// Titolo: dati per la creazione del tutorial "Stack in azione" Pag.02
// Autore: Saio
// Data: Marzo 2005
// Tools: Linux mandrake 8.2 su Pentium 166mmx con 128MB di ram (acquistato nel 1997)
//

// modifica del ret a partire da buffer1
/////////////////////////////////////////
void function(int a, int b, int c) {
 char buffer1[5];
 char buffer2[10];
 int *k;

 printf("buffer1= %p\n",buffer1);
 printf("buffer2= %p\n",buffer2);
 k=buffer1+28;
 *k=0x8048255;
}

void main(){
 int x;

 x=0;
 function (1,2,3);
 x=1;
 printf("\n%d\n\n",x);
}
////////////////////////////////////////

[root@localhost phrack-49]# gcc -static example3-saio.c -o example3-saio
[root@localhost phrack-49]# gdb example3-saio
GNU gdb 5.1.1
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-mandrake-linux"...
(gdb) disassemble main
Dump of assembler code for function main:
0x8048230 <main>:       push   %ebp
0x8048231 <main+1>:     mov    %esp,%ebp
0x8048233 <main+3>:     sub    $0x8,%esp
0x8048236 <main+6>:     movl   $0x0,0xfffffffc(%ebp)
0x804823d <main+13>:    sub    $0x4,%esp
0x8048240 <main+16>:    push   $0x3
0x8048242 <main+18>:    push   $0x2
0x8048244 <main+20>:    push   $0x1
0x8048246 <main+22>:    call   0x80481e0 <function>
0x804824b <main+27>:    add    $0x10,%esp
0x804824e <main+30>:    movl   $0x1,0xfffffffc(%ebp)
0x8048255 <main+37>:    sub    $0x8,%esp
0x8048258 <main+40>:    pushl  0xfffffffc(%ebp)
0x804825b <main+43>:    push   $0x80921a2
0x8048260 <main+48>:    call   0x8048720 <printf>
0x8048265 <main+53>:    add    $0x10,%esp
0x8048268 <main+56>:    mov    %ebp,%esp
0x804826a <main+58>:    pop    %ebp
0x804826b <main+59>:    ret
0x804826c <main+60>:    lea    0x0(%esi,1),%esi
End of assembler dump.
(gdb) disassemble function
Dump of assembler code for function function:
0x80481e0 <function>:   push   %ebp
0x80481e1 <function+1>: mov    %esp,%ebp
0x80481e3 <function+3>: sub    $0x38,%esp
0x80481e6 <function+6>: sub    $0x8,%esp
0x80481e9 <function+9>: lea    0xffffffe8(%ebp),%eax
0x80481ec <function+12>:        push   %eax
0x80481ed <function+13>:        push   $0x8092188
0x80481f2 <function+18>:        call   0x8048720 <printf>
0x80481f7 <function+23>:        add    $0x10,%esp
0x80481fa <function+26>:        sub    $0x8,%esp
0x80481fd <function+29>:        lea    0xffffffd8(%ebp),%eax
0x8048200 <function+32>:        push   %eax
0x8048201 <function+33>:        push   $0x8092195
0x8048206 <function+38>:        call   0x8048720 <printf>
0x804820b <function+43>:        add    $0x10,%esp
0x804820e <function+46>:        lea    0xffffffe8(%ebp),%eax
0x8048211 <function+49>:        add    $0x1c,%eax
0x8048214 <function+52>:        mov    %eax,0xffffffd4(%ebp)
0x8048217 <function+55>:        mov    0xffffffd4(%ebp),%eax
0x804821a <function+58>:        movl   $0x8048255,(%eax)
0x8048220 <function+64>:        mov    %ebp,%esp
0x8048222 <function+66>:        pop    %ebp
---Type <return> to continue, or q <return> to quit---
0x8048223 <function+67>:        ret
0x8048224 <function+68>:        lea    0x0(%esi),%esi
0x804822a <function+74>:        lea    0x0(%edi),%edi
End of assembler dump.
(gdb) break *0x80481e1
Breakpoint 1 at 0x80481e1
(gdb) break *0x80481e3
Breakpoint 2 at 0x80481e3
(gdb) break *0x80481e6
Breakpoint 3 at 0x80481e6
(gdb) run
Starting program: /home/saio/Desktop/buffer/phrack-49/example3-saio

