[ EliteSecurity @ 16.09.2005. 17:14 ]
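/* "Pazite ovaj source:" -- "Look at this source:" (original post, EliteSecurity forum, 2005) */
#include <stdio.h>
#include <stdlib.h>   /* exit(); the original omitted this and relied on an implicit declaration */

/*
 * Classic self-overwrite of the saved return address (the Aleph One /
 * Phrack 49 "smashing the stack" warm-up): change_ret() patches the
 * return address that `call change_ret` pushed, so that when it
 * returns, main() resumes past the printf() instead of at it.
 *
 * Every number below is taken from the gdb dump of *this* build
 * (32-bit x86, gcc, no optimisation, no stack protector) and is valid
 * only for it -- see the caveats at the end of the file.
 *
 * Frame of change_ret() as gcc laid it out (from `disas change_ret`):
 *   ebp+4 : saved return address (0x080483e8 = main+33)
 *   ebp+0 : saved ebp
 *   ebp-4 : ret      (`mov %eax,0xfffffffc(%ebp)`)
 *   ebp-9 : bug[0]   (`lea 0xfffffff7(%ebp),%eax`)
 *
 * Three things were wrong in the original:
 *  1. `ret += 26;` advances the pointer; it does not write through it.
 *     The dump shows it: `lea 0xfffffffc(%ebp),%eax; addl $0x68,(%eax)`
 *     adds 104 (= 26 * sizeof(int)) to the variable `ret` itself, and
 *     the saved return address at ebp+4 is never stored to.  The
 *     function therefore returns normally to main+33.  Fix: `*ret += ...`.
 *  2. `bug + 12` is ebp-9+12 = ebp+3, one byte short of the saved
 *     return address; with this layout the right offset is 13.
 *  3. 26 is the displacement from a different compiler's layout.  Here
 *     the return address is main+33 (0x080483e8) and the printf
 *     sequence (sub/push/call/add, main+33..main+46) is followed by
 *     main+49 (0x080483f8), so the displacement that skips just the
 *     printf is 0x10 = 16.  Adding 26 would land on the nop at main+59,
 *     skipping exit(0) as well and running off the end of main.
 */
void change_ret(void)
{
    char bug[5];
    /* ebp-9 + 13 == ebp+4: the slot that `call change_ret` pushed
     * (this build only; re-derive from `disas` after any change). */
    int *ret = (int *)(bug + 13);

    /* Write THROUGH the pointer (the bug was `ret += 26`, which moved the
     * pointer and left the return address untouched).  16 skips the
     * sub/push/call/add block around printf and resumes at main+49,
     * where the stack is back in balance and the exit(0) call follows.
     * This store is outside `bug` -- undefined behaviour by the C
     * standard; it works only because gcc -O0 compiles it literally. */
    *ret += 16;
}

int main(void)
{
    change_ret();
    /* Skipped when change_ret() succeeds. */
    printf("Ovo radi ili ne radi\n");
    exit(0);
}

/*
 * gdb output posted with the question (kept verbatim; the offsets and
 * the displacement above were derived from it):
 *
 * (gdb) disas main
 * Dump of assembler code for function main:
 * 0x080483c7 <main+0>:    push   %ebp
 * 0x080483c8 <main+1>:    mov    %esp,%ebp
 * 0x080483ca <main+3>:    sub    $0x8,%esp
 * 0x080483cd <main+6>:    and    $0xfffffff0,%esp
 * 0x080483d0 <main+9>:    mov    $0x0,%eax
 * 0x080483d5 <main+14>:   add    $0xf,%eax
 * 0x080483d8 <main+17>:   add    $0xf,%eax
 * 0x080483db <main+20>:   shr    $0x4,%eax
 * 0x080483de <main+23>:   shl    $0x4,%eax
 * 0x080483e1 <main+26>:   sub    %eax,%esp
 * 0x080483e3 <main+28>:   call   0x80483b0 <change_ret>
 * 0x080483e8 <main+33>:   sub    $0xc,%esp
 * 0x080483eb <main+36>:   push   $0x80484a8
 * 0x080483f0 <main+41>:   call   0x80482cc
 * 0x080483f5 <main+46>:   add    $0x10,%esp
 * 0x080483f8 <main+49>:   sub    $0xc,%esp
 * 0x080483fb <main+52>:   push   $0x0
 * 0x080483fd <main+54>:   call   0x80482ec
 * 0x08048402 <main+59>:   nop
 * 0x08048403 <main+60>:   nop
 * End of assembler dump.
 * (gdb) disas change_ret
 * Dump of assembler code for function change_ret:
 * 0x080483b0 <change_ret+0>:    push   %ebp
 * 0x080483b1 <change_ret+1>:    mov    %esp,%ebp
 * 0x080483b3 <change_ret+3>:    sub    $0x10,%esp
 * 0x080483b6 <change_ret+6>:    lea    0xfffffff7(%ebp),%eax
 * 0x080483b9 <change_ret+9>:    add    $0xc,%eax
 * 0x080483bc <change_ret+12>:   mov    %eax,0xfffffffc(%ebp)
 * 0x080483bf <change_ret+15>:   lea    0xfffffffc(%ebp),%eax
 * 0x080483c2 <change_ret+18>:   addl   $0x68,(%eax)
 * 0x080483c5 <change_ret+21>:   leave
 * 0x080483c6 <change_ret+22>:   ret
 * End of assembler dump.
 */

/*
 * Original question: "Zasto nece da skrene tok izvrsavanja programa, kad
 * sam lepo izracunao da ret treba da se pomeri za 26???"
 * ("Why won't it divert the program's control flow, when I correctly
 * worked out that ret should be moved by 26???")
 *
 * Answer: because nothing was ever written to the return address.
 * `ret += 26` is pointer arithmetic on the local variable `ret`
 * (`addl $0x68,(%eax)` with %eax = &ret), so the slot at ebp+4 still
 * holds main+33 when `leave; ret` executes.  On top of that, `bug + 12`
 * is ebp+3 in this layout, not ebp+4, and 26 is not the distance from
 * main+33 to the instruction after the printf block (that is 16).
 *
 * Caveats for anyone reproducing this:
 *  - The offsets are an artefact of this exact gcc/flags/architecture.
 *    -fstack-protector reorders locals (arrays are moved next to the
 *    canary), any -O level may delete or reorder the out-of-bounds store,
 *    and on x86-64 the return address is an 8-byte slot at rbp+8.  Build
 *    with something like `gcc -m32 -O0 -fno-stack-protector` and re-read
 *    `disas` before trusting any constant.
 *  - A direct write to ebp+4 does not touch a stack canary, so
 *    -fstack-protector would not *detect* it; it only changes the layout.
 *    Hardware shadow stacks (e.g. CET), where enabled, would presumably
 *    fault on the mismatched return address -- verify on the target.
 */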