1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

question about i686 architecture

Discussion in 'Ethical hacking' started by jacksmash, Feb 24, 2010.

  1. jacksmash

    jacksmash New Member

    Feb 22, 2010
    Likes Received:
    Trophy Points:

    I'm hoping someone can help me with this.

    The command `uname -r` gives the following output on my machine:

    Linux ***-ubuntu 2.6.31-14-generic #48-Ubuntu SMP Fri Oct 16 14:04:26 UTC 2009 i686 GNU/Linux
    (Note: I am running Ubuntu 9.04 on VirtualBox)

    Here is some code that I am trying to run:

    #include <stdio.h>
    void function(int a, int b, int c) {
      char buffer1[5];
      char buffer2[10];
      int *ret;
      ret = (int *)buffer1 + 16;
      (*ret) += 7; // have checked to make sure we need 7 bytes to skip x=1;
    void main() {
      int x;
      x = 0;
      x = 1;
    The goal of the above code is to skip the instruction `x = 1;`, and so the output of the printf statement should be "0".

    However, in order to do that I need to know precisely how much to increment the return pointer in "function". This is where I'm a bit stuck.

    I have been reading an article that has been somewhat helpful on ethicalhacker, it has helped me to understand that the `(*ret) += 7;` statement is likely correct.

    Here is an assembly dump of the main function:

    (gdb) disassemble main
    Dump of assembler code for function main:
    0x08048404 <main+0>:	push   %ebp
    0x08048405 <main+1>:	mov    %esp,%ebp
    0x08048407 <main+3>:	sub    $0x10,%esp
    0x0804840a <main+6>:	movl   $0x0,-0x4(%ebp)
    0x08048411 <main+13>:	movl   $0x3,0x8(%esp)
    0x08048419 <main+21>:	movl   $0x2,0x4(%esp)
    0x08048421 <main+29>:	movl   $0x1,(%esp)
    0x08048428 <main+36>:	call   0x80483e4 <function>
    [B]0x0804842d <main+41>:	movl   $0x1,-0x4(%ebp)[/B] <-- [I]the instruction to skip[/I]
    0x08048434 <main+48>:	mov    $0x8048510,%eax
    0x08048439 <main+53>:	mov    -0x4(%ebp),%edx
    0x0804843c <main+56>:	mov    %edx,0x4(%esp)
    0x08048440 <main+60>:	mov    %eax,(%esp)
    0x08048443 <main+63>:	call   0x804831c <printf@plt>
    0x08048448 <main+68>:	leave  
    0x08048449 <main+69>:	ret    
    End of assembler dump.
    Since we want to skip the statement at 0x0804842d and get to 0x08048434, we can calculate the difference to by 7 bytes easily enough. Hence, that's why I know it's correct to increment the ret pointer by 7.

    What I can't figure out for the life of me is how many bytes have been allocated on the stack.

    The memory layout should be like this:

    bottom of                                                                                    top of
    memory                                                                                       memory
                                  buffer2     buffer1     sfp     ret 
    <------                    [            ][           ][     ][     ]
    top of                                                                                        bottom of
    stack                                                                                         stack
    My best guess is from this line:

    0x08048407 <main+3>:	sub    $0x10,%esp
    ... which suggests 16 bytes have been allocated, hence: `ret = (int *)buffer1 + 16;`

    But, compiling and executing the program does not result in skipping the x=1 command.

    So, I'm not asking anyone to tell me what the answer is (believe it or not). in terms of what the right number is. Rather, I'm hoping that someone can point me in the right direction so I can understand the stack layout on the machine.

    Hope this makes sense. Thanks for any advice!!

Share This Page