概述
记录一个小实验，演示 x64（Linux）下函数参数是如何传递的。
结论
func(a, b, c, d, e, f, g, h)
前 6 个整型参数依次通过 RDI、RSI、RDX、RCX、R8、R9 传递，第 7、8 个参数从右向左压栈（Linux x86-64 的 System V 调用约定，下方寄存器和栈的内容可以印证）：
RCX: 0x64 ('d')
RDX: 0x63 ('c')
RSI: 0x62 ('b')
RDI: 0x61 ('a')
R8 : 0x65 ('e')
R9 : 0x66 ('f')
RBP: 0x7fffffffde00 --> 0x4005c0 (<__libc_csu_init>: push r15)
RSP: 0x7fffffffddf0 --> 0x67 ('g')
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffddf0 --> 0x67 ('g')
0008| 0x7fffffffddf8 --> 0x68 ('h')
# 先 push 'h'，后 push 'g'：超出 6 个寄存器的参数从右向左压栈，因此第 7 个参数 'g' 位于栈顶
演示
/*
64位函数传参实验
*/
#include <stdio.h>
/*
 * Demo callee: takes eight int arguments so that, in the build shown in the
 * gdb dump below, the first six arrive in registers and the last two arrive
 * on the stack.  Prints the sum of all eight arguments followed by a newline.
 * Always returns 0.
 */
int func(int a1, int b2, int c3, int d4, int e5, int f6, int g7, int h8)
{
    int total = a1 + b2;
    total += c3 + d4;
    total += e5 + f6;
    total += g7 + h8;
    printf("%d\n", total);
    return 0;
}
/*
 * Calls func() with eight distinct byte values ('a'..'h') so that each
 * argument is recognisable in the registers and on the stack when a
 * breakpoint is placed on the call instruction (see the gdb dump below).
 * The code is kept exactly as compiled so that it matches the disassembly
 * and addresses shown in that dump.
 */
int main(){
/* Arguments 7 and 8 ('g', 'h') do not fit in the six integer argument
 * registers; the dump shows them pushed on the stack, 'h' first then 'g'. */
func('a', 'b', 'c', 'd', 'e', 'f', 'g', 'h');
return 0;
}
/*
Dump of assembler code for function main:
0x0000000000400580 <+0>: push rbp
0x0000000000400581 <+1>: mov rbp,rsp
=> 0x0000000000400584 <+4>: push 0x68
0x0000000000400586 <+6>: push 0x67
0x0000000000400588 <+8>: mov r9d,0x66
0x000000000040058e <+14>: mov r8d,0x65
0x0000000000400594 <+20>: mov ecx,0x64
0x0000000000400599 <+25>: mov edx,0x63
0x000000000040059e <+30>: mov esi,0x62
0x00000000004005a3 <+35>: mov edi,0x61
0x00000000004005a8 <+40>: call 0x400526 <func>
0x00000000004005ad <+45>: add rsp,0x10
0x00000000004005b1 <+49>: mov eax,0x0
0x00000000004005b6 <+54>: leave
0x00000000004005b7 <+55>: ret
End of assembler dump.
gdb-peda$ c
Continuing.
[----------------------------------registers-----------------------------------]
...
RCX: 0x64 ('d')
RDX: 0x63 ('c')
RSI: 0x62 ('b')
RDI: 0x61 ('a')
RBP: 0x7fffffffde00 --> 0x4005c0 (<__libc_csu_init>: push r15)
RSP: 0x7fffffffddf0 --> 0x67 ('g')
RIP: 0x4005a8 (<main+40>: call 0x400526 <func>)
R8 : 0x65 ('e')
R9 : 0x66 ('f')
...
[-------------------------------------code-------------------------------------]
0x400599 <main+25>: mov edx,0x63
0x40059e <main+30>: mov esi,0x62
0x4005a3 <main+35>: mov edi,0x61
=> 0x4005a8 <main+40>: call 0x400526 <func>
0x4005ad <main+45>: add rsp,0x10
0x4005b1 <main+49>: mov eax,0x0
0x4005b6 <main+54>: leave
0x4005b7 <main+55>: ret
...
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffddf0 --> 0x67 ('g')
0008| 0x7fffffffddf8 --> 0x68 ('h')
0016| 0x7fffffffde00 --> 0x4005c0 (<__libc_csu_init>: push r15)
0024| 0x7fffffffde08 --> 0x7ffff7a2d830 (<__libc_start_main+240>: mov edi,eax)
0032| 0x7fffffffde10 --> 0x1
0040| 0x7fffffffde18 --> 0x7fffffffdee8 --> 0x7fffffffe266 ("/home/invincible/Desktop/test/64")
0048| 0x7fffffffde20 --> 0x1f7ffcca0
0056| 0x7fffffffde28 --> 0x400580 (<main>: push rbp)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Breakpoint 2, 0x00000000004005a8 in main () at 64_param_demo.c:13
13 func('a', 'b', 'c', 'd', 'e', 'f', 'g', 'h');
gdb-peda$
*/