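/*
 * my_tgkill -- throwaway experiment. Despite the name nothing here issues a
 * tgkill (or any other) system call; the routine only exercises printf in
 * two different ways:
 *
 *  1. printf(debug_string, pc) through the normal linker-generated path (bl).
 *  2. The same call again, but with the callee address read out of the GOT
 *     by hand: the first two instructions of printf@plt are replayed here
 *     and the load offset was adjusted for the distance between this code
 *     and the real plt stub (listing kept below), then blx r1.
 *
 * Inputs:   none (r0-r3 are clobbered).
 * Outputs:  r0 = return value of the last printf call.
 * Clobbers: r0-r3, ip. r4-r11 and lr are saved/restored on the stack
 *           (ip is caller-saved, saving it is harmless but unnecessary).
 * Stack:    10 words = 40 bytes, so the 8-byte AAPCS alignment required at
 *           the bl/blx call sites is preserved.
 *
 * WARNING -- fragile by construction, keep it out of anything shipped:
 *  - The constants in "add ip, ip, #8192" and "ldr r1, [ip, #1896]" were
 *    computed from a disassembly of one specific build. Adding, removing or
 *    reordering ANY instruction before that ldr (the nops included), or
 *    linking with a different set of objects, silently changes which word
 *    is read, and "blx r1" then branches to whatever that word contains.
 *    This is also why the dead "ldr r0, func_point123" below is kept.
 *  - The hand-read GOT slot is only meaningful because the earlier
 *    "bl printf" has already been made (forcing a lazy binding to resolve
 *    the slot first); with lazy binding, using the raw slot value before
 *    that would enter the resolver trampoline without the ip setup the
 *    plt stub performs.
 *  - The .word literals at the end embed absolute addresses in .text. In a
 *    PIC/PIE build that requires text relocations, which is a W^X
 *    violation and is rejected by current loaders.
 */
ENTRY(my_tgkill)
stmdb sp!, {r4-r11, ip, lr}          // save callee-saved regs, ip and the return address
//ldr r0, debug_message
//mov r1, pc
//bl dp_printf
ldr r4, debug_message                // r4 = &debug_string (the word holds its absolute address)
mov r0, r4                           // arg0: format string
mov r1, pc                           // arg1: pc as read in ARM state = address of this insn + 8
nop
nop
nop
bl printf                            // first call: regular plt/GOT path (also resolves the GOT slot)
nop
nop
nop
nop
nop
add r4,r4,#20                        // r4 = debug_string + 20: past the 18-byte string, inside the padding
mov r0, r4
str r0, [r0]                         // scratch write into .data: stores the pointer at its own address
                                     // (no alignment guarantee for debug_string + 20 -- review if moved)
ldr r0, func_point123                // dead: r0 is reloaded before use; kept so the insn count stays fixed
nop
add ip, pc, #0, 12                   // ip = pc + 0 (rotated imm is 0); same as printf@plt insn 1
nop
nop
nop
nop
add ip, ip, #8192                    // same as printf@plt insn 2
ldr r1, [ip, #1896]                  // r1 = word intended to be GOT[printf]; offset hand-adjusted
/*
 * Disassembly the constants above were derived from:
 * 00000654 <printf@plt>:
 * 654: e28fc600 add ip, pc, #0, 12
 * 658: e28cca02 add ip, ip, #8192 ; 0x2000
 * 65c: e5bcf954 ldr pc, [ip, #2388]! ; 0x954
 */
nop
nop
nop
nop
nop
ldr r0, debug_message                // arg0: format string again
//bl printf
blx r1                               // call through the GOT value; blx because printf is Thumb code
// r1 holds the printf address taken from the GOT. A normal call would go
// through 00000654 <printf@plt> (listing above), which fetches the real
// printf address from the GOT. The offset between 0x654 and the pc of
// this routine was computed by hand and the GOT address of printf derived
// from it directly (hence the 1896 above). It is called with blx rather
// than bl because printf is Thumb code and blx switches state on bit 0.
//
// Earlier attempts, kept for reference:
//movs pc, r1
//add ip, ip, #4096
//ldr pc, [ip, #2444]!
//mov r1,ip
//bl dp_printf
// 59c: e28fc600 .word 0xe28fc600
// 5a0: e28cca01 .word 0xe28cca01
// 5a4: e5bcfa58 .word 0xe5bcfa58
//ldr r3, printf
//ldr pc,printf
//add ip, pc, #0, 12
//add ip, ip, #4096
//;0x1000
//ldr pc, [ip, #2656]!
//; 0xa60
ldmia sp!, {r4-r11, ip, pc}          // restore and return (pc load, so the Thumb bit in lr is honoured on ARMv5T+)
error_code: .word 0x1ffc             // unreferenced literal
func_point123: .word printf          // absolute address as resolved by the linker -> text relocation in PIC builds
debug_message: .word debug_string    // absolute address of the format string -> text relocation in PIC builds
END(my_tgkill)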
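/*
 * dp_printf -- pass-through wrapper around printf, kept as its own symbol
 * so the call can be traced or breakpointed.
 *
 * r0-r3 and any stack-passed arguments are forwarded untouched; printf
 * returns straight to the caller of dp_printf because lr is left intact.
 *
 * Implemented as a tail branch on purpose. The previous version did
 * "stmdb sp!, {lr}" / "bl printf" / "ldmia sp!, {pc}", which has two
 * defects for a variadic callee: pushing a single word leaves sp at
 * 4 mod 8 when printf is entered, violating the AAPCS 8-byte stack
 * alignment contract (64-bit varargs read from the stack depend on it),
 * and it also moved the caller-supplied stack arguments one word up, so
 * printf would have read the saved lr as its fifth argument. Branching
 * instead of calling fixes both without any frame.
 */
ENTRY(dp_printf)
b printf                             // tail call; the linker is expected to add an interworking veneer if printf is Thumb
END(dp_printf)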
.data
// Format string used by the printf calls in this file, followed by 1 KiB
// of zero-filled scratch space. Both are deliberately in writable .data:
// my_tgkill stores a word at debug_string + 20, which lands inside this
// padding, so the string cannot simply be moved to .rodata. A writable
// format string is a format-string-attack hazard; once the scratch write
// is no longer needed, move the string to .rodata and the padding to .bss.
debug_string:
.asciz "valuewww = 0x%x.\n"
.skip 0x400, 0
.end