Re: Studying buffer overflows [maybe OT]

From: Jan Kluka (klukaat_private)
Date: Tue Apr 09 2002 - 00:39:43 PDT

    	Hi, darko,
    
    ~/tmp/qqq$ cat > qqq.c
    void f() {
            char a[4];
            int *b;
            b =  a + 0x8;
            (*b) += 0x8;
    }
    main() {
            int x;
            x = 0;
            f();
            x = 1;
            printf("%d\n", x);
    }
    ~/tmp/qqq$ gcc -c qqq.c
    qqq.c: In function `f':
    qqq.c:4: warning: assignment from incompatible pointer type
    ~/tmp/qqq$ objdump -d qqq.o
    
    qqq.o:     file format elf32-i386
    
    Disassembly of section .text:
    
    00000000 <f>:
       0:   55                      push   %ebp
    (...)
    
    00000020 <main>:
      20:   55                      push   %ebp
      21:   89 e5                   mov    %esp,%ebp
      23:   83 ec 18                sub    $0x18,%esp
      26:   c7 45 fc 00 00 00 00    movl   $0x0,0xfffffffc(%ebp)
      2d:   e8 fc ff ff ff          call   2e <main+0xe>
      32:   c7 45 fc 01 00 00 00    movl   $0x1,0xfffffffc(%ebp)
    (...)
    	1  2  3  4  5  6  7
    
    The movl instruction you try to skip is 7, not 8, bytes long. The fourth
    line of f() should read:
    
    	(*b) += 7;
    
    Regards,
    
    					    JKl'
    
    On Mon, Apr 08, 2002 at 11:21:01PM +0200, darko wrote:
    > Hi all,
    > 
    > I've started to study buffer overflows. I wrote the following code:
    > 
    > void f() {
    >         char a[4];
    >         int *b;
    >         b =  a + 0x8;
    >         (*b) += 0x8;
    > }
    > 
    > main() {
    >         int x;
    >         x = 0;
    >         f();
    >         x = 1;
    >         printf("%d\n", x);
    > }
    > 
    > I want, after the call to f(), the program jump to printf() so the value of x 
    > should remain 0, not 1. I always get segmentation faults, bus errors, etc. 
    > and never that fuc*ing "x = 0" !!
    > Tested on a Celeron 433, red hat 7.2, gcc 2.96.
    > 
    > byez
    > darko
    
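Added example, not part of the exchange above and not darko's or Jan's code: a small x86-32 instruction length decoder that covers the opcodes appearing in the objdump excerpt, fed the bytes of main() as constructed input. Instead of guessing the size of the instruction after the call, it measures it: the movl at the return site decodes to 7 bytes (the call to 5), so 7 is what must be added to the saved return address, and adding 8 would land one byte inside whatever instruction follows the movl. The function names (insn_len, skip_len_after_call, count_insns), the byte array and the decoder's limits (32-bit mode, no prefixes, no 0x0f two-byte opcodes, only the opcodes listed) are my assumptions for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed input (this example's own, copied from the objdump excerpt):
 * the bytes of main() at file offsets 0x20..0x38; offsets below are relative
 * to 0x20. */
static const uint8_t main_code[] = {
    0x55,                                     /* 0x00 push %ebp          */
    0x89, 0xe5,                               /* 0x01 mov  %esp,%ebp     */
    0x83, 0xec, 0x18,                         /* 0x03 sub  $0x18,%esp    */
    0xc7, 0x45, 0xfc, 0x00, 0x00, 0x00, 0x00, /* 0x06 movl $0x0,-4(%ebp) */
    0xe8, 0xfc, 0xff, 0xff, 0xff,             /* 0x0d call f             */
    0xc7, 0x45, 0xfc, 0x01, 0x00, 0x00, 0x00  /* 0x12 movl $0x1,-4(%ebp) */
};
#define MAIN_CODE_LEN (sizeof main_code)
#define CALL_OFFSET   0x0d

/* Bytes used by a ModRM byte plus any SIB byte and displacement (32-bit
 * mode). Returns 0 if the buffer is too short. */
static size_t modrm_len(const uint8_t *p, size_t n)
{
    if (n < 1) return 0;
    uint8_t mod = p[0] >> 6, rm = p[0] & 7;
    size_t len = 1;
    if (mod == 3) return len;                      /* register operand only */
    if (rm == 4) {                                 /* SIB byte present */
        if (n < 2) return 0;
        len++;
        if (mod == 0 && (p[1] & 7) == 5) len += 4; /* no base: disp32 follows */
    } else if (mod == 0 && rm == 5) {
        len += 4;                                  /* [disp32] */
    }
    if (mod == 1) len += 1;                        /* disp8, e.g. -4(%ebp) */
    if (mod == 2) len += 4;                        /* disp32 */
    return len <= n ? len : 0;
}

/* Length of the instruction at p, or -1 if it is truncated or not one of
 * the handled opcodes (assumption: no prefixes, no 0x0f escape opcodes). */
int insn_len(const uint8_t *p, size_t n)
{
    if (n == 0) return -1;
    uint8_t op = p[0];
    size_t m;
    if (op >= 0x50 && op <= 0x5f) return 1;               /* push/pop r32 */
    if (op >= 0xb8 && op <= 0xbf) return n >= 5 ? 5 : -1; /* mov r32, imm32 */
    switch (op) {
    case 0x90: case 0xc3: case 0xc9: return 1;            /* nop, ret, leave */
    case 0xe8: case 0xe9: return n >= 5 ? 5 : -1;         /* call/jmp rel32 */
    case 0xeb: return n >= 2 ? 2 : -1;                    /* jmp rel8 */
    case 0x01: case 0x03: case 0x29: case 0x2b: case 0x31: case 0x33:
    case 0x39: case 0x3b: case 0x89: case 0x8b: case 0x8d:
        m = modrm_len(p + 1, n - 1);                      /* op r/m32, r32 */
        return m ? (int)(1 + m) : -1;
    case 0x83:                                            /* group 1 r/m32, imm8 */
        m = modrm_len(p + 1, n - 1);
        return (m && 1 + m + 1 <= n) ? (int)(1 + m + 1) : -1;
    case 0x81: case 0xc7:                                 /* group 1 / mov r/m32, imm32 */
        m = modrm_len(p + 1, n - 1);
        return (m && 1 + m + 4 <= n) ? (int)(1 + m + 4) : -1;
    default:
        return -1;
    }
}

/* f() returns to the byte right after the call; the amount to add to the
 * saved return address is the length of the instruction found there. */
int skip_len_after_call(const uint8_t *code, size_t n, size_t call_off)
{
    if (call_off >= n || code[call_off] != 0xe8) return -1;
    int cl = insn_len(code + call_off, n - call_off);
    if (cl < 0) return -1;
    size_t ret_site = call_off + (size_t)cl;
    return insn_len(code + ret_site, n - ret_site);
}

/* Walk straight-line code, printing one line per instruction in the style
 * of objdump; returns the instruction count, or -1 on an unsupported opcode. */
int count_insns(const uint8_t *code, size_t n)
{
    int count = 0;
    for (size_t off = 0; off < n; count++) {
        int len = insn_len(code + off, n - off);
        if (len < 0) return -1;
        printf("%4zx: ", off);
        for (int i = 0; i < len; i++) printf("%02x ", code[off + i]);
        printf(" (%d bytes)\n", len);
        off += (size_t)len;
    }
    return count;
}

int main(void)
{
    count_insns(main_code, MAIN_CODE_LEN);
    printf("add %d, not 8, to the saved return address\n",
           skip_len_after_call(main_code, MAIN_CODE_LEN, CALL_OFFSET));
    return 0;
}
```

Build with `gcc -std=c99 -Wall` and run; the listing reproduces the 1/2/3/7/5/7 byte lengths of the excerpt. A real decoder needs prefixes, the 0x0f two-byte opcodes, 16-bit operand forms and much more; the point here is only that the skip value is a property of the code at the return site and has to be measured, not assumed. The same goes for the `a + 0x8` distance to the saved return address: it depends on how the compiler lays out f()'s frame, and a current compiler (64-bit frames, stack protector, different alignment) will not reproduce the gcc 2.96 layout, so both numbers should be read off objdump for the binary actually being attacked.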



    This archive was generated by hypermail 2b30 : Tue Apr 09 2002 - 11:18:20 PDT