53 lines
1.1 KiB
Markdown
53 lines
1.1 KiB
Markdown
|
# amd64
|
||
|
|
|
||
|
|
* `rax` return value, caller saved.
|
||
|
|
* `r10`, `r11` are caller saved.
|
||
|
|
* `rbx`, `r12`, `r13`, `r14` are callee saved
|
||
|
|
* `rbp` is also callee saved(and can be optionally used as a frame pointer)
|
||
|
|
* `rsp` is callee saved
|
||
|
|
|
||
|
|
## Function argument registers
|
||
|
|
* `rdi`,`rsi`,`rdx`,`rcx`,`r8 `,`r9 `, called saved.
|
||
|
|
* Further function args are stored inside its stack frame.
|
||
|
|
|
||
|
|
|
||
|
|
## Overwriting Variables and Padding
|
||
|
|
* Overwrite an atomic variable behind a buffer
|
||
|
|
```C
|
||
|
|
int main ( int argc, char ** argv ) {
|
||
|
|
int var = 0
|
||
|
|
char buffer[12];
|
||
|
|
|
||
|
|
gets(buffer);
|
||
|
|
[...]
|
||
|
|
}
|
||
|
|
```
|
||
|
|
* Stack layout
|
||
|
|
```
|
||
|
|
Bottom
|
||
|
|
+------------------+
|
||
|
|
| Saved regsisters |
|
||
|
|
+------------------+
|
||
|
|
| int var |
|
||
|
|
+------------------+
|
||
|
|
| char buffer [11] |
|
||
|
|
| ... |
|
||
|
|
| ... |
|
||
|
|
| ... |
|
||
|
|
| char buffer [0] |
|
||
|
|
+------------------+
|
||
|
|
| char ** argv |
|
||
|
|
+------------------+
|
||
|
|
| char argc |
|
||
|
|
+------------------+
|
||
|
|
Top
|
||
|
|
```
|
||
|
|
|
||
|
|
* Watch out! I.e., a 12 byte array is padded to system memory allocation size.
|
||
|
|
```
|
||
|
|
+-------------+----+
|
||
|
|
|12 byte array| 4b |
|
||
|
|
+-------------+----+
|
||
|
|
0 12 16 byte
|
||
|
|
```
|