C++ : Change Stack Address

Posted on 2006-11-06
Last Modified: 2012-05-05
I have doing a school project.. Stack Overrun.

I have a address of: 00401D00

I managed to find the last pointer.
Now i intend to write the pointer to the address.
Any idea?

My lecture notes somehow using perl..
converted "\x28\x13\x40" to an address: 401328

Please advice.
Question by:darence
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 6
LVL 12

Expert Comment

ID: 17886709
what are you exactly trying to do ?

Expert Comment

ID: 17887310
you have to use assembly language to achieve the result and it is not recommended to do so except in very very rare cases. eg exception handling where the language does not provide support for it. another is code related to powering on and off. another one is inside a debugger. and you have to be ***extremely*** careful of what you are doing because the return address of/to the caller code is stored on the stack. even main() gets called from somewhere else. i hope that is enough of a warning/discouragement to avoid the usage. anyways here is one way to do it. it is in MSVC environment and for x86 based processors.
void foo() {
  // some code
  int my_esp = 0x00401328; // assuming short is 16 bits
  __asm mov esp, tmp_esp;

Author Comment

ID: 17887319
I am trying to get the find the return address, change the address to some place.
In this case, its 00401D00.

I managed to find the return address, except how to point it to 00401D00.
Think need to find the assembly language to point to 00401D00.
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Expert Comment

ID: 17891265
Sorry, I misunderstood the question.
Ok, so you want to change the return address that is stored on the stack to 0x00401D00. First thing that you would need to do is find where the ret addr for current function is stored, i.e. the location on stack which stores IP where we would go after exiting current function if we don't fiddle with it manually. Then you store 0x00401D00 to that location. free up any dynamic memory that you need to. and return.

Author Comment

ID: 17899030
Dear jhshukla..
How can i "store" 0x00401D00 into it?

Is it just AAAAAAAAA."0x00401D00"?

Expert Comment

ID: 17900497
Darence, what processor architecture are you coding for?
Let's say you determine that return address for current function is 0x01234567. How did you figure it out? what memory location did you read to get the information? let's call (i.e. name) that memory location 'ret_addr_loc'. now what you do is overwrite the 32bit value (0x01234567) at that location with the new value (0x00401D00).

for x86 based processors the assembly code is
mov [ret_addr_loc], 0x00401D00
depending on what compiler you are using the ways to incorporate assembly code into C++ code will differ. look up the documentation for your compiler.

Author Comment

ID: 17904699
I am using DEV-C++
Output is a .exe file.
From my sample assignment,
To get the address: 401328.
they use: "\x28\x13\x40"

Please advice.

Expert Comment

ID: 17904738
can you post the code snippet?

The machine you are using is little-endian. see for details. basically, in the group of four bytes the least significant byte is stored first, then the next significant and so on. e.g. while you write 0x2357 (two bytes) as 00100011 01010111 in binary it is stored as 01010111 00100011 i.e. 0x57 0x23 in memory. So, your string when interpreted as int becomes 0x401328. now recall the fact that C-style strings are null terminated. that adds a zero at the end making a total of 4 bytes, x28 x13 x40 x00. this becomes 0x00401328 when interpreted as an integer.

Author Comment

ID: 17911252

I am given this EXE file.
Main thing is using a perl file to invoke the illegal BAR function..
Upon executing, the BAR address will be shown.
I am supposed to find the numbers of A ( being 41 ) before it goes to the return function.

I calculated it to be 20 A.. but now i do not know how to make the program GO to the bar address.

The syntax of using it is : hackme 3219914 AAAAAAAAAAblah blah blah..

If you manage to "change" the return address to BAR.
You should get a MSG saying I HAVE BEEN HACKED.


Author Comment

ID: 17911261
This is a sample of the perl file i am talking about.
$arg = "3219914 AAAAAAAAAAAAAAAAAAAA"."\x50\x1E\x40";
$cmd = "hackme ".$arg;

It seems that IF i use this "\x50\x1E\x40";
I am able to get into a BAR4 FUNCTION..
Which should not be the case as i should be getting into a BAR function..

Expert Comment

ID: 17912414
you should be getting inside bar0 function. Get XVI32 from No installation is required. just unzip ALL files into one directory & run xvi32.exe. Open hackme.exe from it and search for "I have been hacked". You will find that the string preceding it is "Inside bar0 function. \n"

Author Comment

ID: 17919335
I found it..
So what can i do?
This program is supposed to GET INTO bar0 function.
But IF i knoe the address, how am i going to "translate" that into whatever language is x50\x1E\x40.... :)

Accepted Solution

jhshukla earned 30 total points
ID: 18129051
I think it is probably too late for your assignment but this link might help you for oncoming projects: Get PEBrowse Professional.

Install and open the prog. Open hackme.exe with this prog.
Search for "bar4". Scroll up to the nearest location where you see "; <==0x0040xxxx(*+0xxxx), ...". This means that code jumps to current location from these listed addresses. the numbers inside () are offsets from current location.
Current location is 0x00401E50. This turns out to be your "magic" string that you use to get into bar4. You will see that it is linked from three different addresses.

Now search for bar0. similarly scroll up to find a location which is linked from three different addresses. There is also one link target right before PUSH call. Instinct tells me that this is probably not the desired address. The desired address is 0x00401C90. Try it. If that does not work, brute force your way going forward one instruction at a time.