Breakpoint 1, 0x080481e1 in function ()
(gdb) info registers
eax            0xbffff9ec       -1073743380
ecx            0x80480b4        134512820
edx            0x80a7c08        134904840
ebx            0x8092160        134816096
esp            0xbffff958       0xbffff958
ebp            0xbffff978       0xbffff978
esi            0xbffff9e4       -1073743388
edi            0x1      1
eip            0x80481e1        0x80481e1
eflags         0x296    662
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
---Type <return> to continue, or q <return> to quit---
fop            0x0      0
xmm0           0xffffffffffffffffffffffffffffffff
xmm1           0xffffffffffffffffffffffffffffffff
xmm2           0xffffffffffffffffffffffffffffffff
xmm3           0xffffffffffffffffffffffffffffffff
xmm4           0xffffffffffffffffffffffffffffffff
xmm5           0xffffffffffffffffffffffffffffffff
xmm6           0xffffffffffffffffffffffffffffffff
xmm7           0xffffffffffffffffffffffffffffffff
mxcsr          0x1f80   8064
(gdb) continue
Continuing.

Breakpoint 2, 0x080481e3 in function ()
(gdb) info registers
eax            0xbffff9ec       -1073743380
ecx            0x80480b4        134512820
edx            0x80a7c08        134904840
ebx            0x8092160        134816096
esp            0xbffff958       0xbffff958
ebp            0xbffff958       0xbffff958
esi            0xbffff9e4       -1073743388
edi            0x1      1
eip            0x80481e3        0x80481e3
eflags         0x296    662
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
---Type <return> to continue, or q <return> to quit---
fop            0x0      0
xmm0           0xffffffffffffffffffffffffffffffff
xmm1           0xffffffffffffffffffffffffffffffff
xmm2           0xffffffffffffffffffffffffffffffff
xmm3           0xffffffffffffffffffffffffffffffff
xmm4           0xffffffffffffffffffffffffffffffff
xmm5           0xffffffffffffffffffffffffffffffff
xmm6           0xffffffffffffffffffffffffffffffff
xmm7           0xffffffffffffffffffffffffffffffff
mxcsr          0x1f80   8064
(gdb) continue
Continuing.

Breakpoint 3, 0x080481e6 in function ()
(gdb) info registers
eax            0xbffff9ec       -1073743380
ecx            0x80480b4        134512820
edx            0x80a7c08        134904840
ebx            0x8092160        134816096
esp            0xbffff920       0xbffff920
ebp            0xbffff958       0xbffff958
esi            0xbffff9e4       -1073743388
edi            0x1      1
eip            0x80481e6        0x80481e6
eflags         0x282    642
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
---Type <return> to continue, or q <return> to quit---
fop            0x0      0
xmm0           0xffffffffffffffffffffffffffffffff
xmm1           0xffffffffffffffffffffffffffffffff
xmm2           0xffffffffffffffffffffffffffffffff
xmm3           0xffffffffffffffffffffffffffffffff
xmm4           0xffffffffffffffffffffffffffffffff
xmm5           0xffffffffffffffffffffffffffffffff
xmm6           0xffffffffffffffffffffffffffffffff
xmm7           0xffffffffffffffffffffffffffffffff
mxcsr          0x1f80   8064
(gdb) continue
Continuing.
buffer1= 0xbffff940
buffer2= 0xbffff930

0

(gdb)q

// modifica del ret a partire da buffer2
/////////////////////////////////////////
void function(int a, int b, int c) {
 char buffer1[5];
 char buffer2[10];
 int *k;

 printf("buffer1= %p\n",buffer1);
 printf("buffer2= %p\n",buffer2);
 k=buffer2+44;
 *k=0x8048255;
}

void main(){
 int x;

 x=0;
 function (1,2,3);
 x=1;
 printf("\n%d\n\n",x);
}
////////////////////////////////////////

[root@localhost phrack-49]# gdb example3-saio
(gdb) break *0x80481e3
Breakpoint 1 at 0x80481e3
(gdb) break *0x80481e6
Breakpoint 2 at 0x80481e6
(gdb) break *0x80481e9
Breakpoint 3 at 0x80481e9
(gdb) run
Starting program: /home/saio/Desktop/buffer/phrack-49/example3-saio

Breakpoint 1, 0x080481e3 in function ()
(gdb) continue
Continuing.

Breakpoint 2, 0x080481e6 in function ()
(gdb) continue
Continuing.

Breakpoint 3, 0x080481e9 in function ()
(gdb) continue
Continuing.
buffer1= 0xbffff940
buffer2= 0xbffff930

0

(gdb) continue