Figure 3: A sample stack displayed by the p option for hackme a bc def, part 2.

· 08048996 corresponds to the point in main that will push the result of process(a) (stored in EAX) on the stack before pushing the format string "***** ANS = %i ***** " and calling printf. 00c4279a corresponds to the point in the operating system code that invoked main and is waiting for it to return. Note that the addresses for user code begin with 0804, which is typical in the programs you will see.

· The print_stack program automatically puts dotted lines at the bottom of each frame. But you could insert the dotted lines yourself by looking for transitions between stack addresses (bf...) and user code addresses (0804...). Not all such transitions correspond to frame boundaries (e.g., there is no frame boundary at bfffa568[4] or bfffa5b8 in our example), but once the first "real" frame boundary is found at the top of the stack, the linked list structure of frames can be used to find the rest.

· The array a, which contains the values 5, 10, and 15 (in hex, 05, 0a, and 0f), is at address bfffa5c0. Since a is an argument to both process and getelt, this address appears right below the return addresses for the top two frames.

· The arguments to main appear below the return address of the third frame. Even though main was not declared with any arguments in hackme.c, it always takes two arguments:

  1. The argument count (usually called argc) is the number of whitespace-delimited strings on the command line. In hackme a bc def, there are four such strings ("hackme", "a", "bc", and "def"), so the argument count is 4 in this case. It is stored at address bfffa5e0.

  2. The argument vector (usually called argv) is the address of a null-terminated array of the strings on the command line. In this case, the array address is bfffa664, which is stored at address bfffa5e4.
In figure 3, we see that this address is the beginning of the following null-terminated array:

  bfffa664: bffff7dd ->hackme
  bfffa668: bffff7e4 ->a
  bfffa66c: bffff7e6 ->bc
  bfffa670: bffff7e9 ->def
  bfffa674: 00000000

The notation address ->string indicates that the characters of the string string are stored at address address. Indeed, we can verify this in figure 3 by looking further down the stack. For instance, the word at address bffff7dc contains the characters cah^@ (where ^@ is the null character) stored in little endian order. So the byte at byte address bffff7dc is ^@, the byte at bffff7dd is h, the byte at bffff7de is a, and the byte at bffff7df is c.

· The stack below the bottommost frame also stores the shell environment, which is represented as a null-terminated array of strings of the form name=value, and the strings in this array. For example, the first shell environment entry, BIBINPUTS=:/home/fturbak/church/lib/bibtex, is the string pointer bffff7ed stored at address bfffa678. You should verify that all the characters of this string can indeed be found at address bffff7ed.

[4] Actually, the boundary between bfffa588 and 08048857 at address bfffa568 is a frame boundary for the call to print_stack itself, and bfffa588 is the address of the base of the first "real" frame.
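To make the points above concrete, here is an added Python example (not part of the handout or of print_stack) that decodes a small constructed stack image of the kind print_stack displays: it recovers bytes from little-endian words, follows the argv pointer array, scans for stack-address/code-address transitions, and then walks the saved-frame-pointer chain to separate real frame boundaries from false ones. The argc, argv, array and "hackme" addresses follow the description above; the two-frame layout and the extra non-boundary words are assumptions.

```python
import struct

# Constructed 32-bit little-endian stack image in the style of the hackme
# print_stack dump: {word address: value}. argc, argv, the argv array and the
# "hackme" string follow the figure's description; the frames are a simplified,
# assumed layout rather than a copy of the figure.
DUMP = {
    0xbfffa5b8: 0xbfffa5d8,  # saved EBP of process's frame -> base of main's frame
    0xbfffa5bc: 0x08048996,  # return address into main (user code: 0804...)
    0xbfffa5c0: 0x00000005, 0xbfffa5c4: 0x0000000a, 0xbfffa5c8: 0x0000000f,  # a[0..2]
    0xbfffa5cc: 0xbfffa5c0, 0xbfffa5d0: 0x08048857,  # stack-then-code words that are NOT a boundary
    0xbfffa5d8: 0x00000000,  # saved EBP of main's frame: end of the chain
    0xbfffa5dc: 0x00c4279a,  # return address into the OS code that called main
    0xbfffa5e0: 0x00000004,  # argc
    0xbfffa5e4: 0xbfffa664,  # argv -> null-terminated pointer array
    0xbfffa664: 0xbffff7dd, 0xbfffa668: 0xbffff7e4, 0xbfffa66c: 0xbffff7e6,
    0xbfffa670: 0xbffff7e9, 0xbfffa674: 0x00000000,
}

def load_bytes(dump, base, data):  # store bytes into words little-endian, as the CPU does
    for i in range(0, len(data), 4):
        dump[base + i] = struct.unpack("<I", data[i:i + 4].ljust(4, b"\0"))[0]
# "hackme" starts at bffff7dd, so the word at bffff7dc prints as cah^@ (MSB first).
load_bytes(DUMP, 0xbffff7dc, b"\0hackme\0a\0bc\0def\0BIB\0")

def is_stack(v): return 0xbf000000 <= v <= 0xbfffffff  # bf...: stack address
def is_code(v): return v >> 16 == 0x0804                 # 0804...: user code address
def read_byte(addr):  # one byte out of its 4-byte-aligned little-endian word
    return struct.pack("<I", DUMP[addr & ~3])[addr & 3]
def read_cstring(addr):
    out = bytearray()
    while (b := read_byte(addr)) != 0:
        out.append(b); addr += 1
    return out.decode()
def read_ptr_array(addr):  # null-terminated array of string pointers, e.g. argv
    strings = []
    while DUMP[addr] != 0:
        strings.append(read_cstring(DUMP[addr])); addr += 4
    return strings

def boundary_candidates(dump=DUMP):  # words holding a stack address followed by a code address
    return [a for a in sorted(dump) if is_stack(dump[a]) and is_code(dump.get(a + 4, 0))]

def frame_chain(base):  # follow the saved-EBP linked list from the first real frame
    frames = []
    while base in DUMP:
        frames.append((base, DUMP[base + 4])); base = DUMP[base]
    return frames
```

boundary_candidates() reports both bfffa5b8 and bfffa5cc, but frame_chain(0xbfffa5b8) visits only bfffa5b8 and bfffa5d8, which is the sense in which the linked list, not the address pattern alone, decides where frames begin.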
Posted on: Wed, 04 Sep 2013 14:34:43 +0000
