问
在多重继承中反汇编虚方法.vtable如何工作?
小秋秋 发布于 2023-01-16 11:26假设以下C++源文件:
#includeclass BaseTest { public: int a; BaseTest(): a(2){} virtual int gB() { return a; }; }; class SubTest: public BaseTest { public: int b; SubTest(): b(4){} }; class TriTest: public BaseTest { public: int c; TriTest(): c(42){} }; class EvilTest: public SubTest, public TriTest { public: virtual int gB(){ return b; } }; int main(){ EvilTest * t2 = new EvilTest; TriTest * t3 = t2; printf("%d\n",t3->gB()); printf("%d\n",t2->gB()); return 0; }
-fdump-class-hierarchy 给我:
[...]
Vtable for EvilTest
EvilTest::_ZTV8EvilTest: 6u entries
0 (int (*)(...))0
8 (int (*)(...))(& _ZTI8EvilTest)
16 (int (*)(...))EvilTest::gB
24 (int (*)(...))-16
32 (int (*)(...))(& _ZTI8EvilTest)
40 (int (*)(...))EvilTest::_ZThn16_N8EvilTest2gBEv
Class EvilTest
size=32 align=8
base size=32 base align=8
EvilTest (0x0x7f1ba98a8150) 0
vptr=((& EvilTest::_ZTV8EvilTest) + 16u)
SubTest (0x0x7f1ba96df478) 0
primary-for EvilTest (0x0x7f1ba98a8150)
BaseTest (0x0x7f1ba982ba80) 0
primary-for SubTest (0x0x7f1ba96df478)
TriTest (0x0x7f1ba96df4e0) 16
vptr=((& EvilTest::_ZTV8EvilTest) + 40u)
BaseTest (0x0x7f1ba982bae0) 16
primary-for TriTest (0x0x7f1ba96df4e0)
反汇编显示:
34 int main(){
0x000000000040076d <+0>: push rbp
0x000000000040076e <+1>: mov rbp,rsp
0x0000000000400771 <+4>: push rbx
0x0000000000400772 <+5>: sub rsp,0x18
35 EvilTest * t2 = new EvilTest;
0x0000000000400776 <+9>: mov edi,0x20
0x000000000040077b <+14>: call 0x400670 <_Znwm@plt>
0x0000000000400780 <+19>: mov rbx,rax
0x0000000000400783 <+22>: mov rdi,rbx
0x0000000000400786 <+25>: call 0x4008a8
0x000000000040078b <+30>: mov QWORD PTR [rbp-0x18],rbx
36
37 TriTest * t3 = t2;
0x000000000040078f <+34>: cmp QWORD PTR [rbp-0x18],0x0
0x0000000000400794 <+39>: je 0x4007a0
0x0000000000400796 <+41>: mov rax,QWORD PTR [rbp-0x18]
0x000000000040079a <+45>: add rax,0x10
0x000000000040079e <+49>: jmp 0x4007a5
0x00000000004007a0 <+51>: mov eax,0x0
0x00000000004007a5 <+56>: mov QWORD PTR [rbp-0x20],rax
38
39 printf("%d\n",t3->gB());
0x00000000004007a9 <+60>: mov rax,QWORD PTR [rbp-0x20]
0x00000000004007ad <+64>: mov rax,QWORD PTR [rax]
0x00000000004007b0 <+67>: mov rax,QWORD PTR [rax]
0x00000000004007b3 <+70>: mov rdx,QWORD PTR [rbp-0x20]
0x00000000004007b7 <+74>: mov rdi,rdx
0x00000000004007ba <+77>: call rax
0x00000000004007bc <+79>: mov esi,eax
0x00000000004007be <+81>: mov edi,0x400984
0x00000000004007c3 <+86>: mov eax,0x0
0x00000000004007c8 <+91>: call 0x400640
40 printf("%d\n",t2->gB());
0x00000000004007cd <+96>: mov rax,QWORD PTR [rbp-0x18]
0x00000000004007d1 <+100>: mov rax,QWORD PTR [rax]
0x00000000004007d4 <+103>: mov rax,QWORD PTR [rax]
0x00000000004007d7 <+106>: mov rdx,QWORD PTR [rbp-0x18]
0x00000000004007db <+110>: mov rdi,rdx
0x00000000004007de <+113>: call rax
0x00000000004007e0 <+115>: mov esi,eax
0x00000000004007e2 <+117>: mov edi,0x400984
0x00000000004007e7 <+122>: mov eax,0x0
0x00000000004007ec <+127>: call 0x400640
41 return 0;
0x00000000004007f1 <+132>: mov eax,0x0
42 }
0x00000000004007f6 <+137>: add rsp,0x18
0x00000000004007fa <+141>: pop rbx
0x00000000004007fb <+142>: pop rbp
0x00000000004007fc <+143>: ret
现在您已经有足够的时间从第一个代码块中的致命钻石中恢复,实际问题.
当t3->gB()调用时,我看到以下disas(t3是类型TriTest,gB()是虚方法EvilTest::gB()):
0x00000000004007a9 <+60>: mov rax,QWORD PTR [rbp-0x20] 0x00000000004007ad <+64>: mov rax,QWORD PTR [rax] 0x00000000004007b0 <+67>: mov rax,QWORD PTR [rax] 0x00000000004007b3 <+70>: mov rdx,QWORD PTR [rbp-0x20] 0x00000000004007b7 <+74>: mov rdi,rdx 0x00000000004007ba <+77>: call rax
第一个mov将vtable移动到rax中,下一个取消引用它(现在我们在vtable中)
之后的那个取消引用,以获得指向该函数的指针,并在该粘贴的底部进行call编辑.
到目前为止这么好,但这带来了一些问题.
在哪里this?
我假设this是rdi通过mov+在+70和+74加载,但这与vtable是相同的指针,这意味着它是一个指向一个TriTest不应该有SubTestsb成员的类的指针.linux thiscall约定是否处理被调用方法中的虚拟转换而不是外部?
罗德里戈在这里回答了这个问题
如何反汇编虚拟方法?
如果我知道这一点,我可以自己回答上一个问题.disas EvilTest::gB给我:
Cannot reference virtual member function "gB"
在call运行info reg rax和disas唱歌之前设置断点给了我:
(gdb) info reg rax rax 0x4008a1 4196513 (gdb) disas 0x4008a14196513 No function contains specified address. (gdb) disas *0x4008a14196513 Cannot access memory at address 0x4008a14196513
为什么vtable(显然)距离彼此只有8个字节?
的fdump说,有在第一和第二之间的16个字节&vtable(这符合64位指针和2个整数),但dissasembly从第二gB()呼叫是:
0x00000000004007cd <+96>: mov rax,QWORD PTR [rbp-0x18] 0x00000000004007d1 <+100>: mov rax,QWORD PTR [rax] 0x00000000004007d4 <+103>: mov rax,QWORD PTR [rax] 0x00000000004007d7 <+106>: mov rdx,QWORD PTR [rbp-0x18] 0x00000000004007db <+110>: mov rdi,rdx 0x00000000004007de <+113>: call rax
[rbp-0x18]离前一个调用([rbp-0x20])只有8个字节.这是怎么回事?
在评论中回答了500
我忘了对象是堆分配的,只有它们的指针在堆栈上
撰写答案
今天,你开发时遇到什么问题呢?
立即提问
京公网安备 11010802041100号