Stack Usage. with MS Visual Studio 2005. Without Stack Protection. Before call to DoIt. Registers EAX = 00000001 EBX = 00000000 ECX = 781425FB EDX = 781C3C58 ESI = 78142560 EDI = 781775FC EIP = 004010EE ESP = 0013FF40 EBP = 0013FFC0 EFL = 00000296. Stack before call to DoIt.

Stack usage

Stack Usage

with MS Visual Studio 2005



Before call to doit
Before call to DoIt

  • Registers

    • EAX = 00000001

    • EBX = 00000000

    • ECX = 781425FB

    • EDX = 781C3C58

    • ESI = 78142560

    • EDI = 781775FC

    • EIP = 004010EE

    • ESP = 0013FF40

    • EBP = 0013FFC0

    • EFL = 00000296


Stack before call to doit
Stack before call to DoIt

ESP

0013FF40

local variables

argc

argv

EBP

0013FFC0


Calling doit
Calling DoIt

DoIt(szBuffer, iLength, iSize, iWhat,iWhere,iHow);

; Call site in _tmain (the build the deck labels "Without Stack Protection").
; Non-standard convention: four arguments travel in registers and two on the
; stack. The register roles are read off DoIt's body later in the deck
; (esi = iLength, edx = iSize, ecx = iWhat, ebx = szBuffer) -- confirm.
004010EE mov eax,dword ptr [esp+18h]     ; first stack-passed arg (pushed first, so it lands at the higher address in DoIt's frame)

004010F2 mov ecx,dword ptr [esp+1Ch]     ; second stack-passed arg

004010F6 mov edx,dword ptr [esp+24h]     ; edx = iSize

004010FA mov esi,dword ptr [esp+28h]     ; esi = iLength

004010FE push eax

004010FF push ecx

00401100 mov ecx,dword ptr [esp+28h]     ; esp is 8 lower after the two pushes, so this is the frame's [esp+20h]; ecx = iWhat

00401104 lea ebx,[esp+34h]               ; ebx = &szBuffer: a stack array in _tmain's own frame, passed by address rather than copied

00401108 call DoIt (401000h)

0040110D add esp,14h                     ; caller cleans up: 8 bytes are the two stack args; the remaining 12 presumably release part of _tmain's frame (its prologue is not shown here)

00401110 pop edi

00401111 pop esi


Registers before calling doit
Registers before calling DoIt

  • EAX = 00000005

  • EBX = 0013FF6C

  • ECX = 00000003

  • EDX = 00000002

  • ESI = 00000001

  • EDI = 781775FC

  • EIP = 00401108

  • ESP = 0013FF38

  • EBP = 0013FFC0

  • EFL = 00000296


Stack after call to doit
Stack after call to DoIt

Return address

Two variables pushed on stack


Doit deassembled
DoIt Disassembled

void DoIt( char * szBuffer, int iLength, int iSize, int iWhat, int iWhere, int iHow) {

; DoIt entry. No cookie is set up in this function (it has no stack locals of
; its own). Register roles, read off the uses below: ebx = szBuffer,
; esi = iLength, edx = iSize, ecx = iWhat; iWhere and iHow were pushed by the
; caller and are read from [esp+...] just before the printf call.
00401000 push ebp                        ; ebp is callee-saved but used as scratch in the loop below, so save it

iSize = iSize + iLength;

00401001 add edx,esi                     ; edx = iSize + iLength

00401003 xor eax,eax                     ; eax = running i*iLength product, starts at 0

00401005 push edi                        ; edi becomes the loop counter; preserve the caller's value

00401006 lea edi,[eax+0Fh]               ; edi = 15 (eax is 0 here): iteration count; lea sets it without touching flags

00401009 lea esp,[esp]                   ; 7-byte no-op padding so the loop head at 00401010 sits on a 16-byte boundary


Doit deassembled1
DoIt Disassembled

for(int i=0; i<15; i++) {

iSize += i*iLength*iWhat++;

