Copyright notice: This is the blogger's original article; when reposting, please include a link to the original source and this notice. 2019-08-24, 00:40:12
Author: 溺心与沉浮, 博客园
1. BASE and TOP are two 32-bit general-purpose registers; what they hold are memory cell numbers (memory addresses).
2. The address held in BASE records the starting address of the region.
3. The address held in TOP records the end address of the region, i.e. where the next item goes.
4. When data is stored, the value of TOP is decreased by 4 (for ease of presentation, every access here is 4 bytes).
5. When data is released, the value of TOP is increased by 4 (again, every access is 4 bytes).
6. Data in the middle can be read at any time through BASE plus an offset or TOP plus an offset.
7. Memory that is read and written this way has a proper name: the stack.
Advantages of the stack: it can temporarily store large amounts of data, and any item can be located quickly by offset.
In OD (OllyDbg), at the position of the red box in the figure, pick any memory address to serve as both our stack bottom and stack top; I use 0x18FFD0 as the example. EDX stands in for ESP (TOP) and EBX stands in for EBP (BASE):
MOV EDX,0x18FFD0 ; TOP, stands in for ESP
MOV EBX,0x18FFD0 ; BASE, stands in for EBP
Step 1, pushing data
There are many ways to push data.
Method 1:
MOV DWORD PTR DS:[EDX-4],0xAAAAAAAA
SUB EDX,4
Code execution: (screenshot omitted; the figures for the remaining steps are also omitted)
Method 2:
SUB EDX,4
MOV DWORD PTR DS:[EDX],0xBBBBBBBB
Method 3:
LEA EDX,DWORD PTR DS:[EDX-4] ; LEA adjusts EDX without touching EFLAGS, unlike SUB
MOV DWORD PTR DS:[EDX],0xCCCCCCCC
Method 4:
MOV DWORD PTR DS:[EDX-4],0xDDDDDDDD
LEA EDX,DWORD PTR DS:[EDX-4]
Step 2, reading the Nth item
Method 1: read through BASE plus an offset, placing the value read into ESI.
Read the first pushed value:
MOV ESI,DWORD PTR DS:[EBX-0x4]
Read the fourth pushed value:
MOV ESI,DWORD PTR DS:[EBX-0x10] ; OD reads numbers as hex, so the 10 typed in OD is 0x10 = 16 bytes = four dwords
Method 2: read through TOP plus an offset, placing the value read into ESI. After exactly the four pushes above, EDX = 0x18FFC0 = EBX-0x10, so:
Read the first pushed value:
MOV ESI,DWORD PTR DS:[EDX+0xC]
Read the fourth pushed value (the one currently on top):
MOV ESI,DWORD PTR DS:[EDX]
Note the difference: an offset from BASE stays valid no matter how many further pushes and pops happen, while an offset from TOP changes with every push or pop. That is exactly why compiled code addresses locals and arguments relative to EBP rather than ESP.
Step 3, popping data
Method 1:
MOV ECX,DWORD PTR DS:[EDX]
ADD EDX,0x4
Method 2:
LEA EDX,DWORD PTR DS:[EDX+0x4]
MOV ECX,DWORD PTR DS:[EDX-0x4] ; the data is still in memory, only TOP moved; nothing below TOP is erased
Method 3:
MOV ECX,DWORD PTR DS:[EDX]
LEA EDX,DWORD PTR DS:[EDX+0x4]
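To check the offsets of Steps 1 to 3 without OD, here is a small C model of the walkthrough. It is an added example, not code from the original post or its author. It assumes the same BASE of 0x18FFD0, models EDX and EBX as the two fields top and base, and the names stk_t, rd32, wr32, read_from_base, read_from_top and walkthrough are this example's own:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the walkthrough: a 32-byte window of "memory" that ends
 * at 0x18FFD0, addressed with the same 32-bit values OD shows.
 * TOP plays the role of EDX, BASE the role of EBX. Names are the example's own. */
#define BASE_ADDR 0x18FFD0u
#define WINDOW    0x20u                 /* room for 8 dwords below BASE */
#define LOW_ADDR  (BASE_ADDR - WINDOW)

typedef struct {
    uint8_t  mem[WINDOW];
    uint32_t top;                       /* EDX in the walkthrough */
    uint32_t base;                      /* EBX in the walkthrough */
} stk_t;

/* DWORD PTR DS:[addr], little-endian, refusing any access outside the window */
static uint32_t rd32(const stk_t *s, uint32_t addr) {
    uint32_t v = 0;
    if (addr >= LOW_ADDR && addr + 4 <= BASE_ADDR)
        memcpy(&v, &s->mem[addr - LOW_ADDR], 4);
    return v;
}
static void wr32(stk_t *s, uint32_t addr, uint32_t v) {
    if (addr >= LOW_ADDR && addr + 4 <= BASE_ADDR)
        memcpy(&s->mem[addr - LOW_ADDR], &v, 4);
}

void stk_init(stk_t *s) { memset(s, 0, sizeof *s); s->top = s->base = BASE_ADDR; }

/* Step 1, method 2: SUB EDX,4 ; MOV DWORD PTR DS:[EDX],value */
void stk_push(stk_t *s, uint32_t v) { s->top -= 4; wr32(s, s->top, v); }

/* Step 3, method 1: MOV ECX,DWORD PTR DS:[EDX] ; ADD EDX,4 */
uint32_t stk_pop(stk_t *s) { uint32_t v = rd32(s, s->top); s->top += 4; return v; }

/* Number of dwords currently between TOP and BASE */
unsigned stk_depth(const stk_t *s) { return (s->base - s->top) / 4; }

/* Step 2, method 1: n-th pushed value (1-based) via BASE: [EBX - 4*n].
 * The offset is fixed for the lifetime of the item. */
uint32_t read_from_base(const stk_t *s, unsigned n) {
    if (n == 0 || n > stk_depth(s)) return 0;   /* not on the stack */
    return rd32(s, s->base - 4u * n);
}

/* Step 2, method 2: the same value via TOP: [EDX + 4*(depth-n)].
 * The offset moves with every push or pop and must be recomputed. */
uint32_t read_from_top(const stk_t *s, unsigned n) {
    if (n == 0 || n > stk_depth(s)) return 0;
    return rd32(s, s->top + 4u * (stk_depth(s) - n));
}

/* Replays the four pushes of Step 1; returns TOP afterwards (0x18FFC0) */
uint32_t walkthrough(stk_t *s) {
    stk_init(s);
    stk_push(s, 0xAAAAAAAAu);
    stk_push(s, 0xBBBBBBBBu);
    stk_push(s, 0xCCCCCCCCu);
    stk_push(s, 0xDDDDDDDDu);
    return s->top;
}

int main(void) {
    stk_t s;
    uint32_t top = walkthrough(&s);
    printf("BASE=0x%X TOP=0x%X depth=%u\n", s.base, top, stk_depth(&s));
    for (unsigned n = 1; n <= stk_depth(&s); n++)
        printf("item %u: [EBX-0x%X]=%08X  [EDX+0x%X]=%08X\n", n, 4 * n,
               read_from_base(&s, n), 4 * (stk_depth(&s) - n), read_from_top(&s, n));
    while (stk_depth(&s) > 0)
        printf("pop -> %08X\n", stk_pop(&s));
    return 0;
}
```

Running it prints the same picture OD shows after the four pushes: item 1 is at [EBX-0x4] and [EDX+0xC], item 4 at [EBX-0x10] and [EDX], and the pops come back in reverse order. After two pops read_from_base(1) still uses offset 4 while read_from_top(1) has dropped from +0xC to +0x4, which is the point of the note above about BASE-relative versus TOP-relative addressing.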
PUSH instruction forms:
1. PUSH r32
2. PUSH r16
3. PUSH m16
4. PUSH m32
5. PUSH imm8/imm16/imm32
POP instruction forms:
1. POP r32
2. POP r16
3. POP m16
4. POP m32
Exercise 1: implement push ecx in two ways (four are shown below; they push the immediate 0x1, so substitute ECX for 0x1 to push the register itself)
One:
MOV DWORD PTR DS:[ESP-0x4],0x1
LEA ESP,DWORD PTR DS:[ESP-0x4]
two,
LEA ESP,DWORD PTR DS:[ESP-0x4]
MOV DWORD PTR DS:[ESP],0x1
three,
MOV DWORD PTR DS:[ESP-0x4],0x1
SUB ESP,0x4
four,
SUB ESP,0x4
MOV DWORD PTR DS:[ESP],0x1
Exercise 2: implement pop ecx in two ways (four are shown below; they pop into EAX, so substitute ECX for EAX to match the exercise)
One:
ADD ESP,0x4
MOV EAX,DWORD PTR DS:[ESP-0x4]
two,
MOV EAX,DWORD PTR DS:[ESP]
ADD ESP,0x4
three,
MOV EAX,DWORD PTR DS:[ESP]
LEA ESP,DWORD PTR DS:[ESP+0x4]
four,
LEA ESP,DWORD PTR DS:[ESP+0x4]
MOV EAX,DWORD PTR DS:[ESP-0x4]
Exercise 3: implement push esp in two ways
One (uses EAX as a temporary, so unlike the real PUSH ESP it clobbers EAX):
MOV EAX,ESP
MOV DWORD PTR DS:[ESP-4],EAX
SUB ESP,4
Two:
MOV DWORD PTR DS:[ESP-4],ESP
SUB ESP,4
In both, the dword written is the value ESP had before the decrement, which is exactly what PUSH ESP does.
Exercise 4: implement pop esp in two ways
One:
MOV EAX,DWORD PTR DS:[ESP]
MOV ESP,EAX
Two:
MOV ESP,DWORD PTR DS:[ESP]
Three:
ADD ESP,4
MOV ESP,DWORD PTR DS:[ESP-4]
In all three, ESP ends up equal to the dword that was on top of the stack; the usual +4 does not matter because it is overwritten. This matches how the real POP ESP is defined: the increment happens first and the loaded value then replaces ESP.
Does push always subtract 4 bytes?
Answer: No. push can push a word-sized register or memory operand, in which case ESP moves by 2 bytes; pushing a dword-sized register or memory operand moves ESP by 4 bytes.
Note: push cannot push a byte-sized register or memory operand, and the same holds for pop. The PUSH imm8 form listed above is not an exception: the byte is sign-extended to the operand size, so in 32-bit code it still moves ESP by 4.
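The push esp and pop esp exercises and the operand-size question above, modelled in C. This is an added example, not code from the original post or its author; the names (cpu_t, push_esp, pop_esp, value_after_pivot and the 64-byte window ending at 0x18FFD0) are this example's own assumptions:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: a 64-byte stack window ending at 0x18FFD0, with esp held
 * as an OD-style 32-bit address. Names are the example's own. */
#define ESP_INIT 0x18FFD0u
#define WIN      0x40u
#define LOW      (ESP_INIT - WIN)

typedef struct { uint8_t mem[WIN]; uint32_t esp; } cpu_t;

static int in_win(uint32_t a, uint32_t n) { return a >= LOW && a + n <= ESP_INIT; }
static void wr(cpu_t *c, uint32_t a, const void *p, uint32_t n) {
    if (in_win(a, n)) memcpy(&c->mem[a - LOW], p, n);
}
static uint32_t rd32(const cpu_t *c, uint32_t a) {
    uint32_t v = 0;
    if (in_win(a, 4)) memcpy(&v, &c->mem[a - LOW], 4);
    return v;
}

void cpu_init(cpu_t *c) { memset(c, 0, sizeof *c); c->esp = ESP_INIT; }

/* PUSH r32/m32/imm32 (and PUSH imm8, sign-extended to 32 bits): ESP -= 4 */
void push32(cpu_t *c, uint32_t v) { c->esp -= 4; wr(c, c->esp, &v, 4); }
/* PUSH r16/m16 (66h operand-size prefix in 32-bit code): ESP -= 2 */
void push16(cpu_t *c, uint16_t v) { c->esp -= 2; wr(c, c->esp, &v, 2); }
uint32_t pop32(cpu_t *c) { uint32_t v = rd32(c, c->esp); c->esp += 4; return v; }

/* PUSH ESP (Exercise 3, method two): the dword written is ESP as it was before
 * the decrement: MOV DWORD PTR DS:[ESP-4],ESP ; SUB ESP,4 */
void push_esp(cpu_t *c) { uint32_t old = c->esp; wr(c, old - 4, &old, 4); c->esp = old - 4; }

/* POP ESP (Exercise 4, method two): ESP becomes the popped dword, the implicit
 * +4 is overwritten: MOV ESP,DWORD PTR DS:[ESP] */
void pop_esp(cpu_t *c) { c->esp = rd32(c, c->esp); }

/* What PUSH ESP stores: the old ESP (0x18FFD0), not the new one (0x18FFCC) */
uint32_t stored_by_push_esp(void) {
    cpu_t c; cpu_init(&c);
    push_esp(&c);
    return rd32(&c, c.esp);
}

/* POP ESP as a stack pivot in miniature: the top dword is an address inside
 * the stack, so after POP ESP the next POP reads from there instead of from
 * the slot that followed. Returns the value that next pop yields. */
uint32_t value_after_pivot(cpu_t *c) {
    cpu_init(c);
    push32(c, 0x11111111u);          /* lands at 0x18FFCC */
    push32(c, 0x22222222u);          /* lands at 0x18FFC8 */
    push32(c, 0x33333333u);          /* lands at 0x18FFC4 */
    push32(c, ESP_INIT - 4);         /* lands at 0x18FFC0: address of the 0x11111111 slot */
    pop_esp(c);                      /* ESP = 0x18FFCC rather than 0x18FFC4 */
    return pop32(c);                 /* 0x11111111; ESP is then back at 0x18FFD0 */
}

/* How far ESP moves for a word push versus a dword push */
uint32_t bytes_moved_push16(void) { cpu_t c; cpu_init(&c); push16(&c, 0x1234); return ESP_INIT - c.esp; }
uint32_t bytes_moved_push32(void) { cpu_t c; cpu_init(&c); push32(&c, 0x12345678u); return ESP_INIT - c.esp; }

int main(void) {
    cpu_t c;
    printf("PUSH ESP stored 0x%X\n", stored_by_push_esp());
    uint32_t v = value_after_pivot(&c);
    printf("after the POP ESP pivot the next POP gives %08X, ESP=0x%X\n", v, c.esp);
    printf("push16 moves ESP by %u bytes, push32 by %u\n", bytes_moved_push16(), bytes_moved_push32());
    return 0;
}
```

value_after_pivot is the one-instruction stack pivot: whoever controls the dword under ESP at the moment a pop esp executes decides where every later pop and ret reads from. That is the reason a pop esp (or xchg eax,esp) gadget is a staple of ROP chains, and why a write to the current stack slot is worth more than it looks in an exploit.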