Expert Comment

ID: 18129070
hackme.exe Section .text (0x00401000)
0x401C90: 55                     PUSH        EBP                ; <==0x00402343(*+0x6B3), 0x00402523(*+0x893), 0x00402703(*+0xA73)
0x401C91: 89E5                   MOV         EBP,ESP            
0x401C93: 83EC08                 SUB         ESP,0x8            
0x401C96: 83C4F8                 ADD         ESP,0xF8          
0x401C99: 6810404000             PUSH        0x404010           ; .text:0x55 0x89 0xE5 0x83
0x401C9E: 83C4F8                 ADD         ESP,0xF8           ; <==0x00401C6C(*-0x32)
0x401CA1: 68631C4000             PUSH        0x401C63           ; .text:Inside bar0 function. |
0x401CA6: 6828304100             PUSH        0x413028           ; .data:,0A
0x401CAB: E8FC1E0000             CALL        0x403BAC          
0x401CB0: 83C410                 ADD         ESP,0x10          
0x401CB3: 89C0                   MOV         EAX,EAX            
0x401CB5: 50                     PUSH        EAX                
0x401CB6: E8B5F90000             CALL        0x411670          
0x401CBB: 83C410                 ADD         ESP,0x10          
0x401CBE: 83C4F8                 ADD         ESP,0xF8          
0x401CC1: 6810404000             PUSH        0x404010           ; .text:0x55 0x89 0xE5 0x83
0x401CC6: 83C4F8                 ADD         ESP,0xF8          
0x401CC9: 687B1C4000             PUSH        0x401C7B           ; .text:I have been hacked!|
0x401CCE: 6828304100             PUSH        0x413028           ; .data:,0A
0x401CD3: E8D41E0000             CALL        0x403BAC          
0x401CD8: 83C410                 ADD         ESP,0x10          
0x401CDB: 89C0                   MOV         EAX,EAX            
0x401CDD: 50                     PUSH        EAX                
0x401CDE: E88DF90000             CALL        0x411670          
0x401CE3: 83C410                 ADD         ESP,0x10          
0x401CE6: C9                     LEAVE                          
0x401CE7: C3                     RET                            

hackme.exe Section .text (0x00401000)
0x401E50: 55                     PUSH        EBP                ; <==0x004025E3(*+0x793), 0x00402403(*+0x5B3), 0x004027C3(*+0x973)
0x401E51: 89E5                   MOV         EBP,ESP            
0x401E53: 83EC08                 SUB         ESP,0x8            
0x401E56: 83C4F8                 ADD         ESP,0xF8          
0x401E59: 6810404000             PUSH        0x404010           ; .text:0x55 0x89 0xE5 0x83
0x401E5E: 83C4F8                 ADD         ESP,0xF8          
0x401E61: 68381E4000             PUSH        0x401E38           ; .text:Inside bar4 function. |
0x401E66: 6828304100             PUSH        0x413028           ; .data:,0A
0x401E6B: E83C1D0000             CALL        0x403BAC          
0x401E70: 83C410                 ADD         ESP,0x10          
0x401E73: 89C0                   MOV         EAX,EAX            
0x401E75: 50                     PUSH        EAX                
0x401E76: E8F5F70000             CALL        0x411670          
0x401E7B: 83C410                 ADD         ESP,0x10          
0x401E7E: 83C4F8                 ADD         ESP,0xF8          
0x401E81: 6810404000             PUSH        0x404010           ; .text:0x55 0x89 0xE5 0x83
0x401E86: 83C4F8                 ADD         ESP,0xF8          
0x401E89: 687B1C4000             PUSH        0x401C7B           ; .text:I have been hacked!|
0x401E8E: 6828304100             PUSH        0x413028           ; .data:,0A
0x401E93: E8141D0000             CALL        0x403BAC          
0x401E98: 83C410                 ADD         ESP,0x10          
0x401E9B: 89C0                   MOV         EAX,EAX            
0x401E9D: 50                     PUSH        EAX                
0x401E9E: E8CDF70000             CALL        0x411670          
0x401EA3: 83C410                 ADD         ESP,0x10          
0x401EA6: C9                     LEAVE                          
0x401EA7: C3                     RET                            

Expert Comment

ID: 18129108
btw, i just figured that 0x00401D00 is bar1. are you, by any chance, trying to return to bar1 from bar0?

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Fully specialized class template function 21 147
VS2015 compilation and missing DLLs 9 181
Embarcadero C++ Builder XE2 TDateTime 8 80
GUI: DIalog Stacking and Popping in MS C++ 4 88
Unlike C#, C++ doesn't have native support for sealing classes (so they cannot be sub-classed). At the cost of a virtual base class pointer it is possible to implement a pseudo sealing mechanism The trick is to virtually inherit from a base class…
  Included as part of the C++ Standard Template Library (STL) is a collection of generic containers. Each of these containers serves a different purpose and has different pros and cons. It is often difficult to decide which container to use and …
The viewer will learn how to pass data into a function in C++. This is one step further in using functions. Instead of only printing text onto the console, the function will be able to perform calculations with argumentents given by the user.
The viewer will learn how to clear a vector as well as how to detect empty vectors in C++.

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question