Sample file preparation and variable address analysis (reference)
1. From the recording process described above, the address of variable a once the process is running is 0x60103c.
2. Open the file with bvi. The file is nowhere near that long (it ends at 0x25c0, while 0x60103c is a virtual address, not a file offset); the last bytes are:
00002590 00 00 00 00 00 00 00 00 B0 1A 00 00 00 00 00 00 ................
000025A0 4C 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 L...............
000025B0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000025C0
3. Enter the command ":0x103c" (i.e. the same address with the 0x60 stripped off); the data there is:
00001010 00 00 00 00 00 00 00 00 56 04 40 00 00 00 00 00 ........V.@.....
00001020 66 04 40 00 00 00 00 00 76 04 40 00 00 00 00 00 f.@.....v.@.....
00001030 86 04 40 00 00 00 00 00 00 00 00 00 FF FF FF FF ..@.............
00001040 EE EE EE EE 47 43 43 3A 20 28 47 4E 55 29 20 35 ....GCC: (GNU) 5
00001050 2E 33 2E 31 20 32 30 31 35 31 32 30 37 20 28 52 .3.1 20151207 (R
00001060 65 64 20 48 61 74 20 35 2E 33 2E 31 2D 32 29 00 ed Hat 5.3.1-2).
4. File offset 0x103c holds the value of a, 0xFFFFFFFF, and the 4 bytes immediately after it at 0x1040 hold the value of b, 0xEEEEEEEE. (The two ints are 4 bytes each; since every byte of each value is identical, endianness is not visible in this dump.)
5. Modify the value of a as follows (the command :set memmove is needed). Only overwrite bytes in place; never insert or delete bytes, since shifting everything after 0x103c would invalidate every file offset recorded in the ELF headers. x86-64 is little-endian, so the byte at 0x103c is the lowest byte of a, and changing it from FF to EE gives a = 0xffffffee:
00001010 00 00 00 00 00 00 00 00 56 04 40 00 00 00 00 00 ........V.@.....
00001020 66 04 40 00 00 00 00 00 76 04 40 00 00 00 00 00 f.@.....v.@.....
00001030 86 04 40 00 00 00 00 00 00 00 00 00 EE FF FF FF ..@.............
00001040 EE EE EE EE 47 43 43 3A 20 28 47 4E 55 29 20 35 ....GCC: (GNU) 5
00001050 2E 33 2E 31 20 32 30 31 35 31 32 30 37 20 28 52 .3.1 20151207 (R
00001060 65 64 20 48 61 74 20 35 2E 33 2E 31 2D 32 29 00 ed Hat 5.3.1-2).
6. Save and run the program. The output is:
$ ./a.out
ffffffee, eeeeeeee
ffffffee, eeeeeeee
ffffffee, eeeeeeee
Done.
Question: the address of variable a obtained from the disassembly is 0x60103c, but a's storage address in the executable file is 0x103c. What the leading 0x60 means is still not clear to me; this success may have been luck - -#
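Added example, not part of the original write-up: the relation between a virtual address from the disassembly and a file offset is recorded in the ELF program headers. Each PT_LOAD entry says which range of file bytes (p_offset, p_filesz) is mapped at which address (p_vaddr), so the file offset of a loaded address is va - p_vaddr + p_offset for the segment that contains it. The script below builds a constructed stand-in for the a.out above with the segment layout a non-PIE x86-64 binary typically has (text segment at 0x400000, data segment at 0x600000 plus its file offset; the segment sizes, entry point and the 0x1050-byte image size are assumptions, not values read from the author's file), parses the headers back out, converts 0x60103c to 0x103c, applies the same one-byte patch, and shows the case a .bss variable hits: an address inside p_memsz but beyond p_filesz has no bytes in the file at all, so there is nothing to patch.

```python
import struct
from collections import namedtuple

PT_LOAD = 1
EHDR_FMT = "<16sHHIQQQIHHHHHH"   # ELF64 file header, little-endian, 64 bytes
PHDR_FMT = "<IIQQQQQQ"           # ELF64 program header entry, 56 bytes
Phdr = namedtuple("Phdr", "p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align")


def parse_phdrs(image):
    """Return the program headers of a little-endian ELF64 image (bytes)."""
    if image[:4] != b"\x7fELF" or image[4] != 2 or image[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = struct.unpack_from(EHDR_FMT, image, 0)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    return [Phdr(*struct.unpack_from(PHDR_FMT, image, e_phoff + i * e_phentsize))
            for i in range(e_phnum)]


def va_to_file_offset(phdrs, va):
    """Map a virtual address to the file offset of the bytes loaded there.

    Returns None when no PT_LOAD segment carries file bytes for the address,
    e.g. a .bss variable: inside p_memsz but beyond p_filesz, so the loader
    zero-fills it and there is nothing on disk to edit.
    """
    for ph in phdrs:
        if ph.p_type == PT_LOAD and ph.p_vaddr <= va < ph.p_vaddr + ph.p_filesz:
            return va - ph.p_vaddr + ph.p_offset
    return None


def patch_u32(image, off, value):
    """Overwrite the 32-bit little-endian int at a file offset; returns a new bytes object
    of the same length (bytes are replaced in place, never inserted or removed)."""
    out = bytearray(image)
    struct.pack_into("<I", out, off, value)
    return bytes(out)


def build_sample_image():
    """Constructed stand-in for the a.out in the write-up (assumption: typical non-PIE
    x86-64 layout; sizes and entry point are made up, only the a/b offsets match the dump)."""
    img = bytearray(0x1050)
    phdrs = [
        # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        Phdr(PT_LOAD, 5, 0x000, 0x400000, 0x400000, 0x8a0, 0x8a0, 0x200000),  # text (R X)
        Phdr(PT_LOAD, 6, 0xe10, 0x600e10, 0x600e10, 0x234, 0x240, 0x200000),  # data (RW), + .bss
    ]
    e_ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9          # ELF64, little-endian, version 1
    ehdr = struct.pack(EHDR_FMT, e_ident,
                       2, 62, 1, 0x400430,                   # ET_EXEC, EM_X86_64, version, entry
                       64, 0, 0,                             # e_phoff, e_shoff, e_flags
                       64, 56, len(phdrs), 64, 0, 0)         # sizes/counts, no section table
    img[0:64] = ehdr
    for i, ph in enumerate(phdrs):
        struct.pack_into(PHDR_FMT, img, 64 + i * 56, *ph)
    # int a = 0xFFFFFFFF at file offset 0x103c, int b = 0xEEEEEEEE right after it, as in the dump
    struct.pack_into("<II", img, 0x103c, 0xFFFFFFFF, 0xEEEEEEEE)
    return bytes(img)


def main():
    img = build_sample_image()
    phdrs = parse_phdrs(img)
    for ph in phdrs:
        print(f"LOAD offset={ph.p_offset:#x} vaddr={ph.p_vaddr:#x} "
              f"filesz={ph.p_filesz:#x} memsz={ph.p_memsz:#x}")
    off = va_to_file_offset(phdrs, 0x60103c)       # address of a from the disassembly
    print(f"a: va 0x60103c -> file offset {off:#x}")   # 0x103c, the offset found with bvi
    print("before:", img[off:off + 8].hex())
    patched = patch_u32(img, off, 0xffffffee)
    print("after: ", patched[off:off + 8].hex())   # only the byte at 0x103c changes (little-endian)
    print("bss va 0x601048 ->", va_to_file_offset(phdrs, 0x601048))  # None: no file bytes


if __name__ == "__main__":
    main()
```

On the real binary, readelf -l ./a.out prints the same LOAD lines; the second LOAD entry's Offset and VirtAddr are what relate 0x103c to 0x60103c (with the layout assumed above, VirtAddr - Offset is 0x600000 for the data segment, which is where the 0x60 comes from). On a PIE binary the disassembly shows small link-time addresses such as 0x4010 instead of 0x60xxxx, but the same va - p_vaddr + p_offset arithmetic applies.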