; Loop body. i*iLength is strength-reduced: eax carries it and is bumped by
; iLength (esi) each pass instead of being recomputed with a multiply; the
; loop variable i itself never exists as a register.
00401010 mov ebp,eax                     ; ebp = i*iLength

00401012 imul ebp,ecx                    ; ebp = i*iLength*iWhat

00401015 add edx,ebp                     ; iSize += ebp

00401017 add ecx,1                       ; iWhat++ (post-increment; the old value was already used above)

0040101A add eax,esi                     ; eax = (i+1)*iLength for the next pass

0040101C sub edi,1                       ; 15 passes, counting down

0040101F jne DoIt+10h (401010h)

}


Doit deassembled2
DoIt Disassembled

char * myChar = szBuffer;

while(*myChar) {

00401021 cmp byte ptr [ebx],0           ; test the first byte of szBuffer

00401024 pop edi                         ; callee-saved registers are restored early, interleaved with the test (pop and mov leave flags intact)

00401025 mov eax,ebx                     ; eax = myChar = szBuffer

00401027 pop ebp

00401028 je DoIt+3Bh (40103Bh)          ; empty string: skip straight to the printf block

0040102A lea ebx,[szBuffer]              ; 6 bytes with no useful effect (the debugger labels the operand szBuffer because ebx already holds it); presumably padding so the loop head at 00401030 is 16-byte aligned -- confirm against the raw bytes

*(myChar++)+=0x01;

00401030 add byte ptr [eax],1            ; increment the byte in place

00401033 add eax,1                       ; myChar++

00401036 cmp byte ptr [eax],0

00401039 jne DoIt+30h (401030h)          ; NOTE: the only exit is a NUL byte; iLength/iSize are never consulted, so a
                                         ; buffer that is not NUL-terminated within its bounds is written past its end

}


Doit deassembled3
DoIt Disassembled

printf("Doit called with %i, %i, %i, %s, %i, %i \n",iLength, iSize, iWhat, szBuffer, iWhere, iHow);

; Argument setup for printf (cdecl: pushed right to left, caller pops).
; edi and ebp were already popped above, so esp points at DoIt's return
; address and the two stack-passed arguments sit at [esp+4] and [esp+8].
0040103B mov eax,dword ptr [esp+8]      ; iHow (the arg the caller pushed first, i.e. the higher slot)

0040103F push eax

00401040 mov eax,dword ptr [esp+8]      ; same displacement, but esp moved down 4: this is the former [esp+4], iWhere

00401044 push eax

00401045 push ebx                        ; szBuffer, consumed by %s after the in-place increments above

00401046 push ecx                        ; iWhat (after the 15 increments)

00401047 push edx                        ; iSize (updated)

00401048 push esi                        ; iLength

00401049 push offset string "Doit called with %i, %i, %i, %s"... (4020F4h)   ; address of the format literal

0040104E call dword ptr [__imp__printf (4020A4h)]   ; indirect call through the import address table entry for printf

00401054 add esp,1Ch                     ; 7 dwords pushed = 28 bytes

}

00401057 ret                             ; plain ret: the two stack args stay in place for the caller to pop (its add esp,14h after the call)



Prologue
Prologue

  • Prologue

    • Create security cookie

    • Push ebx and esi

int _tmain(int argc, _TCHAR* argv[])

{

; /GS prologue. The cookie slot is [esp+20h] of a 24h-byte allocation, i.e.
; the dword directly below the return address, so an overrun of the locals
; beneath it corrupts the cookie before it can reach the return address.
00401060 sub esp,24h                     ; 36 bytes of locals

00401063 mov eax,dword ptr [___security_cookie (403000h)]   ; per-process cookie initialised by the CRT at startup

00401068 xor eax,esp                     ; mix in esp so the stored value differs per frame; the epilogue must XOR with the same esp to recover it

0040106A mov dword ptr[esp+20h],eax      ; store the guard at the top of the frame

0040106E push ebx                        ; callee-saved registers are saved below the locals and the cookie

0040106F push esi



Stack before calling doit1
Stack Before Calling DoIt

esp

0013FF3C

Local variables on stack.

