ytlvy · October 7, 2015 13:01
diff --git a/getRsp b/getRsp
 //
 //  main.m
 //  debug
 //
 //  Created by piao on 15/7/20.
 //  Copyright (c) 2015年 piao. All rights reserved.
 //
 
 #import <Foundation/Foundation.h>
 
 __attribute__((naked)) uint64_t getRbp()
 {
    __asm__("mov %rbp, %rax\n\n\r"
            "ret");
 }
 
 // 嘿嘿，shellcode经常用到滴...
 __attribute__((naked)) uint64_t getRip()
 {
    __asm__("call 0f\n\n\r"
            "0:pop %rax\n\n\r"
            //"sub $5, %rax\n\n\r"   // 减去指令长度
            "ret");
 }
 
 __attribute__((naked)) uint64_t getRsp()
 {
    __asm__("mov %rsp, %rax\n\n\r"
            "ret");
 }
 
 void piaoyun(){
 
    NSLog(@"[++++]一层返回 = %llx", getRip() - 5);
    NSLog(@"[++++]二层返回 = %llx", *(uint64_t *)(getRbp() + 0x8));
     
 }
 
 int main(int argc, const char * argv[]) {
    @autoreleasepool {
        piaoyun();
    }
    return 0;
 }
	//
	// main.m
	// debug
	//
	// Created by piao on 15/7/20.
	// Copyright (c) 2015年 piao. All rights reserved.
	//

	#import <Foundation/Foundation.h>

	__attribute__((naked)) uint64_t getRbp()
	{
	__asm__("mov %rbp, %rax\n\n\r"
	"ret");
	}

	// 嘿嘿，shellcode经常用到滴...
	__attribute__((naked)) uint64_t getRip()
	{
	__asm__("call 0f\n\n\r"
	"0:pop %rax\n\n\r"
	//"sub $5, %rax\n\n\r" // 减去指令长度
	"ret");
	}

	__attribute__((naked)) uint64_t getRsp()
	{
	__asm__("mov %rsp, %rax\n\n\r"
	"ret");
	}

	void piaoyun(){

	NSLog(@"[++++]一层返回 = %llx", getRip() - 5);
	NSLog(@"[++++]二层返回 = %llx", (uint64_t )(getRbp() + 0x8));

	}

	int main(int argc, const char * argv[]) {
	@autoreleasepool {
	piaoyun();
	}
	return 0;
	}