Why is the stack filled with 0xCCCCCCCC

I'm currently disassembling some small C programs made in Visual Studio 2012 Express, and I've noticed a trend amongst the binaries.

The first set of instructions executed in the main function are always:

SUB ESP,154                       ; Doesn't have to be 0x154.
.....
.....
.....
LEA EDI,DWORD PTR SS:[EBP-154]
MOV ECX,55                        ; Also doesn't have to be 0x55.
MOV EAX,CCCCCCCC
REP STOS DWORD PTR ES:[EDI]

So, why does the machine fill the stack with this 0xCCCCCCCC? I've read that it is used by VC++, or something, as a mark for uninitialized space?

Then let's say I am going to put something inside my buffer... The compiler or processor decides to put it at some random point inside this space, but I can't see why it would put it there...

EBP-90   > CCCCCCCC  ÌÌÌÌ
EBP-8C   > CCCCCCCC  ÌÌÌÌ
EBP-88   > CCCCCCCC  ÌÌÌÌ
EBP-84   > 00000001  ...  ; Why this place?
EBP-80   > CCCCCCCC  ÌÌÌÌ
EBP-7C   > CCCCCCCC  ÌÌÌÌ
EBP-78   > 41414141  AAAA ; Why this far from both the top and bottom of the stack?
EBP-74   > CCCCCC00  .ÌÌÌ
EBP-70   > CCCCCCCC  ÌÌÌÌ
EBP-6C   > CCCCCCCC  ÌÌÌÌ

And...

EBP-14   > CCCCCCCC  ÌÌÌÌ
EBP-10   > CCCCCCCC  ÌÌÌÌ
EBP-C    > 00000000  ....  ; Why here?
EBP-8    > CCCCCCCC  ÌÌÌÌ
EBP-4    > 7EA7D069  iЧ~  ; I think this is some stack cookie stuff.
EBP ==>  >/0017FEA8  ¨þ.   ; Saved EBP.

Granted, the 1 and 0 dwords are stored here because of some if statements, but I'm simply wondering why they are placed where they are, and if there is any logic behind it.

Thank you.

Tags: assembly, disassembly

asked Jul 14 '13 at 22:27 by Volatile

Optimized or debug build? – Kerrek SB Jul 14 '13 at 22:29

@KerrekSB I think it's in debug actually... I've never actually noticed that, now that you pointed it out. – Volatile Jul 14 '13 at 22:34

If you were a debugging compiler, could you imagine any use such a "predictable pattern" might have? – Kerrek SB Jul 14 '13 at 22:36

@KerrekSB So how would I know where to put stuff? – Volatile Jul 14 '13 at 22:41

See the answers to stackoverflow.com/questions/127386/… for more information about 0xcccccccc, and from the wikipedia link in the accepted answer: "CC resembles the opcode of the INT 3 debug breakpoint interrupt on x86 processors." – Logan Pickup Jul 14 '13 at 22:45


Top-voted answer: You are just seeing the code that's generated by the MSVC compiler when you use the /RTC option, which enables runtime checks, turned on by default in the debug build. The value 0xcccccccc is magical: it is very good at crashing your program when you use an uninitialized pointer, or generating a weird int value, or crashing your code when it goes bananas and starts to execute data as though it is code. 0xcc is the x86 instruction for INT 3; it invokes a debugger break.

The "why this place" is part of the diagnostics you get from /RTC. It makes the compiler allocate local variables with extra space between them, filled by that magical value, which makes it very simple to diagnose stack corruption caused by buffer overruns: it just needs to check if the magic values are still there when the function returns.
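The mechanism the answer describes, as an added example that is not part of the question, the answer, or MSVC itself: a small C model of a /RTCs-style frame. The struct `rtc_frame`, the 4-byte guard width, and the function names `rtc_enter`, `rtc_check`, `copy_and_check` and `uninitialised_int_value` are all invented for illustration; the real compiler chooses the padding itself and emits the fill and the check in the prologue and epilogue it generates. The code fills the whole frame with 0xCC (the `REP STOS` in the question), copies an input of caller-chosen length into an 8-byte buffer with no bounds check, and then verifies that the guard slots still hold 0xCC, which is exactly the test the epilogue performs. It also shows what a local that was never written reads as.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: a model of what MSVC's /RTCs does to a stack frame.
 * Not compiler output; the layout, guard width and names are assumptions. */

#define RTC_FILL   0xCC   /* the byte /RTC writes over the reserved frame */
#define RTC_GUARD  4      /* assumed width of the padding left around each local */

/* A frame with two locals. Each local is surrounded by guard slots, like the
 * 0xCCCCCCCC dwords between EBP-84 and EBP-78 in the question's dump. */
typedef struct {
    uint8_t g0[RTC_GUARD];
    char    name[8];          /* a fixed-size buffer the code writes into */
    uint8_t g1[RTC_GUARD];
    int     flag;             /* an int the code may forget to initialise */
    uint8_t g2[RTC_GUARD];
} rtc_frame;

/* Prologue: the equivalent of MOV EAX,CCCCCCCC / REP STOS over the frame. */
static void rtc_enter(rtc_frame *f) {
    memset(f, RTC_FILL, sizeof *f);
}

/* Epilogue check: every guard byte must still be RTC_FILL. Returns the number
 * of guard bytes that were overwritten; 0 means the frame is intact. */
static size_t rtc_check(const rtc_frame *f) {
    const uint8_t *guards[] = { f->g0, f->g1, f->g2 };
    size_t bad = 0;
    for (size_t i = 0; i < sizeof guards / sizeof guards[0]; i++)
        for (size_t j = 0; j < RTC_GUARD; j++)
            if (guards[i][j] != RTC_FILL)
                bad++;
    return bad;
}

/* Copy n bytes of src into the 8-byte buffer with no bounds check on the
 * buffer itself, then run the epilogue check. Returns the number of corrupted
 * guard bytes. The copy is capped at the end of the struct only so that the
 * demonstration stays inside one object (well-defined C); it still runs past
 * the logical 8-byte buffer into the guard slots and the neighbouring local. */
size_t copy_and_check(const char *src, size_t n) {
    rtc_frame f;
    rtc_enter(&f);

    uint8_t *dst = (uint8_t *)&f + offsetof(rtc_frame, name);
    size_t room = sizeof f - offsetof(rtc_frame, name);
    if (n > room)
        n = room;
    for (size_t i = 0; i < n; i++)   /* deliberately not limited to sizeof f.name */
        dst[i] = (uint8_t)src[i];

    return rtc_check(&f);
}

/* A local the code never wrote reads as the fill pattern, not as zero:
 * as a 32-bit two's-complement int, 0xCCCCCCCC is -858993460. */
int uninitialised_int_value(void) {
    rtc_frame f;
    rtc_enter(&f);
    return f.flag;
}

int main(void) {
    /* Constructed inputs: an exact fit, a 4-byte overrun, and a 12-byte overrun. */
    printf("8 bytes into an 8-byte buffer:  %zu guard bytes hit\n",
           copy_and_check("AAAAAAAA", 8));
    printf("12 bytes into an 8-byte buffer: %zu guard bytes hit\n",
           copy_and_check("AAAAAAAAAAAA", 12));
    printf("20 bytes into an 8-byte buffer: %zu guard bytes hit\n",
           copy_and_check("AAAAAAAAAAAAAAAAAAAA", 20));
    printf("uninitialised int reads as 0x%08X (%d)\n",
           (unsigned)uninitialised_int_value(), uninitialised_int_value());
    return 0;
}
```

The 12-byte copy clobbers only the guard after `name`, so four guard bytes change; the 20-byte copy runs through `flag` and into the guard after it, so eight change. A real /RTCs build performs the same comparison when the function returns and reports a "Run-Time Check Failure #2 - Stack around the variable ... was corrupted" dialog rather than a count. The second function shows the "weird int value" from the answer; on a 64-bit build the same fill makes an uninitialised pointer 0xCCCCCCCCCCCCCCCC, which is a non-canonical address on x86-64, so the first dereference faults immediately instead of silently reading something.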

Related links:

debugging - In Visual Studio C++, what are the memory allocation representations? - Stack Overflow
http://stackoverflow.com/questions/127386/in-visual-studio-c-what-are-the-memory-allocation-representations

Win32 Debug CRT Heap Internals (very involved; the compiler really does not have it easy!)
http://www.nobugs.org/developer/win32/debug_crt_heap.html#table

Summary:

1. The assembly a C/C++ compiler emits can contain instructions that correspond to nothing in the source. Some of it is generated not from the programmer's code but from what the compiler adds on its own, for buffer-overflow detection or for other reasons (security hardening, code obfuscation, resistance to reverse engineering).

2. Much of what the compiler does cannot be traced back to the source program; it may add code to improve the program's security and reliability and to catch bugs that may be present. For example, to catch uninitialised stack memory and buffer overruns, the debug runtime checks use a magic number such as 0xCCCCCCCC.

Below are some other magic numbers used in computer programs:

http://en.wikipedia.org/wiki/Magic_number_(programming)

* 0xABABABAB : Used by Microsoft's HeapAlloc() to mark "no man's land" guard bytes after allocated heap memory
* 0xABADCAFE : Used at startup to initialise all free memory, to catch errant pointers
* 0xBAADF00D : Used by Microsoft's LocalAlloc(LMEM_FIXED) to mark uninitialised allocated heap memory
* 0xBADCAB1E : Error code returned to the Microsoft eVC debugger when the connection to the debugger is severed
* 0xBEEFCACE : Used by Microsoft .NET as a magic number in resource files
* 0xCCCCCCCC : Used by Microsoft's C++ debugging runtime library to mark uninitialised stack memory
* 0xCDCDCDCD : Used by Microsoft's C++ debugging runtime library to mark uninitialised heap memory
* 0xDEADDEAD : A Microsoft Windows STOP error code used when the user manually initiates the crash
* 0xFDFDFDFD : Used by Microsoft's C++ debugging heap to mark "no man's land" guard bytes before and after allocated heap memory
* 0xFEEEFEEE : Used by Microsoft's HeapFree() to mark freed heap memory

In the words of one person on Stack Overflow, this kind of phenomenon is:

Reposted from: https://my.oschina.net/ray1421/blog/714709
