$ gcc -v
Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/3.2.3/specs
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --enable-shared --enable-threads=posix --disable-checking --with-system-zlib --enable-__cxa_atexit --host=i386-redhat-linux
Thread model: posix
gcc version 3.2.3 20030502 (Red Hat Linux 3.2.3-24)

$ gdb -v
GNU gdb Red Hat Linux (6.0post-0.20031117.6rh)
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu".

$ uname -a
Linux candy 2.4.21-9.EL #1 Thu Jan 8 17:03:13 EST 2004 i686 athlon i386 GNU/Linux

/************
* a.c
************/
void function(void)
{
char buffer[5];
int* ret;

ret=buffer+28;
(*ret)+=10;
}

void main()
{
int x;

x=0;
function();

x=1;
printf("%d\n",x);

return;
}
/*end*/

ret=buffer+28;
(*ret)+=10;
中的28 和 10

$gcc -g -o a a.c //加上-g 用来在gdb中调试

$gdb a
(gdb)disas main //得到反汇编代码 如下:
Dump of assembler code for function main:
0x08048366 <main+0>: push %ebp
0x08048367 <main+1>: mov %esp,%ebp
0x08048369 <main+3>: sub $0x8,%esp
0x0804836c <main+6>: and $0xfffffff0,%esp
0x0804836f <main+9>: mov $0x0,%eax
0x08048374 <main+14>: sub %eax,%esp
0x08048376 <main+16>: movl $0x0,0xfffffffc(%ebp)
0x0804837d <main+23>: call 0x8048348 <function>
0x08048382 <main+28>: movl $0x1,0xfffffffc(%ebp)
0x08048389 <main+35>: sub $0x8,%esp
0x0804838c <main+38>: pushl 0xfffffffc(%ebp)
0x0804838f <main+41>: push $0x8048474
0x08048394 <main+46>: call 0x8048288
0x08048399 <main+51>: add $0x10,%esp
0x0804839c <main+54>: leave
0x0804839d <main+55>: ret
End of assembler dump.

(gdb)disas function
Dump of assembler code for function function:
0x08048348 <function+0>: push %ebp
0x08048349 <function+1>: mov %esp,%ebp
0x0804834b <function+3>: sub $0x28,%esp
0x0804834e <function+6>: lea 0xffffffe8(%ebp),%eax
0x08048351 <function+9>: add $0x1c,%eax
0x08048354 <function+12>: mov %eax,0xffffffe4(%ebp)
0x08048357 <function+15>: mov 0xffffffe4(%ebp),%edx
0x0804835a <function+18>: mov 0xffffffe4(%ebp),%eax
0x0804835d <function+21>: mov (%eax),%eax
0x0804835f <function+23>: add $0xa,%eax
0x08048362 <function+26>: mov %eax,(%edx)
0x08048364 <function+28>: leave
0x08048365 <function+29>: ret
End of assembler dump.

(gdb) l //显示源代码(因为编译时用了 -g 参数)
5
6 ret=buffer+28;
7 (*ret)+=10;
8 }
9
10 void main()
11 {
12 int x;
13
14 x=0;

(gdb)b 6 // 在关键处下断点 观察内存的值
Breakpoint 1 at 0x804834e: file a.c, line 6.
(gdb)b 7
Breakpoint 2 at 0x8048357: file a.c, line 7.
(gdb)r
Breakpoint 1, function () at rr.c:6
6 ret=buffer+28;
(gdb)i reg //观察寄存器的值 (注意ebp esp eip)
eax 0x0 0
ecx 0xbffff01c -1073745892
edx 0xbfffefa0 -1073746016
ebx 0xb75d4e58 -1218621864
esp 0xbfffef50 0xbfffef50
ebp 0xbfffef78 0xbfffef78
esi 0xbffff014 -1073745900
edi 0xb75d273c -1218631876
eip 0x804834e 0x804834e
eflags 0x200286 2097798
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x33 51

(gdb)x/20x $esp
0xbfffef50: 0x080483a0 0x08049564 0xbfffef68 0x08048265
0xbfffef60: 0x00000000 0x00000000 0xbfffef88 0x080483ba
0xbfffef70: 0xb74ca4f3 0xb75d4e58 0xbfffef88 0x08048382
0xbfffef80: 0xb7600020 0x00000000 0xbfffefe8 0xb74b5748
0xbfffef90: 0x00000001 0xbffff014 0xbffff01c 0x00000000

(gdb)n
(gdb)n //之后我们可以看到 0x08048382 变成了 0x0804838c

(gdb)c
Continuing.
0

Program exited with code 02.