For example:
#include<stdio.h>
int test_num;
/* Receives a COPY of the caller's pointer (pass by value). The assignment
 * below rebinds only that local copy; the caller's variable is untouched. */
void func(int *p)
{
    p = &test_num;
}
int main(void)
{
    int *p;        /* indeterminate: nothing below ever initializes it */
    func(p);       /* p is passed by value, so main's p cannot change */
    *p = 1000;     /* write through an indeterminate pointer: undefined behaviour (the core dump) */
    return 0;
}
Running it dumps core.
Assembly output:
gcc -S t3.c -o t3.s
.file "t3.c"
    .comm test_num,4,4              # 4-byte global test_num (zero-initialized)
    .text
    .globl func
    .type func, @function
func:
.LFB0:
    .cfi_startproc
    pushq %rbp
    .cfi_def_cfa_offset 16
    .cfi_offset 6, -16
    movq %rsp, %rbp
    .cfi_def_cfa_register 6
    movq %rdi, -24(%rbp)            # incoming p (first argument, %rdi) saved in func's own frame
    movq $test_num, -8(%rbp)        # p = &test_num: written into func's frame only, never into the caller's memory
    popq %rbp
    .cfi_def_cfa 7, 8
    ret
    .cfi_endproc
.LFE0:
    .size func, .-func
    .globl main
    .type main, @function
main:
.LFB1:
    .cfi_startproc
    pushq %rbp
    .cfi_def_cfa_offset 16
    .cfi_offset 6, -16
    movq %rsp, %rbp
    .cfi_def_cfa_register 6
    subq $16, %rsp                  # main's p lives at -8(%rbp); no store to it ever happens in main
    movq -8(%rbp), %rax             # load p (still indeterminate)
    movq %rax, %rdi                 # pass that value by copy
    call func
    movq -8(%rbp), %rax             # reload p from the same slot: func never wrote here, so it is unchanged
    movl $1000, (%rax)              # *p = 1000 through the indeterminate pointer: this is the crash
    movl $0, %eax
    leave
    .cfi_def_cfa 7, 8
    ret
    .cfi_endproc
.LFE1:
    .size main, .-main
    .ident "GCC: (Ubuntu 4.8.4-2ubuntu1~14.04.4) 4.8.4"
    .section .note.GNU-stack,"",@progbits
Before main calls func:
movq -8(%rbp), %rax
movl $1000, (%rax)
The mistake is obvious here: the pointer value stored at -8(%rbp) is loaded into a register and passed on — in effect a copy of p is made for func to use;
and inside func, after the call:
movq $test_num, -8(%rbp)
So func only operates on the copy of p: it is the copy that is made to hold the address of the global test_num.
After ret returns to main, the code assigns 1000 through p, but main's own p never received the address — only the copy knew it.
Modified source:
#include<stdio.h>
int test_num;

/* Takes the ADDRESS of the caller's pointer variable, so the store below
 * goes through it and rebinds the caller's own variable, not a local copy. */
void func(int **p)
{
    int *target = &test_num;
    *p = target;
}

int main(void)
{
    int *p = NULL;  /* set by func() before it is dereferenced */
    func(&p);       /* pass the address of p, not its (empty) value */
    *p = 1000;      /* p == &test_num now, so this stores into test_num */
    return 0;
}
Assembly output of the modified source:
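.file "t3.c"
    .comm test_num,4,4              # 4-byte global test_num (zero-initialized)
    .text
    .globl func
    .type func, @function
func:
.LFB0:
    .cfi_startproc
    pushq %rbp
    .cfi_def_cfa_offset 16
    .cfi_offset 6, -16
    movq %rsp, %rbp
    .cfi_def_cfa_register 6
    movq %rdi, -8(%rbp)             # save the argument: the address of main's p
    movq -8(%rbp), %rax             # rax = &p (a location in main's frame)
    movq $test_num, (%rax)          # *p = &test_num: the store goes through the pointer into main's variable
    popq %rbp
    .cfi_def_cfa 7, 8
    ret
    .cfi_endproc
.LFE0:
    .size func, .-func
    .globl main
    .type main, @function
main:
.LFB1:
    .cfi_startproc
    pushq %rbp
    .cfi_def_cfa_offset 16
    .cfi_offset 6, -16
    movq %rsp, %rbp
    .cfi_def_cfa_register 6
    subq $16, %rsp                  # main's p lives at -8(%rbp)
    leaq -8(%rbp), %rax             # rax = address of p (lea computes the address; it does not load the value)
    movq %rax, %rdi                 # pass &p
    call func
    movq -8(%rbp), %rax             # reload p: func wrote &test_num here
    movl $1000, (%rax)              # *p = 1000, i.e. test_num = 1000
    movl $0, %eax
    leave
    .cfi_def_cfa 7, 8
    ret
    .cfi_endproc
.LFE1:
    .size main, .-main
    .ident "GCC: (Ubuntu 4.8.4-2ubuntu1~14.04.4) 4.8.4"
    .section .note.GNU-stack,"",@progbits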
We can see the difference:
In other words, what func now receives as its copy is not the pointer value stored at -8(%rbp), but the address of that slot itself (i.e. the address of main's p), so the store inside func lands in main's own variable.