Florian Pasquereau

GDB and asm 32 bytes

For my school I'm doing a security project. The first step is, from the binary, to find the C source code.

I have one problem here. This is the asm code from the school binary in GDB. main:

   0x0804853f <+0>: push   ebp
   0x08048540 <+1>: mov    ebp,esp
   0x08048542 <+3>: and    esp,0xfffffff0
   0x08048545 <+6>: call   0x80484d4 <p>
   0x0804854a <+11>:    leave
   0x0804854b <+12>:    ret

func P:

   0x080484d4 <+0>: push   ebp
   0x080484d5 <+1>: mov    ebp,esp
   0x080484d7 <+3>: sub    esp,0x68
   0x080484da <+6>: mov    eax,ds:0x8049860
   0x080484df <+11>:    mov    DWORD PTR [esp],eax
   0x080484e2 <+14>:    call   0x80483b0 <fflush@plt>
   0x080484e7 <+19>:    lea    eax,[ebp-0x4c]
   0x080484ea <+22>:    mov    DWORD PTR [esp],eax
   0x080484ed <+25>:    call   0x80483c0 <gets@plt>
   0x080484f2 <+30>:    mov    eax,DWORD PTR [ebp+0x4]
   0x080484f5 <+33>:    mov    DWORD PTR [ebp-0xc],eax
   0x080484f8 <+36>:    mov    eax,DWORD PTR [ebp-0xc]
   0x080484fb <+39>:    and    eax,0xb0000000
   0x08048500 <+44>:    cmp    eax,0xb0000000
   0x08048505 <+49>:    jne    0x8048527 <p+83>
   0x08048507 <+51>:    mov    eax,0x8048620
   0x0804850c <+56>:    mov    edx,DWORD PTR [ebp-0xc]
   0x0804850f <+59>:    mov    DWORD PTR [esp+0x4],edx
   0x08048513 <+63>:    mov    DWORD PTR [esp],eax
   0x08048516 <+66>:    call   0x80483a0 <printf@plt>
   0x0804851b <+71>:    mov    DWORD PTR [esp],0x1
   0x08048522 <+78>:    call   0x80483d0 <_exit@plt>
   0x08048527 <+83>:    lea    eax,[ebp-0x4c]
   0x0804852a <+86>:    mov    DWORD PTR [esp],eax
   0x0804852d <+89>:    call   0x80483f0 <puts@plt>
   0x08048532 <+94>:    lea    eax,[ebp-0x4c]
   0x08048535 <+97>:    mov    DWORD PTR [esp],eax
   0x08048538 <+100>:   call   0x80483e0 <strdup@plt>
   0x0804853d <+105>:   leave
   0x0804853e <+106>:   ret

I have no idea where the line p+30 comes from, because ebp+4 means the variable from before the stack frame of the function p, but p has no parameters...

Have you got an idea where this variable comes from? And how can I get it? Actually, this is my source.c. It's wrong close to the gets. Thx :)

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
//gcc -fno-stack-protector -z execstack -Wl,-z,norelro -m32 source.c

void                p(void)
{
    char            str[0x40];      /* buffer at [ebp-0x4c] */
    void            *ptr;           /* value stored at [ebp-0xc] */

    fflush(stdin);
    ptr = gets(str);                /* does not match p+30: the binary reads [ebp+0x4] here */
    if (((unsigned int)ptr & 0xb0000000) == 0xb0000000)
    {
        printf("(%p)\n", ptr);
        exit(0x1);
    }
    puts(str);
    strdup(str);
}

int             main(int argc, char **argv)
{
    p();
    return 0;
}


Answers (1)

Peter Cordes

After making a stack frame, [ebp+0x4] is the return address. On function entry, args start at [esp+4], which becomes [esp+8] after you push ebp. Thus, with a stack frame, the first arg would be at [ebp+8].

To get a compiler to emit something like that asm for p, you'd need to use something like the GNU C __builtin_return_address extension.

#include <stdint.h>

void foo(void) {
    // Read this function's own return address (the value at [ebp+4] once a frame is set up).
    uintptr_t ptr = (uintptr_t)__builtin_return_address(0);
    // 0 means current function's ret addr.
    // higher numbers backtrace up the call stack.
    (void)ptr;
}

There's also a __builtin_frame_address...
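To show how the return-address check in the disassembly fits together with the answer, here is an added example (not code from the question or the answer). It reconstructs p() from the listing using __builtin_return_address(0), with one deliberate change: the unbounded gets() is replaced by fgets() so the file is safe to compile and run. The helper names return_address_flagged, my_return_address and p_reconstructed are hypothetical, and the "(%p)\n" format string is taken from the question's source.c, since the real string at 0x8048620 is not shown on the page. The example also spells out what the mask actually tests: bits 31, 29 and 28 set, so it matches both 0xb0000000-0xbfffffff (the 32-bit Linux stack) and 0xf0000000-0xffffffff (where shared libraries such as libc are typically mapped on 32-bit).

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() and _exit() */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: the "and eax,0xb0000000 / cmp eax,0xb0000000" at
   p+39 and p+44.  True when bits 31, 29 and 28 of the address are all set.
   Bit 30 is ignored by the mask, so the flagged ranges are
   0xb0000000-0xbfffffff and 0xf0000000-0xffffffff. */
static int return_address_flagged(uint32_t ret)
{
    return (ret & 0xb0000000u) == 0xb0000000u;
}

/* Hypothetical helper: returns this function's own return address, i.e. an
   address inside whoever called it.  noinline keeps a real call frame so the
   builtin has a saved return address to read. */
__attribute__((noinline)) static uintptr_t my_return_address(void)
{
    return (uintptr_t)__builtin_return_address(0);
}

/* Reconstruction of p() from the disassembly.  Deliberate change: fgets()
   instead of gets(), so the 64-byte buffer cannot be overrun here. */
void p_reconstructed(void)
{
    char str[64];        /* [ebp-0x4c] .. [ebp-0xd] */
    uintptr_t ret;       /* [ebp-0xc] */

    fflush(stdin);                                 /* p+6 .. p+14 */
    if (!fgets(str, sizeof str, stdin))            /* p+19 .. p+25 (was gets) */
        str[0] = '\0';
    str[strcspn(str, "\n")] = '\0';

    ret = (uintptr_t)__builtin_return_address(0);  /* p+30: mov eax,[ebp+0x4] */
    if (return_address_flagged((uint32_t)ret)) {   /* p+39 .. p+49 */
        printf("(%p)\n", (void *)ret);             /* format string assumed */
        _exit(1);                                  /* p+71 .. p+78 */
    }
    puts(str);                                     /* p+83 .. p+89 */
    char *copy = strdup(str);                      /* p+94 .. p+100 */
    (void)copy;                                    /* the binary discards the result */
}

int main(void)
{
    /* Normal call: the return address lies in main's text (0x08......), so
       the check does not fire and the line is echoed back. */
    p_reconstructed();
    return 0;
}
```

The check is the binary's own sanity test on where p() will return to: in a normal run the saved return address points into main, in the 0x08xxxxxx text segment, and the mask fails, so the input is echoed. Only an address whose top bits look like the stack or the shared-library region trips the printf/_exit path, which is why the question's gets()-based guess could never reproduce p+30.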
