English:
Explanation needed for this assembler code
Question
Here is the translation of the code:
This is the C code:
```c
void test_function(int a, int b, int c, int d)
{
int flag;
char buffer[10];
flag = 31337;
buffer[0] = 'A';
}
int main()
{
test_function(1, 2, 3, 4);
}
```
Assembly of test_function:
```plaintext
Dump of assembler code for function test_function:
0x08048344 <test_function+0>: push ebp
0x08048345 <test_function+1>: mov ebp,esp
0x08048347 <test_function+3>: sub esp,0x28
0x0804834a <test_function+6>: mov DWORD PTR [ebp-12],0x7a69
0x08048351 <test_function+13>: mov BYTE PTR [ebp-40],0x41
0x08048355 <test_function+17>: leave
0x08048356 <test_function+18>: ret
```
I'm new to these topics, so I have some questions in my head.
- I think the first three lines of the assembler code are the function prologue. It pushes ebp onto the stack, then copies the value of esp into ebp. However, I don't understand why esp has to move back 40 bytes in memory.
- It puts 31337 into ebp-12, but why exactly ebp-12, and does it represent flag's memory? It seems not, since the location marked (2) at the bottom is designated as flag's memory.
- Below "x/16xw $esp", apart from the memory marked with a number on the left, what is the other memory that has no number, given that the numbered memory represents the local variables, parameters and the sfp?
English:
This is the C code:
```c
void test_function(int a, int b, int c, int d)
{
int flag;
char buffer[10];
flag = 31337;
buffer[0] = 'A';
}
int main()
{
test_function(1, 2, 3, 4);
}
```
Assembly of test_function:
```plaintext
Dump of assembler code for function test_function:
0x08048344 <test_function+0>: push ebp
0x08048345 <test_function+1>: mov ebp,esp
0x08048347 <test_function+3>: sub esp,0x28
0x0804834a <test_function+6>: mov DWORD PTR [ebp-12],0x7a69
0x08048351 <test_function+13>: mov BYTE PTR [ebp-40],0x41
0x08048355 <test_function+17>: leave
0x08048356 <test_function+18>: ret
End of assembler dump.
(gdb) print $ebp-12
$1 = (void *) 0xbffff7dc
(gdb) print $ebp-40
$2 = (void *) 0xbffff7c0
(gdb) x/16xw $esp
0xbffff7c0: (1)0x00000000 0x08049548 0xbffff7d8 0x08048249
0xbffff7d0: 0xb7f9f729 0xb7fd6ff4 0xbffff808 0x080483b9
0xbffff7e0: 0xb7fd6ff4 (2)0xbffff89c (3)0xbffff808 (4)0x0804838b
0xbffff7f0: (5)0x00000001 0x00000002 0x00000003 0x00000004
```
I'm new to these topics; therefore, some questions exist in my head.
- I suppose the first 3 lines of the assembler code are the prologue. It pushes ebp, then copies esp to ebt. However, I didn't understand why esp goes back 40 bytes in memory.
- It puts 31337 into ebp-12, but why is it exactly ebp-12, and does it represent the flag's memory? It seems it does not, since at the bottom (2) is designated as flag's memory.
- Below "x/16xw $esp", what are the other memories not including any (number) on the left, since the memories with numbers represent local variables, parameters, and sfp?
Answer 1
Score: 0
Problem description:
```plaintext
It pushes ebp onto the stack, then copies esp to ebt
```
ebt is wrong; there is no register called ebt. It should be ebp.
```asm
push ebp
```
This instruction is there to protect the bottom of the stack before the test_function function is called.
```asm
mov ebp, esp
sub esp, 0x28
```
This instruction grows the stack to allocate a new block of memory for storing values during the execution of the test_function function. The amount by which the stack grows is not fixed and will not always be 0x28; this value is computed by the compiler, which ensures that the size is suitable.
```asm
mov DWORD PTR [ebp-12], 0x7a69
```
corresponds to flag = 31337; flag's address equals the value ebp-12. The address is assigned by the compiler. DWORD corresponds to int. The hexadecimal number 0x7a69 equals the decimal number 31337.
And
```asm
mov BYTE PTR [ebp-40], 0x41
```
is the same. The hexadecimal number 0x41 equals the decimal number 65. BYTE corresponds to char.
The code below
```plaintext
(gdb) x/16xw $esp
0xbffff7c0: (1)0x00000000 0x08049548 0xbffff7d8 0x08048249
0xbffff7d0: 0xb7f9f729 0xb7fd6ff4 0xbffff808 0x080483b9
0xbffff7e0: 0xb7fd6ff4 (2)0xbffff89c (3)0xbffff808 (4)0x0804838b
0xbffff7f0: (5)0x00000001 0x00000002 0x00000003 0x00000004
```
For example, 0xbffff7c0 on the left is an address, and its value is 0x00000000. Therefore, the value at address 0xbffff7c4 (0xbffff7c4 = 0xbffff7c0 + 4) is 0x08049548, because 0x00000000 occupies 4 bytes. The value at address 0xbffff7c8 is 0xbffff7d8. ...
I think the assembler code below
```plaintext
Dump of assembler code for function test_function:
0x08048344 <test_function+0>: push ebp
0x08048345 <test_function+1>: mov ebp, esp
0x08048347 <test_function+3>: sub esp, 0x28
0x0804834a <test_function+6>: mov DWORD PTR [ebp-12], 0x7a69
0x08048351 <test_function+13>: mov BYTE PTR [ebp-40], 0x41
0x08048355 <test_function+17>: leave
0x08048356 <test_function+18>: ret
```
can be converted into the following code (as @Peter Cordes points out, "leave" equals "mov esp, ebp" + "pop ebp"; see https://www.felixcloutier.com/x86/leave)
```plaintext
Dump of assembler code for function test_function:
0x08048344 <test_function+0>: push ebp
0x08048345 <test_function+1>: mov ebp, esp
0x08048347 <test_function+3>: sub esp, 0x28
0x0804834a <test_function+6>: mov DWORD PTR [ebp-12], 0x7a69
0x08048351 <test_function+13>: mov BYTE PTR [ebp-40], 0x41
mov esp, ebp // changed here
pop ebp // changed here
0x08048356 <test_function+18>: ret
```
Local variables are stored on the stack.
So we can get the following picture:
<details>
<summary>English:</summary>
Your problem
```plaintext
It pushes ebp, then copies esp to ebt
```
ebt is wrong, there is no register called ebt. It should be ebp.
```asm
push ebp
```
the command is to preserve the stack bottom before calling the test_function function.
```asm
mov ebp,esp
sub esp,0x28
```
the command is to increase the stack to allocate a new block of memory for storing values during the execution of the test_function function. And the size of the stack increase is not fixed and will not always be 0x28. This value is calculated by the compiler, which ensures that the size is suitable.
```asm
mov DWORD PTR [ebp-12],0x7a69
```
corresponds to flag = 31337; flag's address is equal to ebp-12's value. The address is assigned by the compiler. DWORD corresponds to int. The hexadecimal number 0x7a69 is equivalent to the decimal number 31337.
And
```asm
mov BYTE PTR [ebp-40],0x41
```
the same. The hexadecimal number 0x41 is equivalent to the decimal number 65. The decimal value of the ASCII code for the letter A is the decimal number 65. BYTE corresponds to char.
The code below
```plaintext
(gdb) x/16xw $esp
0xbffff7c0: (1)0x00000000 0x08049548 0xbffff7d8 0x08048249
0xbffff7d0: 0xb7f9f729 0xb7fd6ff4 0xbffff808 0x080483b9
0xbffff7e0: 0xb7fd6ff4 (2)0xbffff89c (3)0xbffff808 (4)0x0804838b
0xbffff7f0: (5)0x00000001 0x00000002 0x00000003 0x00000004
```
For example, 0xbffff7c0: on the left is the address, and its value is 0x00000000. So the value at address 0xbffff7c4 (0xbffff7c4 = 0xbffff7c0 + 4) is 0x08049548, because 0x00000000 occupies 4 bytes. The value at address 0xbffff7c8 is 0xbffff7d8. ....
I think the assembler code below
```plaintext
Dump of assembler code for function test_function:
0x08048344 <test_function+0>: push ebp
0x08048345 <test_function+1>: mov ebp,esp
0x08048347 <test_function+3>: sub esp,0x28
0x0804834a <test_function+6>: mov DWORD PTR [ebp-12],0x7a69
0x08048351 <test_function+13>: mov BYTE PTR [ebp-40],0x41
0x08048355 <test_function+17>: leave
0x08048356 <test_function+18>: ret
```
can be converted to the code below (as @Peter Cordes points out, "leave" is equal to "mov esp,ebp" + "pop ebp"; see https://www.felixcloutier.com/x86/leave)
```plaintext
Dump of assembler code for function test_function:
0x08048344 <test_function+0>: push ebp
0x08048345 <test_function+1>: mov ebp,esp
0x08048347 <test_function+3>: sub esp,0x28
0x0804834a <test_function+6>: mov DWORD PTR [ebp-12],0x7a69
0x08048351 <test_function+13>: mov BYTE PTR [ebp-40],0x41
mov esp,ebp // here changed
pop ebp // here changed
0x08048356 <test_function+18>: ret
```
Local variables are stored in the stack.
So we can get a picture, see below:
[![enter image description here][1]][1]
[1]: https://i.stack.imgur.com/dOrfR.png
</details>
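The answer's picture can also be derived mechanically. The following Python script is an added example (not from the question, the answer, or gdb): it parses the `x/16xw $esp` dump quoted in the question, tolerating the hand-written `(n)` markers, and labels every word with its role using only what the disassembly states: ebp = esp + 0x28 after the prologue, `flag` at [ebp-12], `buffer` at [ebp-40], the saved ebp at [ebp], the return address at [ebp+4] and the four arguments from [ebp+8]. The function names and the "unnamed" label are mine.

```python
import re

# Constructed sample: the x/16xw $esp dump from the question, markers included.
GDB_DUMP = """\
0xbffff7c0: (1)0x00000000 0x08049548 0xbffff7d8 0x08048249
0xbffff7d0: 0xb7f9f729 0xb7fd6ff4 0xbffff808 0x080483b9
0xbffff7e0: 0xb7fd6ff4 (2)0xbffff89c (3)0xbffff808 (4)0x0804838b
0xbffff7f0: (5)0x00000001 0x00000002 0x00000003 0x00000004
"""
FRAME_SIZE = 0x28  # from `sub esp,0x28`
LOCALS = {"flag": (12, 4), "buffer": (40, 10)}  # [ebp-12] int, [ebp-40] char[10]
NARGS = 4  # test_function(1, 2, 3, 4)

def parse_xw(dump):
    """Return {address: value} for every 4-byte word of an `x/Nxw` dump."""
    words = {}
    for line in dump.splitlines():
        m = re.match(r"\s*(0x[0-9a-fA-F]+):\s*(.*)$", line)
        if not m:
            continue  # blank or non-dump line
        base = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            val = tok.split(")")[-1]  # drop a hand-written "(n)" marker
            words[base + 4 * i] = int(val, 16)  # words are 4 bytes apart
    return words

def frame_layout(esp, frame_size, locals_, nargs):
    """Map stack-word addresses to their role in a cdecl frame: after
    `push ebp; mov ebp,esp; sub esp,N`, ebp == esp + N, the saved ebp is at
    [ebp], the return address at [ebp+4] and caller-pushed args from [ebp+8]."""
    ebp = esp + frame_size
    roles = {}
    for name, (offset, size) in locals_.items():
        for w in range(0, size, 4):  # a local may span several words
            roles[ebp - offset + w] = name
    roles[ebp] = "saved ebp (sfp)"
    roles[ebp + 4] = "return address"
    for i in range(nargs):
        roles[ebp + 8 + 4 * i] = "arg %d" % (i + 1)
    return ebp, roles

def annotate(dump, esp, frame_size=FRAME_SIZE, locals_=LOCALS, nargs=NARGS):
    words = parse_xw(dump)  # rows of (address, value, role), low to high
    _, roles = frame_layout(esp, frame_size, locals_, nargs)
    return [(a, v, roles.get(a, "unnamed (not used by any local)"))
            for a, v in sorted(words.items())]

for addr, val, role in annotate(GDB_DUMP, esp=0xbffff7c0):
    print("0x%08x: 0x%08x  %s" % (addr, val, role))
```

On the question's dump this places `buffer` at 0xbffff7c0, `flag` at 0xbffff7dc (the value gdb printed for $ebp-12), the saved ebp at 0xbffff7e8, the return address 0x0804838b at 0xbffff7ec and the arguments 1 to 4 from 0xbffff7f0; the words in between are simply not used by any local, which answers the third question.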