rdx 0x00007fffe101dd5f: push %rcx 0x00007fffe101dd60: callq 0x00007fffe101dd6a 0x00007fffe101dd65: jmpq...0x00007fffe101dd97: callq 0x00007ffff66b581c 0x00007fffe101dd9c: add $0x8,%rsp 0x00007fffe101dda0: jmpq...0x00007fffe101de77: callq 0x00007ffff66b4d84 0x00007fffe101de7c: add $0x8,%rsp 0x00007fffe101de80: jmpq...0x00007fffe101def6: callq 0x00007ffff66b4bb4 0x00007fffe101defb: add $0x8,%rsp 0x00007fffe101deff: jmpq...%rbx 0x00007fffe101df1c: pop %rax // end of the set_method_data_pointer_for_bcp() call 0x00007fffe101df1d: jmpq
0x00000192d1972bb8: add $0x2,%r13 0x00000192d1972bbc: movabs $0x7fffd56e0fa0,%r10 0x00000192d1972bc6: jmpq...0x00000192d1972be7: add $0x4,%r13 0x00000192d1972beb: movabs $0x7fffd56e0fa0,%r10 0x00000192d1972bf5: jmpq...0x00000192d1972bb8: add $0x2,%r13 0x00000192d1972bbc: movabs $0x7fffd56e0fa0,%r10 0x00000192d1972bc6: jmpq...$0x2,%r13 ; prevent accidental execution into dead code 0x00000192d1972bbc: movabs $0x7fffd56e0fa0,%r10 0x00000192d1972bc6: jmpq...$0x4,%r13 ; prevent accidental execution into dead code 0x00000192d1972beb: movabs $0x7fffd56e0fa0,%r10 0x00000192d1972bf5: jmpq
r15) 0x00000001037b37ba: add $0x30,%rsp 0x00000001037b37be: pop %rbp 0x00000001037b37bf: jmpq...movabs $0x1037b385c,%r10 ; {section_word} 0x00000001037b3866: push %r10 0x00000001037b3868: jmpq...r15) 0x00000001037b3b17: add $0x30,%rsp 0x00000001037b3b1b: pop %rbp 0x00000001037b3b1c: jmpq...movabs $0x1037b3bbc,%r10 ; {section_word} 0x00000001037b3bc6: push %r10 0x00000001037b3bc8: jmpq
somewhere in it jumps to the beginning of function B, so if you want to replace function B with a new function C, you can write the following equivalent logic in machine code at the beginning of function B: MOVQ ADDRESS_OF_C %RAX // put the address of function C into register RAX JMPQ
# argument 2 is passed in a register 0x0000000000401130 : e8 07 00 00 00 callq 0x40113c # push %rip, then jmpq
0000000000400360 : ... 0000000000400370 : 400370: ff 25 aa 03 20 00 jmpq...GLOBAL_OFFSET_TABLE_+0x18> 400376: 68 00 00 00 00 pushq $0x0 40037b: e9 e0 ff ff ff jmpq
test3 | less, and searching for printf we should see the following: 0000000000400490 : 400490: ff 25 6a 0b 20 00 jmpq...GLOBAL_OFFSET_TABLE_+0x18> 400496: 68 00 00 00 00 pushq $0x0 40049b: e9 e0 ff ff ff jmpq...400480 ... 00000000004004b0 : 4004b0: ff 25 5a 0b 20 00 jmpq...GLOBAL_OFFSET_TABLE_+0x28> 4004b6: 68 02 00 00 00 pushq $0x2 4004bb: e9 c0 ff ff ff jmpq...one is the address of the main function */ ... 00000000004004f0 : 4004f0: ff 25 22 0b 20 00 jmpq
4010e1: b8 20 0c 40 00 mov $0x400c20,%eax //4010e6: ff e0 jmpq
s1=String::from("hello"); whereas memory allocated on the heap is the product of the operating system's malloc and is all dynamically allocated; an example follows: 220a3: ff 25 af 8c 22 00 jmpq
49a10e: 48 ff 40 18 incq 0x18(%rax) 49a112: e9 70 ff ff ff jmpq
0x00000000004891a6 : mov 0x50(%rsp),%rax 0x00000000004891ab : jmpq...0x00000000004891b0 : callq 0x44f730 0x00000000004891b5 : jmpq
0x0000000000488b33 : callq 0x44f300 0x0000000000488b38 : jmpq
...................................................... 1232: e9 1b ef ff ff jmpq
where puts is called, it is actually calling puts@plt, i.e. some location in the plt. Looking further up, find the definition of puts@plt at 0x580; the machine code is as follows: the first line jmpq
08 mov 0x8(%rsp),%eax // store num1 into %eax 400f75: ff 24 c5 70 24 40 00 jmpq
section contents: $ otool -V main -s __TEXT __stubs main: Contents of (__TEXT,__stubs) section 0000000100000f6a jmpq...*0xa8(%rip) ## literal pool symbol address: _printf 0000000100000f70 jmpq *0xaa(%rip) ## literal pool
kernel-3.10.0-862.el7/linux-3.10.0-862.el7.x86_64/kernel/exit.c: 1570 0xffffffffb8a97176 : jmpq