둘둘리둘둘리둘둘리둘둘리둘둘리둘
64비트 elf 인자전달방식 본문
#include <stdio.h>
/* Demo callee for the six-argument case: always returns 1.
 * The parameters are intentionally unused -- the example exists only
 * to observe how the caller hands the arguments over. The (void) casts
 * keep the build quiet about that without changing behaviour. */
int func(int a, int b, int c, int d, int e, int f)
{
    (void)a; (void)b; (void)c;
    (void)d; (void)e; (void)f;
    return 1;
}
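/* Caller for the six-argument demo.
 * Each argument is a separate local so the disassembly on this page shows
 * every one loaded from its [rbp-N] slot into an argument register before
 * the call. The original declared an extra local `g` that was never read
 * or written; it is dropped here. func's return value is deliberately
 * discarded -- only the call sequence is of interest.
 * Returns 0 (process exit status). */
int main(void)
{
    int a = 1;
    int b = 2;
    int c = 3, d = 4, e = 5, f = 6;
    (void)func(a, b, c, d, e, f);
    return 0;
}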
위 소스를 디스어셈블한 결과는 다음과 같다.
(gdb) disassemble main
Dump of assembler code for function main:
0x00000000004004cb <+0>: push rbp
0x00000000004004cc <+1>: mov rbp,rsp
0x00000000004004cf <+4>: sub rsp,0x20
0x00000000004004d3 <+8>: mov DWORD PTR [rbp-0x4],0x1
0x00000000004004da <+15>: mov DWORD PTR [rbp-0x8],0x2
0x00000000004004e1 <+22>: mov DWORD PTR [rbp-0xc],0x3
0x00000000004004e8 <+29>: mov DWORD PTR [rbp-0x10],0x4
0x00000000004004ef <+36>: mov DWORD PTR [rbp-0x14],0x5
0x00000000004004f6 <+43>: mov DWORD PTR [rbp-0x18],0x6
0x00000000004004fd <+50>: mov r8d,DWORD PTR [rbp-0x18]
0x0000000000400501 <+54>: mov edi,DWORD PTR [rbp-0x14]
0x0000000000400504 <+57>: mov ecx,DWORD PTR [rbp-0x10]
0x0000000000400507 <+60>: mov edx,DWORD PTR [rbp-0xc]
0x000000000040050a <+63>: mov esi,DWORD PTR [rbp-0x8]
0x000000000040050d <+66>: mov eax,DWORD PTR [rbp-0x4]
0x0000000000400510 <+69>: mov r9d,r8d
0x0000000000400513 <+72>: mov r8d,edi
0x0000000000400516 <+75>: mov edi,eax
0x0000000000400518 <+77>: call 0x4004ac <func>
0x000000000040051d <+82>: mov eax,0x0
0x0000000000400522 <+87>: leave
0x0000000000400523 <+88>: ret
End of assembler dump.
정리해보면 func( rdi, rsi, rdx, rcx, r8, r9 ) 순서로 인자가 레지스터에 전달된다.
64비트에서는 rax, rbx, rcx, rdx, rsi, rdi, rbp 레지스터 말고도
r8에서 r15까지 8개의 레지스터를 더 사용한다.
아래와 같이 인자가 6개보다 많다면..
#include <stdio.h>
/* Demo callee for the eight-argument case: always returns 1.
 * Nothing is done with the parameters; the example only serves to show
 * where the caller places arguments seven and eight. The (void) casts
 * silence unused-parameter warnings without altering behaviour. */
int func(int a, int b, int c, int d, int e, int f, int gg, int gg2)
{
    (void)a; (void)b; (void)c; (void)d;
    (void)e; (void)f; (void)gg; (void)gg2;
    return 1;
}
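/* Caller for the eight-argument demo.
 * Each argument gets its own local slot so the disassembly on this page
 * shows the first six loaded into argument registers and the last two
 * (gg, gg2) written to [rsp] and [rsp+0x8] before the call. The unused
 * local `g` from the original is dropped; it was never read or written.
 * func's return value is deliberately discarded -- only the call sequence
 * matters here.
 * Returns 0 (process exit status). */
int main(void)
{
    int a = 1;
    int b = 2;
    int c = 3, d = 4, e = 5, f = 6, gg = 7, gg2 = 8;
    (void)func(a, b, c, d, e, f, gg, gg2);
    return 0;
}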
(gdb) disassemble main
Dump of assembler code for function main:
0x00000000004004cb <+0>: push rbp
0x00000000004004cc <+1>: mov rbp,rsp
0x00000000004004cf <+4>: sub rsp,0x30
0x00000000004004d3 <+8>: mov DWORD PTR [rbp-0x4],0x1
0x00000000004004da <+15>: mov DWORD PTR [rbp-0x8],0x2
0x00000000004004e1 <+22>: mov DWORD PTR [rbp-0xc],0x3
0x00000000004004e8 <+29>: mov DWORD PTR [rbp-0x10],0x4
0x00000000004004ef <+36>: mov DWORD PTR [rbp-0x14],0x5
0x00000000004004f6 <+43>: mov DWORD PTR [rbp-0x18],0x6
0x00000000004004fd <+50>: mov DWORD PTR [rbp-0x1c],0x7
0x0000000000400504 <+57>: mov DWORD PTR [rbp-0x20],0x8
0x000000000040050b <+64>: mov r9d,DWORD PTR [rbp-0x18]
0x000000000040050f <+68>: mov r8d,DWORD PTR [rbp-0x14]
0x0000000000400513 <+72>: mov ecx,DWORD PTR [rbp-0x10]
0x0000000000400516 <+75>: mov edx,DWORD PTR [rbp-0xc]
0x0000000000400519 <+78>: mov esi,DWORD PTR [rbp-0x8]
0x000000000040051c <+81>: mov eax,DWORD PTR [rbp-0x4]
0x000000000040051f <+84>: mov edi,DWORD PTR [rbp-0x20]
0x0000000000400522 <+87>: mov DWORD PTR [rsp+0x8],edi
0x0000000000400526 <+91>: mov edi,DWORD PTR [rbp-0x1c]
0x0000000000400529 <+94>: mov DWORD PTR [rsp],edi
0x000000000040052c <+97>: mov edi,eax
0x000000000040052e <+99>: call 0x4004ac <func>
0x0000000000400533 <+104>: mov eax,0x0
0x0000000000400538 <+109>: leave
0x0000000000400539 <+110>: ret
End of assembler dump.
func( rdi, rsi, rdx, rcx, r8, r9, [rsp], [rsp+8] ) — 이와 같이 7번째 인자부터는 스택에 쌓는다.
아래와 같이 리턴 값은 rax(eax)에 담긴다.
Dump of assembler code for function func:
0x00000000004004ac <+0>: push rbp
0x00000000004004ad <+1>: mov rbp,rsp
0x00000000004004b0 <+4>: mov DWORD PTR [rbp-0x4],edi
0x00000000004004b3 <+7>: mov DWORD PTR [rbp-0x8],esi
0x00000000004004b6 <+10>: mov DWORD PTR [rbp-0xc],edx
0x00000000004004b9 <+13>: mov DWORD PTR [rbp-0x10],ecx
0x00000000004004bc <+16>: mov DWORD PTR [rbp-0x14],r8d
0x00000000004004c0 <+20>: mov DWORD PTR [rbp-0x18],r9d
0x00000000004004c4 <+24>: mov eax,0x1
0x00000000004004c9 <+29>: pop rbp
0x00000000004004ca <+30>: ret
End of assembler dump.