Complete the stack frame given the following assembly code when eip starts at 0x

ID: 3855738 • Letter: C

Question

Complete the stack frame given the following assembly code when eip starts at 0x401A45 and ends at 0x4019B4. Make sure to fill in the stack addresses that are not already complete and any other blank space.

Given: esp = 0x12F00, ebp = 0x12F04 when eip = 0x401A45

Func0:
00401A45  8B 55 0C              mov edx, [ebp+0Ch]
00401A48  52                    push edx
00401A49  8B 45 08              mov eax, [ebp+8]
00401A4C  50                    push eax
00401A4D  E8 4E FF FF FF        call Func1
00401A52  83 C4 10              add esp, 8

Func1:
004019A0  55                    push ebp
004019A1  8B EC                 mov ebp, esp
004019A3  83 EC 08              sub esp, 8
004019A6  C7 45 F8 00 00 00 00  mov [ebp - 8], 0
004019AD  C7 45 FC 00 00 00 00  mov [ebp - 4], 123Fh
004019B4

What is the address of Func1? _______
Show how the assembler calculated the offset for the call to Func1. You do not have to do the math.
Why do we add 8 to esp at address 0x401A52? _________
Why do we subtract 8 at address 0x4019A3? _______
What is the value of ebp when eip = 0x4019B4? _______

Explanation / Answer

#include <stdio.h>

void func(void);

int main (int argc, char** argv) {
    func();

    return 0;
}

/* buf is 5 bytes, but gets() imposes no length limit, so longer input
   overruns the frame (saved ebx/ebp/eip sit right above it, see gdb) */
void func() {
    char buf[5];
    gets(buf);
}
Saved registers:
ebx at 0xffffd1cc, ebp at 0xffffd1d0, eip at 0xffffd1d4
disas func
Dump of assembler code for function func:
0x56555730 <+0>: push %ebp
0x56555731 <+1>: mov %esp,%ebp
0x56555733 <+3>: push %ebx
0x56555734 <+4>: sub $0x8,%esp
0x56555737 <+7>: call 0x5655576e <__x86.get_pc_thunk.ax>
0x5655573c <+12>: add $0x18c4,%eax
=> 0x56555741 <+17>: lea -0x9(%ebp),%edx
0x56555744 <+20>: push %edx
0x56555745 <+21>: mov %eax,%ebx
0x56555747 <+23>: call 0x56555590 <gets@plt>
0x5655574c <+28>: add $0x4,%esp
0x5655574f <+31>: nop
0x56555750 <+32>: mov -0x4(%ebp),%ebx
0x56555753 <+35>: leave
0x56555754 <+36>: ret
End of assembler dump.
#include <stdio.h>
#include <string.h>

/* variant of func() used in the second gdb session: a fixed 4-byte copy
   plus its terminating NUL exactly fills the 5-byte buffer */
void func() {
    char buf[5];
    strcpy(buf, "AAAA");
    printf("%s",buf);
}
(gdb) info frame
Stack level 0, frame at 0xffffd1d8:
eip = 0x56555741 in func (/home/mischa/stuff/test/test.c:35); saved eip = 0x56555779
called by frame at 0xffffd1e0
source language c.
Arglist at 0xffffd1d0, args:
Locals at 0xffffd1d0, Previous frame's sp is 0xffffd1d8
Saved registers:
ebx at 0xffffd1cc, ebp at 0xffffd1d0, eip at 0xffffd1d4
(gdb) disas func
Dump of assembler code for function func:
0x56555730 <+0>: push %ebp
0x56555731 <+1>: mov %esp,%ebp
0x56555733 <+3>: push %ebx
0x56555734 <+4>: sub $0x8,%esp
0x56555737 <+7>: call 0x56555780 <__x86.get_pc_thunk.ax>
0x5655573c <+12>: add $0x18c4,%eax
=> 0x56555741 <+17>: movl $0x41414141,-0x9(%ebp)
0x56555748 <+24>: movb $0x0,-0x5(%ebp)
0x5655574c <+28>: lea -0x9(%ebp),%edx
0x5655574f <+31>: push %edx
0x56555750 <+32>: lea -0x17f0(%eax),%edx
0x56555756 <+38>: push %edx
0x56555757 <+39>: mov %eax,%ebx
0x56555759 <+41>: call 0x565555a0 <printf@plt>
0x5655575e <+46>: add $0x8,%esp
0x56555761 <+49>: nop
0x56555762 <+50>: mov -0x4(%ebp),%ebx
0x56555765 <+53>: leave
0x56555766 <+54>: ret
End of assembler dump.
cmake_minimum_required (VERSION 2.8)

# projectname is the same as the main-executable
project(test C)

# compile with 32 bit (CMake does not treat single quotes as quoting,
# so the flags are given bare; the linker needs -m32 too, see below)
add_definitions(-m32)

# Disable compiler optimization
add_definitions(-O0)

# include debugging information
add_definitions(-g)

# Align items on the stack to 4 bytes. This makes stuff easier.
# See https://stackoverflow.com/questions/1061818/stack-allocation-padding-and-alignment
add_definitions(-mpreferred-stack-boundary=2)

# disable compiler buffer overflow protection (a compiler flag)
add_definitions(-fno-stack-protector)

# -z execstack and -z norelro are linker options, so they belong in the
# link step together with -m32 so the 32-bit objects link correctly
set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -m32 -z execstack -z norelro")

# executable source code
add_executable(test test.c)
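As an added worked example (not part of the original question or answer), the Python below decodes the `E8 rel32` call from the question's listing and replays the push/call/prologue sequence to rebuild the Func1 stack frame. The esp/ebp start values and instruction bytes are taken from the question; the two argument values are not given, so they are kept as labels.

```python
import struct

# Starting state given in the question: esp and ebp when eip = 0x401A45.
ESP0, EBP0 = 0x12F00, 0x12F04

def call_target(insn_addr, insn_bytes):
    """Resolve a near relative CALL (opcode E8 + signed 32-bit rel32).

    The displacement is relative to the address of the *next* instruction,
    i.e. target = insn_addr + 5 + rel32, which is what the assembler solved
    backwards when it emitted the bytes.
    """
    if len(insn_bytes) != 5 or insn_bytes[0] != 0xE8:
        raise ValueError("not a 5-byte E8 rel32 call")
    rel32 = struct.unpack("<i", insn_bytes[1:])[0]   # little-endian, signed
    return (insn_addr + 5 + rel32) & 0xFFFFFFFF

def build_frame(esp=ESP0, ebp=EBP0):
    """Replay the Func0 -> Func1 instructions from the question.

    Returns (stack, ebp): a dict mapping stack address -> content after the
    instruction at 004019AD has executed, and the value of ebp at that point.
    The two arguments are not given numerically, so they stay symbolic.
    """
    stack = {}

    def push(value):
        nonlocal esp
        esp -= 4              # a 32-bit push moves esp down first...
        stack[esp] = value    # ...then stores at the new esp

    push("edx = [ebp+0Ch]  (Func0's second argument)")   # 00401A45 / 00401A48
    push("eax = [ebp+8]    (Func0's first argument)")    # 00401A49 / 00401A4C
    push(0x401A52)            # 00401A4D call: return address = next insn
    push(ebp)                 # 004019A0 push ebp (caller's frame pointer)
    ebp = esp                 # 004019A1 mov ebp, esp
    esp -= 8                  # 004019A3 sub esp, 8: room for two locals
    stack[ebp - 8] = 0x0      # 004019A6 mov [ebp-8], 0
    stack[ebp - 4] = 0x123F   # 004019AD mov [ebp-4], 123Fh
    return stack, ebp

if __name__ == "__main__":
    print("Func1 is at 0x%08X" % call_target(0x401A4D, bytes.fromhex("E84EFFFFFF")))
    frame, ebp = build_frame()
    for addr in sorted(frame, reverse=True):      # high addresses first
        print("0x%05X: %s" % (addr, frame[addr]))
    print("ebp at eip = 0x4019B4: 0x%05X" % ebp)
```

The same layout (arguments, return address, saved ebp, then locals growing downward) is what the gdb `info frame` output in the answer shows for the `gets()` program, which is why an over-long input to a 5-byte buffer reaches the saved registers.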
