Stack Usage with MS Visual Studio 2005, without stack protection. Registers before the call to DoIt: EAX = 00000001 EBX = 00000000 ECX = 781425FB EDX = 781C3C58 ESI = 78142560 EDI = 781775FC EIP = 004010EE ESP = 0013FF40 EBP = 0013FFC0 EFL = 00000296. Stack before the call to DoIt.
E N D
Stack Usage with MS Visual Studio 2005
Before call to DoIt • Registers • EAX = 00000001 • EBX = 00000000 • ECX = 781425FB • EDX = 781C3C58 • ESI = 78142560 • EDI = 781775FC • EIP = 004010EE • ESP = 0013FF40 • EBP = 0013FFC0 • EFL = 00000296
Stack before call to DoIt ESP 0013FF40 local variables argc argv EBP 0013FFC0
Calling DoIt DoIt(szBuffer, iLength, iSize, iWhat,iWhere,iHow); 004010EE mov eax,dword ptr [esp+18h] 004010F2 mov ecx,dword ptr [esp+1Ch] 004010F6 mov edx,dword ptr [esp+24h] 004010FA mov esi,dword ptr [esp+28h] 004010FE push eax 004010FF push ecx 00401100 mov ecx,dword ptr [esp+28h] 00401104 lea ebx,[esp+34h] 00401108 call DoIt (401000h) 0040110D add esp,14h 00401110 pop edi 00401111 pop esi
Registers before calling DoIt • EAX = 00000005 • EBX = 0013FF6C • ECX = 00000003 • EDX = 00000002 • ESI = 00000001 • EDI = 781775FC • EIP = 00401108 • ESP = 0013FF38 • EBP = 0013FFC0 • EFL = 00000296
Stack after the call to DoIt: the return address, then the two variables that were pushed on the stack.
DoIt Disassembled void DoIt( char * szBuffer, int iLength, int iSize, int iWhat, int iWhere, int iHow) { 00401000 push ebp iSize = iSize + iLength; 00401001 add edx,esi 00401003 xor eax,eax 00401005 push edi 00401006 lea edi,[eax+0Fh] 00401009 lea esp,[esp]
DoIt Disassembled for(int i=0; i<15; i++) { iSize += i*iLength*iWhat++; 00401010 mov ebp,eax 00401012 imul ebp,ecx 00401015 add edx,ebp 00401017 add ecx,1 0040101A add eax,esi 0040101C sub edi,1 0040101F jne DoIt+10h (401010h) }
DoIt Disassembled char * myChar = szBuffer; while(*myChar) { 00401021 cmp byte ptr [ebx],0 00401024 pop edi 00401025 mov eax,ebx 00401027 pop ebp 00401028 je DoIt+3Bh (40103Bh) 0040102A lea ebx,[szBuffer] *(myChar++)+=0x01; 00401030 add byte ptr [eax],1 00401033 add eax,1 00401036 cmp byte ptr [eax],0 00401039 jne DoIt+30h (401030h) }
DoIt Disassembled printf("Doit called with %i, %i, %i, %s, %i, %i \n",iLength, iSize, iWhat, szBuffer, iWhere, iHow); 0040103B mov eax,dword ptr [esp+8] 0040103F push eax 00401040 mov eax,dword ptr [esp+8] 00401044 push eax 00401045 push ebx 00401046 push ecx 00401047 push edx 00401048 push esi 00401049 push offset string "Doit called with %i, %i, %i, %s"... (4020F4h) 0040104E call dword ptr [__imp__printf (4020A4h)] 00401054 add esp,1Ch } 00401057 ret
Prologue of _tmain (with stack protection) • Load the security cookie, XOR it with ESP and store it on the stack at [esp+20h] • Push ebx and esi int _tmain(int argc, _TCHAR* argv[]) { 00401060 sub esp,24h 00401063 mov eax,dword ptr [___security_cookie (403000h)] 00401068 xor eax,esp 0040106A mov dword ptr[esp+20h],eax 0040106E push ebx 0040106F push esi
Stack Before Calling DoIt esp ebp
Stack Before Calling DoIt esp 0013FF3C Local variables on stack. Notice the sparse layout ebp 0013FFC0
Preparation for calling DoIt DoIt(szBuffer, iLength, iSize, iWhat,iWhere,iHow); 004010F9 mov eax,dword ptr [esp+28h] 004010FD mov ecx,dword ptr [esp+20h] 00401101 mov edx,dword ptr [esp+1Ch] 00401105 mov esi,dword ptr [esp+24h] 00401109 push eax 0040110A push ecx 0040110B mov ecx,dword ptr [esp+20h] 0040110F lea ebx,[esp+34h] 00401113 call DoIt (401000h)
Stack after the call to DoIt esp 0013FF30 Return address Two variables passed on stack ebp 0013FFC0
Register contents • Registers used to pass the remaining arguments • EAX = 00000008 • EBX = 0013FF68 (address of string) • ECX = 00000006 • EDX = 00000005 • ESI = 00000004 • EDI = 781775FC • EIP = 00401000 • ESP = 0013FF30 • EBP = 0013FFC0 • EFL = 00000296
Call of DoIt void DoIt( char * szBuffer, int iLength, int iSize, int iWhat, int iWhere, int iHow) { 00401000 push ebp iSize = iSize + iLength; 00401001 add edx,esi 00401003 xor eax,eax 00401005 push edi 00401006 lea edi,[eax+0Fh] 00401009 lea esp,[esp]
Call of Doit (cont) for(int i=0; i<15; i++) { iSize += i*iLength*iWhat++; 00401010 mov ebp,eax 00401012 imul ebp,ecx 00401015 add edx,ebp 00401017 add ecx,1 0040101A add eax,esi 0040101C sub edi,1 0040101F jne DoIt+10h (401010h) }
Call of Doit (cont) char * myChar = szBuffer; while(*myChar) { 00401021 cmp byte ptr [ebx],0 00401024 pop edi 00401025 mov eax,ebx 00401027 pop ebp 00401028 je DoIt+3Bh (40103Bh) 0040102A lea ebx,[szBuffer]
Call of Doit (cont) *(myChar++)+=0x01; 00401030 add byte ptr [eax],1 00401033 add eax,1 00401036 cmp byte ptr [eax],0 00401039 jne DoIt+30h (401030h) }
Call of Doit (cont) *(myChar++)+=0x01; 00401030 add byte ptr [eax],1 00401033 add eax,1 00401036 cmp byte ptr [eax],0 00401039 jne DoIt+30h (401030h) }
Call of Doit (cont) printf("Doit called with %i, %i, %i, %s, %i, %i \n",iLength, iSize, iWhat, szBuffer, iWhere, iHow); 0040103B mov eax,dword ptr [esp+8] 0040103F push eax 00401040 mov eax,dword ptr [esp+8] 00401044 push eax 00401045 push ebx 00401046 push ecx 00401047 push edx 00401048 push esi 00401049 push offset string "Doit called with %i, %i, %i, %s"... (402104h) 0040104E call dword ptr [__imp__printf (4020A4h)] 00401054 add esp,1Ch } 00401057 ret
_tmain epilogue: the saved cookie is reloaded from [esp+48h], XORed with esp again and verified by __security_check_cookie before the function returns. return 0; } 00401118 mov ecx,dword ptr [esp+48h] 0040111C add esp,14h 0040111F pop edi 00401120 pop esi 00401121 pop ebx 00401122 xor ecx,esp 00401124 xor eax,eax 00401126 call __security_check_cookie (40112Fh) 0040112B add esp,2Ch 0040112E ret