Notice the sparse layout

ebp

0013FFC0


Preparation for calling doit
Preparation for calling DoIt

DoIt(szBuffer, iLength, iSize, iWhat,iWhere,iHow);

; Call site in the /GS build. Same register convention as before
; (esi = iLength, edx = iSize, ecx = iWhat, ebx = szBuffer, two args on the
; stack); only the frame offsets and addresses differ from the earlier build
; because of the cookie setup in the prologue.
004010F9 mov eax,dword ptr [esp+28h]     ; first stack-passed arg (pushed first)

004010FD mov ecx,dword ptr [esp+20h]     ; second stack-passed arg

00401101 mov edx,dword ptr [esp+1Ch]     ; edx = iSize

00401105 mov esi,dword ptr [esp+24h]     ; esi = iLength

00401109 push eax

0040110A push ecx

0040110B mov ecx,dword ptr [esp+20h]     ; esp is 8 lower after the pushes, so this reads the frame's [esp+18h]; ecx = iWhat

0040110F lea ebx,[esp+34h]               ; ebx = &szBuffer (the register slide shows ebx = 0013FF68, "address of string"); by the offsets shown this array starts below the cookie slot

00401113 call DoIt (401000h)


Stack after call to doit1
Stack after call to DoIt

esp

0013FF30

Return Address

Two variables passed on stack

ebp

0013FFC0


Register contents
Register contents

  • Registers used to pass the remaining arguments

    • EAX = 00000008

    • EBX = 0013FF68 (address of string)

    • ECX = 00000006

    • EDX = 00000005

    • ESI = 00000004

    • EDI = 781775FC

    • EIP = 00401000

    • ESP = 0013FF30

    • EBP = 0013FFC0

    • EFL = 00000296


Call of doit
Call of DoIt

void DoIt( char * szBuffer, int iLength, int iSize, int iWhat, int iWhere, int iHow) {

; DoIt entry in the /GS build. The code is identical to the earlier listing:
; DoIt has no stack locals, so /GS adds no cookie here. Register roles, read
; off the uses below: ebx = szBuffer, esi = iLength, edx = iSize, ecx = iWhat;
; iWhere/iHow arrive on the stack.
00401000 push ebp                        ; ebp is used as scratch in the loop, so preserve it

iSize = iSize + iLength;

00401001 add edx,esi                     ; edx = iSize + iLength

00401003 xor eax,eax                     ; eax = running i*iLength product, starts at 0

00401005 push edi                        ; edi becomes the loop counter; preserve the caller's value

00401006 lea edi,[eax+0Fh]               ; edi = 15 (eax is 0): iteration count, set without touching flags

00401009 lea esp,[esp]                   ; 7-byte no-op padding so the loop head at 00401010 is 16-byte aligned


Call of doit cont
Call of DoIt (cont.)

for(int i=0; i<15; i++) {

iSize += i*iLength*iWhat++;

; Loop body: i*iLength lives in eax and is advanced by iLength each pass
; (strength reduction), so i itself is never materialised.
00401010 mov ebp,eax                     ; ebp = i*iLength

00401012 imul ebp,ecx                    ; ebp = i*iLength*iWhat

00401015 add edx,ebp                     ; iSize += ebp

00401017 add ecx,1                       ; iWhat++

0040101A add eax,esi                     ; eax = (i+1)*iLength

0040101C sub edi,1                       ; count down from 15

0040101F jne DoIt+10h (401010h)

}


Call of doit cont1
Call of DoIt (cont.)

char * myChar = szBuffer;

while(*myChar) {

00401021 cmp byte ptr [ebx],0           ; test the first byte of szBuffer

00401024 pop edi                         ; callee-saved registers restored early; pop does not disturb the flags from cmp

00401025 mov eax,ebx                     ; eax = myChar = szBuffer

00401027 pop ebp

00401028 je DoIt+3Bh (40103Bh)          ; empty string: go straight to the printf block

0040102A lea ebx,[szBuffer]              ; 6 bytes with no useful effect (ebx already holds szBuffer, which is why the debugger labels it so); presumably alignment padding for the loop head at 00401030 -- confirm


Call of doit cont2
Call of DoIt (cont.)

