3

My very simple tested program

#include<stdio.h>
#include<stdlib.h>

int main()
{
int a = 12345;
printf("%d\n", a);

system("PAUSE");
return 0;

}

After compiled and connected,the EXE file is created.Then I open the EXE file in the Ollydbg: OllyDbg

The picture shows the main() function.But I can't find out what the address of the variable a is. When passing the params to the printf() function,it push 3039 into the stack, then it means the value of the variable a is 3039? No,the value is 12345. So it means the address of the variable a is 00003039? Anyone

Ari0nhh
  • 5,720
  • 3
  • 28
  • 33
freedomwings
  • 85
  • 10

4 Answers4

3

Address of the a variable is [ebp-8]. You are seeing 0x3039 assignment, because decimal 12345 is hexadecimal 0x3039. If you change your code to use hex value: int a = 0x12345, results would be more clear: IDA results

Numeric constants are usually compiled directly into the code.

Ari0nhh
  • 5,720
  • 3
  • 28
  • 33
0

so you want to know the address of the variable a.

Extremely simple:

insert this statement into your program.

printf( "address of variable 'a' is: %p\n", &a );

How are we to know the address?

We are not sitting at your computer

and it will be different on most every computer.

Use the suggested call to printf() to learn the 'address'

HOWEVER, due to paging, address translation, virtual addressing, etc. That address is NOT the actual physical address within your computers' memory space.

user3629249
  • 16,402
  • 1
  • 16
  • 17
0

local variables like in this case, a, are stored in the stack, so they can be discarded when a function execution is finished, so basically a is simply located at the memory address of the local stack frame.

int a = 12345; // MOV DWORD PTR SS:[EBP-8], 3039
printf("%d\n", a);

in this case, a is located in [EBP-8], if you inspect where it is pointing, you can see the value 3039, stored in there of course after the assignment, 3039 is a hex number, which of course 12345 in base 10.

rcd
  • 112
  • 1
  • 4
0

To get better understanding of this, let's modify the program a little bit and debug it in GDB.

C:\Codes>gdb test -q
Reading symbols from C:\Codes\test.exe...done.
(gdb) set disassembly-flavor intel
(gdb) list
1       #include<stdio.h>
2
3       int main()
4       {
5         int a = 12345;
6         int b = 0x12345;
7         printf("Variable a %d (decimal) or  0x%x (hex), located at %p or 0x%x\n", a,a,&a,&a);
8         printf("Variable b %d (decimal) or 0x%x (hex), located at %p or 0x%x\n", b,b,&b,&b);
9         return 0;
10      }
(gdb)

Standard Output

C:\Codes>test
Variable a 12345 (decimal) or  0x3039 (hex), located at 0022FF4C or 0x22ff4c
Variable b 74565 (decimal) or 0x12345 (hex), located at 0022FF48 or 0x22ff48

As you can see, the virtual memory addresses of variable a and b is actually located at 0x22ff4c and 0x22ff48 respectively.

Let's take a look at this program in GDB.

(gdb) break 7
Breakpoint 1 at 0x40135e: file test.c, line 7.
(gdb) run
Starting program: C:\Codes/test.exe
[New Thread 3680.0xed8]

Breakpoint 1, main () at test.c:7
7         printf("Variable a %d (decimal) or  0x%x (hex), located at %p or 0x%x\n", a,a,&a,&a);
(gdb) disassemble
Dump of assembler code for function main:
   0x00401340 <+0>:     push   ebp
   0x00401341 <+1>:     mov    ebp,esp
   0x00401343 <+3>:     and    esp,0xfffffff0
   0x00401346 <+6>:     sub    esp,0x30
   0x00401349 <+9>:     call   0x401970 <__main>
   0x0040134e <+14>:    mov    DWORD PTR [esp+0x2c],0x3039
   0x00401356 <+22>:    mov    DWORD PTR [esp+0x28],0x12345
=> 0x0040135e <+30>:    mov    edx,DWORD PTR [esp+0x2c]
   0x00401362 <+34>:    mov    eax,DWORD PTR [esp+0x2c]
   0x00401366 <+38>:    lea    ecx,[esp+0x2c]
   0x0040136a <+42>:    mov    DWORD PTR [esp+0x10],ecx
   0x0040136e <+46>:    lea    ecx,[esp+0x2c]
   0x00401372 <+50>:    mov    DWORD PTR [esp+0xc],ecx
   0x00401376 <+54>:    mov    DWORD PTR [esp+0x8],edx
   0x0040137a <+58>:    mov    DWORD PTR [esp+0x4],eax
   0x0040137e <+62>:    mov    DWORD PTR [esp],0x403024
   0x00401385 <+69>:    call   0x401be0 <printf>
   0x0040138a <+74>:    mov    edx,DWORD PTR [esp+0x28]
   0x0040138e <+78>:    mov    eax,DWORD PTR [esp+0x28]
   0x00401392 <+82>:    lea    ecx,[esp+0x28]
   0x00401396 <+86>:    mov    DWORD PTR [esp+0x10],ecx
   0x0040139a <+90>:    lea    ecx,[esp+0x28]
   0x0040139e <+94>:    mov    DWORD PTR [esp+0xc],ecx
   0x004013a2 <+98>:    mov    DWORD PTR [esp+0x8],edx
   0x004013a6 <+102>:   mov    DWORD PTR [esp+0x4],eax
   0x004013aa <+106>:   mov    DWORD PTR [esp],0x403064
   0x004013b1 <+113>:   call   0x401be0 <printf>
   0x004013b6 <+118>:   mov    eax,0x0
   0x004013bb <+123>:   leave
   0x004013bc <+124>:   ret
End of assembler dump.
(gdb)

And focus on this line

   0x0040134e <+14>:    mov    DWORD PTR [esp+0x2c],0x3039
   0x00401356 <+22>:    mov    DWORD PTR [esp+0x28],0x12345

As you can see from the previous output, the virtual memory address of variables a and b is actually located at [esp+0x2c] or 0x22ff4c and [esp+0x28] or 0x22ff48 respectively.

while

0x3039 & 0x12345 are the value of variables a and b in hexadecimal.

To verify the memory address of these variables in GDB, use print command as follows:

(gdb) print &a
$1 = (int *) 0x22ff4c

(gdb) print &b
$2 = (int *) 0x22ff48

Also, you might wonder where the address of 0x22ff4c or 0x22ff48 come from.

To understand this, let's check the value of current ESP register

(gdb) info registers esp
esp            0x22ff20 0x22ff20

Then, replace the actual ESP value

[esp+0x2c] = [0x22ff20 + 0x2c] = 0x22ff4c
[esp+0x28] = [0x22ff20 + 0x28] = 0x22ff48
Charlotte Russell
  • 1,355
  • 1
  • 13
  • 16