#include <stdio.h>

void f() {
    char a[4];
    int *b;
    b = (int *)(a + 0x8);   /* a is char *: point 8 bytes up the stack, then treat as int * */
    (*b) += 0x8;            /* bump the word stored there by 8 */
}

int main(void) {
    int x;
    x = 0;
    f();
    x = 1;
    printf("%d\n", x);
    return 0;
}

If you take a look at the disassembly for your main function and trace it in gdb, you will see why:

0x8048400 in f ()
(gdb)
0x8048401 in f ()
(gdb)
0x804841e in main ()            // goes to this address in main
(gdb) disas main
Dump of assembler code for function main:
0x8048404 <main>:       push   %ebp
0x8048405 <main+1>:     mov    %esp,%ebp
0x8048407 <main+3>:     sub    $0x18,%esp
0x804840a <main+6>:     movl   $0x0,0xfffffffc(%ebp)
0x8048411 <main+13>:    call   0x80483e4 <f>
0x8048416 <main+18>:    movl   $0x1,0xfffffffc(%ebp)   // and as you can see there is no such address in main
0x804841d <main+25>:    add    $0xfffffff8,%esp
0x8048420 <main+28>:    mov    0xfffffffc(%ebp),%eax
0x8048423 <main+31>:    push   %eax
0x8048424 <main+32>:    push   $0x8048490
0x8048429 <main+37>:    call   0x8048300 <printf>
0x804842e <main+42>:    add    $0x10,%esp
0x8048431 <main+45>:    leave
0x8048432 <main+46>:    ret
0x8048433 <main+47>:    nop
0x8048434 <main+48>:    nop

So in order to do what you want it to do, you have to make it land on 0x804841d instead. Try it out.

--
Nasko Oskov - CS Major
SIGMil CoChair
College of Engineering UIUC
CS31337 TA
"You think your computer is secure? Think again!!!"
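As an added example (not part of the post above, and not the poster's code), a small Python script that parses the `disas main` listing quoted in the post and checks where an offset from the saved return address lands, which is the instruction-boundary check done by hand above. The listing is copied from the post into a string so the script runs offline; the function names `parse_listing`, `return_address`, `classify_landing` and `delta_to_skip` are my own.

```python
import re

# gdb "disas main" listing quoted in the post above (copied here so the script runs offline)
DISAS_MAIN = """
0x8048404 <main>:    push %ebp
0x8048405 <main+1>:  mov %esp,%ebp
0x8048407 <main+3>:  sub $0x18,%esp
0x804840a <main+6>:  movl $0x0,0xfffffffc(%ebp)
0x8048411 <main+13>: call 0x80483e4 <f>
0x8048416 <main+18>: movl $0x1,0xfffffffc(%ebp)
0x804841d <main+25>: add $0xfffffff8,%esp
0x8048420 <main+28>: mov 0xfffffffc(%ebp),%eax
0x8048423 <main+31>: push %eax
"""

# one gdb listing line: address, <symbol+off>:, mnemonic, operands
LINE_RE = re.compile(r"^\s*(0x[0-9a-f]+)\s+<[^>]+>:\s+(\S+)\s*(.*)$")

def parse_listing(text):
    """Return [(address, mnemonic, operands), ...] in listing order."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            insns.append((int(m.group(1), 16), m.group(2), m.group(3).strip()))
    return insns

def return_address(insns, callee):
    """The address that `call <callee>` pushes: the instruction right after the call."""
    for i, (_, mnem, ops) in enumerate(insns):
        if mnem == "call" and ops.endswith("<%s>" % callee):
            return insns[i + 1][0]
    raise ValueError("no call to %s in listing" % callee)

def classify_landing(insns, target):
    """('boundary', addr) if target starts an instruction; ('inside', addr) naming the
    instruction whose bytes contain it; ('outside', None) if it is not in the listing."""
    addrs = [a for a, _, _ in insns]
    if target in addrs:
        return ("boundary", target)
    for a, nxt in zip(addrs, addrs[1:]):
        if a < target < nxt:
            return ("inside", a)
    return ("outside", None)

def delta_to_skip(insns, callee):
    """Distance from the saved return address to the next instruction boundary,
    i.e. the length of the single instruction that follows the call."""
    ret = return_address(insns, callee)
    addrs = [a for a, _, _ in insns]
    return addrs[addrs.index(ret) + 1] - ret
```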
This archive was generated by hypermail 2b30 : Tue Apr 09 2002 - 10:28:23 PDT