*(myChar++)+=0x01;

; Loop body: walks szBuffer, incrementing each byte until a NUL is found.
00401030 add byte ptr [eax],1            ; increment the byte in place

00401033 add eax,1                       ; myChar++

00401036 cmp byte ptr [eax],0

00401039 jne DoIt+30h (401030h)          ; NOTE: terminates on a NUL byte only; iLength/iSize are never used as a bound,
                                         ; so a buffer without a NUL inside its bounds is written past its end

}


Call of doit cont3
Call of DoIt (cont.)

*(myChar++)+=0x01;

; Same loop body as the previous slide (the deck repeats it): increment each
; byte of szBuffer in place until the terminating NUL.
00401030 add byte ptr [eax],1            ; increment the byte in place

00401033 add eax,1                       ; myChar++

00401036 cmp byte ptr [eax],0

00401039 jne DoIt+30h (401030h)          ; the NUL terminator is the only bound; the length arguments play no part here

}


Call of doit cont4
Call of DoIt (cont.)

printf("Doit called with %i, %i, %i, %s, %i, %i \n",iLength, iSize, iWhat, szBuffer, iWhere, iHow);

; printf argument setup (cdecl, right to left). With edi/ebp already popped,
; esp points at DoIt's return address and the two stack-passed arguments are
; at [esp+4] and [esp+8]. Identical to the earlier listing apart from the
; address of the string literal.
0040103B mov eax,dword ptr [esp+8]      ; iHow (pushed first by the caller, so the higher slot)

0040103F push eax

00401040 mov eax,dword ptr [esp+8]      ; esp moved down 4, so this is the former [esp+4]: iWhere

00401044 push eax

00401045 push ebx                        ; szBuffer for %s, after the in-place increments

00401046 push ecx                        ; iWhat (after 15 increments)

00401047 push edx                        ; iSize (updated)

00401048 push esi                        ; iLength

00401049 push offset string "Doit called with %i, %i, %i, %s"... (402104h)   ; format literal

0040104E call dword ptr [__imp__printf (4020A4h)]   ; indirect call through the import address table

00401054 add esp,1Ch                     ; 7 dwords = 28 bytes popped by the caller

}

00401057 ret                             ; stack args are left for _tmain to pop (its add esp,14h after the call)


Tmain epilogue
_tmain epilogue

return 0;

}

; /GS epilogue, directly after the call to DoIt at 00401113 (DoIt's two stack
; args are still on the stack at this point). The cookie is checked before
; ret, so a clobbered guard is detected before a corrupted return address is
; ever used.
00401118 mov ecx,dword ptr [esp+48h]    ; ecx = stored cookie; by the epilogue arithmetic this slot is the dword just below the return address

0040111C add esp,14h                     ; pop DoIt's two stack args (8 bytes) plus 12 bytes of this frame

0040111F pop edi                         ; NOTE(review): the prologue slide shows only push ebx/push esi and sub esp,24h, yet this tears down edi and 2Ch bytes -- that excerpt is evidently incomplete

00401120 pop esi

00401121 pop ebx

00401122 xor ecx,esp                     ; undo the prologue's XOR; only yields the cookie if esp equals the value used in the prologue

00401124 xor eax,eax                     ; return value 0; relies on __security_check_cookie leaving eax untouched

00401126 call __security_check_cookie (40112Fh)   ; compares ecx with ___security_cookie; a mismatch terminates the process (MSVC /GS)

0040112B add esp,2Ch                     ; release the remaining locals

0040112E ret