) and no stack cookie or padding between `a` and the saved frame pointer:
a[0]: 0x78787868   (the only real element of the array)
a[1]: saved_ebp    (the caller's frame pointer pushed by the prologue — this is EBP, not ESP)
a[2]: ret_addr     -> 00401030, the address of `aa = 4` in main (pushed by `call sub_401000` at 0040102B)
2. Why +7 and not +5: the adjustment is the length of the instruction being skipped, which is compiler-specific.
   `aa = 4` -> `mov dword ptr [ebp-4], 4` (C7 45 FC imm32) -> 7 bytes in this MSVC build (00401037 - 00401030), hence `+= 7`
   `aa = 4` -> `movl $4, %eax` (B8 imm32), if a compiler keeps `aa` in a register -> 5 bytes, so there the adjustment would have to be `+= 5`