我想用C语言修改函数的返回值,就是main-》a-》b然后b修改栈中的返回地址直接跳回main函数
#include<stdio.h>
extern int main();
int b(unsigned int a){
unsigned int i = 0;
printf("b start\n");
printf("address[%p] , value[0x%x]\n",(&i - 3),*(&i - 3));
*(&i -3) = a;
printf("address[%p] , value[0x%x]\n",(&i - 3),*(&i - 3));
printf("b end\n");
return 0;
}
int a() {
unsigned int a = 1;
printf("a start\n");
printf("address[%p] , value[0x%x]\n",(&a - 1),*(&a-1));
printf("address[%p] , value[0x%x]\n",(&a - 2),*(&a-2));
printf("address[%p] , value[0x%x]\n",(&a - 3),*(&a-3));
b(*(&a - 3));
printf("a end \n");
return 1;
}
int main() {
printf("a %p\n",a);
printf("main %p\n",main);
a();
printf("main end\n");
return 0;
}
------解决方案--------------------------------------------------------
b修改栈中的返回地址直接跳回main函数
b哪里修改了?
------解决方案--------------------------------------------------------
C语言本身有提供这样的功能吗?用汇编搞搞试试呢
------解决方案--------------------------------------------------------
看一下编译时加GS没
------解决方案--------------------------------------------------------
先看下汇编b(*(&a - 3));&a-3是不是main的返回值,而且在b中没有看到你对他的修改
------解决方案--------------------------------------------------------
仅供参考
#include <stdio.h>
#include <setjmp.h>
jmp_buf mark;
int i=0;
void c() {
printf( "c in\n");
if (1==i%2) longjmp( mark, i );
printf( "c out\n");
}
void b() {
printf( "b in\n");
c();
printf( "b out\n");
}
void a() {
printf( "a in\n");
b();
printf( "a out\n");
}
void main( void )
{
int jmpret;
jmpret = setjmp( mark );
printf( "Start %d\n",jmpret);
if( jmpret == 0 ) {
printf( "First\n");
a();
i++;
a();
} else {
printf( "Second\n");
}
}
//Start 0
//First
//a in
//b in
//c in
//c out
//b out
//a out
//a in
//b in
//c in
//Start 1
//Second
//
------解决方案--------------------------------------------------------
2次ebp,是为了16字节对齐
3*4比较靠谱些
------解决方案--------------------------------------------------------