
I'm now taking the coursera course and I have a question about one of the readings.

Link: http://insecure.org/stf/smashstack.html

0x8000490 <main>:       pushl  %ebp
0x8000491 <main+1>:     movl   %esp,%ebp
0x8000493 <main+3>:     subl   $0x4,%esp
0x8000496 <main+6>:     movl   $0x0,0xfffffffc(%ebp)
0x800049d <main+13>:    pushl  $0x3
0x800049f <main+15>:    pushl  $0x2
0x80004a1 <main+17>:    pushl  $0x1
0x80004a3 <main+19>:    call   0x8000470 <function>
0x80004a8 <main+24>:    addl   $0xc,%esp
0x80004ab <main+27>:    movl   $0x1,0xfffffffc(%ebp)
0x80004b2 <main+34>:    movl   0xfffffffc(%ebp),%eax
0x80004b5 <main+37>:    pushl  %eax
0x80004b6 <main+38>:    pushl  $0x80004f8
0x80004bb <main+43>:    call   0x8000378 <printf>
0x80004c0 <main+48>:    addl   $0x8,%esp
0x80004c3 <main+51>:    movl   %ebp,%esp
0x80004c5 <main+53>:    popl   %ebp
0x80004c6 <main+54>:    ret
0x80004c7 <main+55>:    nop

We can see that when calling function() the RET will be 0x8004a8, and we want to jump past the assignment at 0x80004ab. The next instruction we want to execute is the one at 0x8004b2. A little math tells us the distance is 8 bytes.

As it says, what we need to do is to assign RET with the value 0x8004b2. Obviously, the distance would be 10, because 0x8004b2 minus 0x8004a8 equals 10.

How could it be 8 bytes? Where am I wrong?

  • @PeterCordes : don't see how that applies here. 8 seems plain wrong. The add afterwards is 3 bytes, the next mov is 7 bytes. Seems like a difference of 10 decimal if you want to skip by the add and first mov to land on the second mov – Michael Petch Dec 19 '17 at 03:19
  • @Michael Petch So I'm correct about this issue? – boyang zhang Dec 19 '17 at 03:33
  • From my perspective if the intent is to jump to the second mov then what you say seems correct to me. Maybe I am missing something obvious. 8 bytes makes little sense to me personally. – Michael Petch Dec 19 '17 at 03:35
  • Maybe I am misunderstanding what they intended here. Did they want to replace the Add instruction with a JMP instruction, or did they intend to modify the return address of the call to return to the beginning of the second move? I assume this was about altering the return address. – Michael Petch Dec 19 '17 at 03:42
  • @Michael Petch here is the source code: void main() { int x; x = 0; function(1,2,3); x = 1; printf("%d\n",x); } – boyang zhang Dec 19 '17 at 03:45
  • @Michael Petch: it intends to skip by the assignment to x and reach the next printf directly – boyang zhang Dec 19 '17 at 03:47
  • My belief is that the article is just wrong and it should be 10. – Michael Petch Dec 19 '17 at 03:51
  • @Michael Petch thx for your time. – boyang zhang Dec 19 '17 at 03:56
  • While 10 (0xA) seems to be correct, it would skip the adjustment of the stack pointer after the call, which, to me, seems like a dangerous thing to do. – Rudy Velthuis Dec 19 '17 at 17:18
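To check the arithmetic the question and the comments argue about, here is an added Python example; it is not from the question, the article or the course. It parses the gdb listing quoted above, derives each instruction's length from the gap between consecutive addresses, and for a given saved return address and target reports the byte offset and the instructions that would be skipped. It also shows why 8 cannot be right: 0x80004a8 + 8 = 0x80004b0 falls inside the 7-byte movl at 0x80004ab rather than on an instruction boundary, and the 10-byte offset skips the addl $0xc,%esp stack adjustment as well as the assignment. The addresses come from the listing; the helper names (parse_listing, return_offset, instruction_at, containing_instruction) are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the gdb disassembly of main() quoted in the question.
LISTING = """\
0x8000490 <main>:       pushl  %ebp
0x8000491 <main+1>:     movl   %esp,%ebp
0x8000493 <main+3>:     subl   $0x4,%esp
0x8000496 <main+6>:     movl   $0x0,0xfffffffc(%ebp)
0x800049d <main+13>:    pushl  $0x3
0x800049f <main+15>:    pushl  $0x2
0x80004a1 <main+17>:    pushl  $0x1
0x80004a3 <main+19>:    call   0x8000470 <function>
0x80004a8 <main+24>:    addl   $0xc,%esp
0x80004ab <main+27>:    movl   $0x1,0xfffffffc(%ebp)
0x80004b2 <main+34>:    movl   0xfffffffc(%ebp),%eax
0x80004b5 <main+37>:    pushl  %eax
0x80004b6 <main+38>:    pushl  $0x80004f8
0x80004bb <main+43>:    call   0x8000378 <printf>
0x80004c0 <main+48>:    addl   $0x8,%esp
0x80004c3 <main+51>:    movl   %ebp,%esp
0x80004c5 <main+53>:    popl   %ebp
0x80004c6 <main+54>:    ret
0x80004c7 <main+55>:    nop
"""

# address, <symbol+off>:, mnemonic, optional operands
LINE_RE = re.compile(r"^(0x[0-9a-f]+)\s+<[^>]+>:\s+(\S+)(?:\s+(.*))?$")


@dataclass
class Insn:
    addr: int
    mnemonic: str
    operands: str
    size: int  # derived from the next line's address, not from decoding bytes


def parse_listing(text: str) -> List[Insn]:
    """Turn a gdb-style listing into instructions with sizes inferred from address gaps."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1), 16), m.group(2), m.group(3) or ""))
    insns = []
    for i, (addr, mnemonic, operands) in enumerate(rows):
        if i + 1 < len(rows):
            size = rows[i + 1][0] - addr
        else:
            size = 1  # last line: no successor address; assumed 1 byte (the trailing nop)
        insns.append(Insn(addr, mnemonic, operands, size))
    return insns


def instruction_at(insns: List[Insn], addr: int) -> Optional[Insn]:
    """The instruction that starts exactly at addr, or None if addr is not a decode boundary."""
    return next((i for i in insns if i.addr == addr), None)


def containing_instruction(insns: List[Insn], addr: int) -> Optional[Insn]:
    """The instruction whose bytes cover addr (useful when addr is mid-instruction)."""
    return next((i for i in insns if i.addr <= addr < i.addr + i.size), None)


def return_offset(insns: List[Insn], ret_addr: int, target_addr: int) -> Tuple[int, List[str]]:
    """Bytes to add to the saved return address to resume at target_addr,
    and the instructions that execution would skip as a result."""
    offset = target_addr - ret_addr
    skipped = [f"{i.mnemonic} {i.operands}".strip()
               for i in insns if ret_addr <= i.addr < target_addr]
    return offset, skipped


if __name__ == "__main__":
    insns = parse_listing(LISTING)
    ret, target = 0x80004A8, 0x80004B2
    off, skipped = return_offset(insns, ret, target)
    print(f"offset {ret:#x} -> {target:#x}: {off} bytes, skipping {skipped}")
    for delta in (8, 10):
        hit = instruction_at(insns, ret + delta)
        inside = containing_instruction(insns, ret + delta)
        print(f"+{delta}: {'boundary' if hit else 'mid-instruction'} "
              f"(inside {inside.mnemonic} at {inside.addr:#x}, {inside.size} bytes)")
```

Running it prints that the offset is 10 and that +8 lands two bytes into the movl at 0x80004ab; note that the skipped list contains the addl that rebalances %esp after the call, which is the caveat raised in the last comment.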

0 Answers