I am reading Smashing The Stack For Fun And Profit.
When the author uses x86 assembly codes to illustrate the execve() behavior, he says:
0x80002bc <__execve>: pushl %ebp
0x80002bd <__execve+1>: movl %esp,%ebp
0x80002bf <__execve+3>: pushl %ebx
The procedure prelude.
0x80002c0 <__execve+4>: movl $0xb,%eax
Copy 0xb (11 decimal) onto the stack. This is the index into the
syscall table. 11 is execve.
0x80002c5 <__execve+9>: movl 0x8(%ebp),%ebx
Copy the address of "/bin/sh" into EBX.
0x80002c8 <__execve+12>: movl 0xc(%ebp),%ecx
Copy the address of name[] into ECX.
0x80002cb <__execve+15>: movl 0x10(%ebp),%edx
Copy the address of the null pointer into %edx.
0x80002ce <__execve+18>: int $0x80
Change into kernel mode.
------------------------------------------------------------------------------
So as we can see there is not much to the execve() system call. All we need
to do is:
a) Have the null terminated string "/bin/sh" somewhere in memory.
b) Have the address of the string "/bin/sh" somewhere in memory
followed by a null long word.
c) Copy 0xb into the EAX register.
d) Copy the address of the address of the string "/bin/sh" into the
EBX register.
e) Copy the address of the string "/bin/sh" into the ECX register.
f) Copy the address of the null long word into the EDX register.
g) Execute the int $0x80 instruction.
He says, copy the address of the address of the string into EBX register and copy the address of the string into ECX register.
However, the assembly codes movl 0x8(%ebp),%ebx and movl 0xc(%ebp),%ecx suggest that the address of the string is copied to EBX and the address of the address is copied to ECX. This seems to be the opposite of the authors' summary.
Is there anything I understand wrongly?
